DNS Exploit Attempts??
Emery Rudolph
emery.rudolph at gmail.com
Wed Jul 30 16:58:42 UTC 2008
Thanks Dawn,
I must have misunderstood the blackhole directive. I thought it was strictly
for blocking nameserver - nameserver queries as opposed to a client that
points directly at you by making you their primary nameservice.
If this problem flares up again, I will definitely try the option. :-)
On Wed, Jul 30, 2008 at 12:20 PM, Dawn Connelly <dawn.connelly at gmail.com>wrote:
> Hehehe, that address is coming from Russia so you can pretty much assume
> it's badness.
>
> If you don't want to wait for your firewall team for future events like
> this, you can always blacklist them too.
>
> blackhole { address_match_list };
>
>
> On Wed, Jul 30, 2008 at 8:55 AM, Terpasaur <emery.rudolph at gmail.com>wrote:
>
>> Good morning.
>>
>> I upgraded our last resolver this morning to the new P1 code and
>> turned on "rndc querylog". I am seeing a steady stream of these
>> messages with the same IP at a rate of about 100/min.
>>
>> Jul 30 11:50:39 ns2 named[2780]: [ID 873579 daemon.info] security:
>> info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
>>
>> Is this an example of the cache exploit attempt?
>>
>> I've already spoken with our INET team about blocking the IP at the
>> firewall a couple of days to see if the automated mechanism stops
>> because of denied access, or if it continues regardless.
>>
>> Thanks,
>>
>> Emery Rudolph
>> Sr. Systems Analyst
>> Office of Information Technology
>> University of Maryland University College
>> Email: Erudolph at umuc.edu
>>
>>
>>
>>
>
More information about the bind-users
mailing list