huge count of DNS deny hits

Fajar A. Nugraha work at fajar.net
Wed Jan 11 08:29:48 UTC 2012


On Wed, Jan 11, 2012 at 1:27 PM, babu dheen <babudheen at yahoo.co.in> wrote:
>
> Dear Fajar,
>
> Below logs were taken from the internal DNS server, running Microsoft DNS.

Then why did you ask this list instead of contacting MS support?

> I checked with client AV status, everything is fine (system is up to date with DAT from McAfee AV and no threat found in the complete scan output).
>
> But really no idea why it happens... The client is pointed to use a different DNS server, but the DNS flood query is being sent to another DNS server.

AV doesn't catch all threats.

Anyway, from BIND's perspective, a DNS query asking for the BIND version
is a valid TXT query. But the query can be used by malware,
vulnerability scanners, or hackers looking for vulnerable BIND
versions.

In a way, it's similar to ICMP echo (i.e. ping) packets. It's a valid
packet, but a lot of viruses/malware use it to determine which
neighbouring hosts to attack. How do you handle ICMP flood cases? The
same mechanism should be applicable in this case.

-- 
Fajar
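The "same mechanism as an ICMP flood" that Fajar suggests is a per-client rate check. The script below is an added example, not code from the thread or from BIND: it parses query-log lines in the BIND 9 style (the original poster's logs come from Microsoft DNS, whose format differs, so the parser is an assumption), picks out the CHAOS-class `version.bind` TXT queries, and flags any client that sends a threshold number of them inside a sliding time window. Single version queries from ordinary clients and slow, widely spaced probes stay below the threshold; a burst does not. All sample log lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One query-log line in the BIND 9 style. The sample lines below are constructed
# for this example and are not from the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

SAMPLE_LOG = """\
11-Jan-2012 13:27:00.101 client 10.0.0.5#51234: query: version.bind CH TXT + (10.0.0.1)
11-Jan-2012 13:27:00.205 client 10.0.0.5#51235: query: version.bind CH TXT + (10.0.0.1)
11-Jan-2012 13:27:00.310 client 10.0.0.5#51236: query: version.bind CH TXT + (10.0.0.1)
11-Jan-2012 13:27:00.412 client 10.0.0.5#51237: query: version.bind CH TXT + (10.0.0.1)
11-Jan-2012 13:27:00.520 client 10.0.0.5#51238: query: version.bind CH TXT + (10.0.0.1)
11-Jan-2012 13:27:00.633 client 10.0.0.5#51239: query: version.bind CH TXT + (10.0.0.1)
11-Jan-2012 13:27:01.000 client 10.0.0.7#40001: query: www.example.com IN A + (10.0.0.1)
11-Jan-2012 13:27:01.050 client 10.0.0.7#40002: query: version.bind CH TXT + (10.0.0.1)
11-Jan-2012 13:27:01.100 client 10.0.0.7#40003: query: mail.example.com IN MX + (10.0.0.1)
11-Jan-2012 13:30:00.000 client 10.0.0.9#33001: query: version.bind CH TXT + (10.0.0.1)
11-Jan-2012 13:35:00.000 client 10.0.0.9#33002: query: version.bind CH TXT + (10.0.0.1)
11-Jan-2012 13:40:00.000 client 10.0.0.9#33003: query: version.bind CH TXT + (10.0.0.1)
"""


def parse_line(line):
    """Parse one query-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "ip": m.group("ip"),
        "name": m.group("name").lower().rstrip("."),
        "cls": m.group("cls").upper(),
        "type": m.group("type").upper(),
    }


def is_version_probe(rec):
    """True for the CHAOS-class TXT query that asks a server for its version string."""
    return rec["cls"] == "CH" and rec["type"] == "TXT" and rec["name"] == "version.bind"


def flag_version_floods(log_text, threshold=5, window_seconds=60):
    """Per-client sliding-window rate check, the same idea used for ICMP floods.

    Returns {client_ip: peak_count} for every client whose number of version.bind
    queries inside any window of `window_seconds` reaches `threshold`.
    Lines are assumed to be in chronological order, as a log file is.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client ip -> timestamps of probes still inside the window
    peak = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_version_probe(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop probes that have aged out of the window before counting.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


if __name__ == "__main__":
    for ip, n in flag_version_floods(SAMPLE_LOG).items():
        print(f"{ip}: {n} version.bind queries within 60s")
```

With the defaults only 10.0.0.5 is reported (six probes in under a second); 10.0.0.7 sent one probe among normal lookups and 10.0.0.9 spread three probes over ten minutes, so neither reaches the threshold. Widening the window to 15 minutes with a threshold of 3 also catches the slow prober, which is the usual tuning trade-off for this kind of detector. The flagged addresses are what you would feed into whatever you already do for ICMP floods, such as a firewall rule or a ticket to the desktop team.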


