huge count of DNS deny hits

Fajar A. Nugraha work at fajar.net
Wed Jan 11 05:25:57 UTC 2012


On Wed, Jan 11, 2012 at 12:11 PM, babu dheen <babudheen at yahoo.co.in> wrote:
>
> Hi,
>
> I enabled the logs in DNS server and I found the below lines from this client continuously...
>
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000005B489B0 UDP Snd <Client IP>    1f23   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Rcv <Client IP>   c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Snd <Client IP>     c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000004D728F0 UDP Rcv <Client IP>   a96a   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
>

What log is this? AFAIK BIND log does not look like this. Is this firewall log?

> Is it something to do with Multicast DNS?

... and how did you determine that? Wild guess?

> Can you give me more details about Multicast DNS

Try google, although I don't think that's your problem.

It might simply be the case that the client is infected with a
virus/malware which targets a vulnerability in certain versions of bind,
so it'd make sense that it first sends out a DNS query that asks for the
bind version number (e.g.
http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html)

Some things you might be able to do:
- set up a firewall rule that can rate-limit UDP packets from any client
(e.g. iptables can do this)
- make sure your bind version is up-to-date (well, it's true for any
other software)
- configure named.conf not to show its version (use Google or the bind
manual to find out how)

With those three steps in place, it shouldn't matter what queries the
client does, as the system will either ignore it, reply with useless
information, or automatically block it. However, if it still causes
problems (e.g. lots of UDP traffic eats up your bandwidth), then simply
block the client manually.

-- 
Fajar
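Added example, not from anyone in this thread: a small Python script that parses log lines in the layout quoted above, decodes the `(7)version(4)bind(0)` label encoding, and counts received `version.bind` TXT queries per client so you can see which client to rate-limit or block manually. The field layout, the sample lines (with made-up IPs) and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the layout quoted in the thread; IPs are made up.
SAMPLE_LOG = """\
1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Rcv 192.0.2.10   c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Snd 192.0.2.10   c63c   R [8085 A DR  NOERROR] TXT    (7)version(4)bind(0)
1/10/2012 9:14:31 AM 0FDC PACKET  0000000004D728F0 UDP Rcv 192.0.2.10   a96a   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
1/10/2012 9:14:31 AM 0FDC PACKET  0000000004D728F0 UDP Rcv 192.0.2.10   a96b   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
1/10/2012 9:14:32 AM 0FDC PACKET  00000000051A2C00 UDP Rcv 198.51.100.7 1a2b   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""

# Assumed field order: date, time, thread id, PACKET, packet id, proto,
# direction, client, xid, Q/R, [flags], qtype, encoded qname.
LINE_RE = re.compile(
    r"^\S+\s+\S+\s+[AP]M\s+\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Snd|Rcv)\s+(?P<client>\S+)\s+\S+\s+(?P<qr>[QR])\s+\[[^\]]*\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_qname(encoded):
    """Turn '(7)version(4)bind(0)' into 'version.bind' (the root label ends it)."""
    labels = []
    for length, text in LABEL_RE.findall(encoded):
        if int(length) == 0:
            break
        if len(text) != int(length):
            raise ValueError(f"label length mismatch in {encoded!r}")
        labels.append(text)
    return ".".join(labels).lower()


def count_version_queries(log_text):
    """Count queries *received* from each client for version.bind TXT
    (the usual BIND version probe, normally sent in class CH)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "Rcv" or m["qr"] != "Q":
            continue  # skip replies we sent and lines in another layout
        if m["qtype"] == "TXT" and decode_qname(m["qname"]) == "version.bind":
            counts[m["client"]] += 1
    return counts


def noisy_clients(log_text, threshold=3):
    """Clients at or above the threshold: candidates for rate-limiting or a block."""
    return sorted(c for c, n in count_version_queries(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for client, n in count_version_queries(SAMPLE_LOG).most_common():
        print(f"{client}: {n} version.bind queries")
```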


