Malicious DNS request?
Hi,

In the past days I noticed the nxdomain statistics in named.stats keep increasing (I run it every 5 min). Using tcpdump, I found a remote computer keeps asking for addresses of records like 999d38e693b9e6293b450.0existence.com and 60d38e693b9e6293b450.0be6c1xfa.net.

Is that a virus-affected computer? How could such requests be filtered, or their effect on the DNS server minimized?

regards
Joe
Joe Shen wrote:
Hi,
In the past days I noticed the nxdomain statistics in named.stats keep increasing (I run it every 5 min).
Using tcpdump, I found a remote computer keeps asking for addresses of records like 999d38e693b9e6293b450.0existence.com and 60d38e693b9e6293b450.0be6c1xfa.net.
Is that a virus-affected computer?
How could such requests be filtered, or their effect on the DNS server minimized?

Either this is a DDoS (woohoo!! I used the forbidden word) or you are seeing a botnet trying to connect and putting in some smoke-screen while at it to try and poison dns-top. I'd suggest dropping requests for domains you don't hold.

Gadi.
At 12:41 PM +0400 2005-05-12, Gadi Evron quoted Joe Shen:
How could such requests be filtered, or their effect on the DNS server minimized?
Either this is a DDoS (woohoo!! I used the forbidden word) or you are seeing a botnet trying to connect and putting in some smoke-screen while at it to try and poison dns-top.
I'd suggest dropping requests for domains you don't hold.

That's kind of hard to do if you're running a recursive/caching nameserver.

--
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.
On Thu, 12 May 2005 16:43:07 +0200, Brad Knowles said:
At 12:41 PM +0400 2005-05-12, Gadi Evron quoted Joe Shen:
I'd suggest dropping requests for domains you don't hold.
That's kind of hard to do if you're running a recursive/caching nameserver.

Well.. are you running a recursive/caching nameserver for everybody on the internet to use, or only for your customers? If the request isn't from inside your address space, and it's a "recursion requested" for a zone you don't hold, maybe they're asking the wrong DNS server. (And yes, I know that if you have a roaming user who's outside your address space but has hard-coded your DNS IP's in their resolv.conf, it gets trickier. The right answer here depends on your customer base.)

It's often suggested that you have *two* DNS setups - one that only answers requests from inside for recursion and caching, and an authoritative one that faces out and refuses to recurse. The inside one will cache the outside one fast enough in most environments.

(No, this doesn't stop all the possible DNS malfeasance, but it certainly raises the bar a good chunk...)
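The two ideas in this thread, Joe's random-label query churn and Valdis's split setup (inside clients get recursion, the outside face only answers zones you hold, which is what BIND's allow-recursion ACL and "recursion no" express), modelled as an added example that is not code from any poster. The address space, the held zone and the sample queries are constructed assumptions.

```python
"""Policy model for a split recursive/authoritative DNS setup, plus a
simple flag for the hex-like random-label query pattern seen in tcpdump."""
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the thread): our address space and the zones we hold.
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # documentation prefix
HELD_ZONES = {"example.net"}                           # zones we are authoritative for
HEXLIKE = re.compile(r"^[0-9a-f]{16,}$")               # labels like 999d38e693b9e6293b450

def is_inside(client_ip):
    """True if the client comes from our own address space."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INSIDE_NETS)

def zone_held(qname):
    """True if any suffix of the query name is a zone we are authoritative for."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in HELD_ZONES for i in range(len(labels)))

def decide(client_ip, qname):
    """What the split setup does with one query."""
    if is_inside(client_ip):
        return "answer"                  # inside face: recurse and cache
    if zone_held(qname):
        return "answer-authoritative"    # outside face: only what we hold
    return "refuse"                      # outside recursion for foreign zones

def flag_churn(queries, threshold=3):
    """Count distinct hex-like leftmost labels per (client, parent domain);
    return the pairs at or above threshold, the pattern Joe saw."""
    seen = defaultdict(set)
    for client_ip, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) >= 3 and HEXLIKE.match(labels[0]):
            seen[(client_ip, ".".join(labels[1:]))].add(labels[0])
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample queries: (client address, query name)
SAMPLE = [
    ("198.51.100.7", "999d38e693b9e6293b450.0existence.com"),
    ("198.51.100.7", "60d38e693b9e6293b450.0existence.com"),
    ("198.51.100.7", "a1b2c3d4e5f60718293a.0existence.com"),
    ("198.51.100.7", "www.example.net"),
    ("192.0.2.10", "www.example.com"),
]

if __name__ == "__main__":
    for client, name in SAMPLE:
        print(client, name, "->", decide(client, name))
    print("churn:", flag_churn(SAMPLE))
```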
At 11:26 AM -0400 2005-05-12, Valdis.Kletnieks@vt.edu wrote:
It's often suggested that you have *two* DNS setups - one that only answers requests from inside for recursion and caching, and an authoritative one that faces out and refuses to recurse.
The original question from Joe Shen said that a remote computer was asking questions about certain servers, but did not specify whether or not the "remote computer" in question was a customer. Gadi's response was to refuse to answer requests for domains that you don't own, which didn't address the issue of whether or not the "remote computer" was a customer, or what kind of server Joe was running.

Your answer is the complete and correct one, at least for the technical issue of how you should be running your nameservers so that you avoid external abuse and reduce the probability of having your DNS servers compromised. It's taken us a while to get to this correct and complete answer, however.

--
Brad Knowles, <brad@stop.mail-abuse.org>
On 5/12/05, Joe Shen <joe_hznm@yahoo.com.sg> wrote:
Using tcpdump, I found a remote computer keeps asking for addresses of records like 999d38e693b9e6293b450.0existence.com and 60d38e693b9e6293b450.0be6c1xfa.net.
Is that a virus-affected computer?

Sure looks like some kind of mass-mailer trojan, or an affiliate-program based spam sending software like Atriks. These two domains you quoted have rather interesting whois records, particularly 0existence.com ..

Domain Name.......... 0existence.com
Creation Date........ 2004-10-23
Registration Date.... 2004-10-23
Expiry Date.......... 2009-10-23
Organisation Name.... William Peter
Organisation Address. 52 THIRD AVENUE
Organisation Address.
Organisation Address. Woonsocket
Organisation Address. 02895
Organisation Address. RI
Organisation Address. UNITED STATES
Admin Name........... William Peter
Admin Address........ 52 THIRD AVENUE
Admin Address........
Admin Address........ Woonsocket
Admin Address........ 02895
Admin Address........ RI
Admin Address........ UNITED STATES
Admin Email.......... doi.looklikeafucktardtoyou@0existence.com
Admin Phone.......... +1.4067672231
Admin Fax............
Tech Name............ Existence Corporation
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... doi.looklikeafucktardtoyou@0existence.com
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010

--
Suresh Ramasubramanian (ops.lists@gmail.com)