Script-kiddie / client <IP> query (cache) '<host>/MX/IN' denied

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Aug 4 08:28:39 UTC 2010


On 03.08.10 18:01, Denis BUCHER wrote:
> I have a question, it's not really a big problem, but it's annoying.
>
> In the logs I get plenty of lines like:
>> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
>> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
>> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>
> This seems to be due to a script-kiddie.

I don't think so. It may be someone who used your server when connected to
your network and didn't change the resolver list afterwards, someone who
mistyped an IP address, or someone who guessed that your server might provide
recursive DNS for him (for whatever reason).

> I would like to know if I can block hosts doing that at the level of
> /etc/hosts.allow or should I do it at the level of Bind itself?

hosts.allow is the configuration of the tcp wrappers library, which is NOT
used by bind nor by some other software.


For abusers sending too many requests I have created a special view containing
only the root zone with * pointing to the localhost address. While this is
quite BOFHish, it works.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
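Before deciding which clients belong in a restrictive view like the one described above, it helps to know who is actually generating the denied queries. The following is an added example (not code from the thread or from BIND) that parses lines in the logwatch-style format quoted above, and also the raw named form with a `#port` suffix and no "Time(s)" summary, and totals denied queries per client; the sample lines and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread (logwatch summary lines).
SAMPLE_LOG = """\
client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
client 192.0.2.7 query (cache) 'example.net/A/IN' denied: 1 Time(s)
"""

# Matches both the summarised form above and a raw named log line such as
# "client 198.51.100.9#53211: query (cache) 'example.org/A/IN' denied".
# The address must end in a hex digit so a trailing ':' is not swallowed.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]*[0-9a-fA-F])(?:#\d+)?:? query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)' denied"
    r"(?:: (?P<count>\d+) Time\(s\))?"
)


def parse_denied(log_text):
    """Yield (client_ip, qname, qtype, count) for each denied-query line.

    Lines that do not match the expected format are skipped. A raw named
    line carries no "N Time(s)" suffix and counts as one query.
    """
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        count = int(m.group("count") or 1)
        yield m.group("ip"), m.group("name"), m.group("rtype"), count


def denied_per_client(log_text):
    """Total denied recursive queries, keyed by client address."""
    totals = defaultdict(int)
    for ip, _qname, _qtype, count in parse_denied(log_text):
        totals[ip] += count
    return dict(totals)


def abusers(log_text, threshold):
    """Clients at or above the threshold, as (ip, total) sorted by volume.

    The threshold is a constructed example value; tune it to the server.
    """
    totals = denied_per_client(log_text)
    return sorted(((ip, n) for ip, n in totals.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))
```

The resulting list is the candidate set for a `match-clients` ACL on a restrictive view, reviewed by hand before it is applied.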
