Suspicious DNS traffic

babu dheen babudheen at yahoo.co.in
Sun Mar 24 15:53:16 UTC 2013


Dear,

We have a caching DNS server, and only certain PTR records (for reverse-entry verification purposes) are allowed from the internet. But I am observing suspicious DNS traffic from my BIND caching DNS server towards the IP addresses 67.215.80.15, 67.215.80.13, 207.192.69.4 and 67.227.239.85 on destination ports 1033, 1090, 1743, etc. Since we haven't allowed non-standard ports from our DNS server to public DNS servers, it's dropped in the firewall.

Any idea as to why our company DNS server is contacting external IPs on non-standard ports?

Below are the logs taken from the DNS server for one of the destination IP addresses.
############################################################################


client 67.215.80.15#58230: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.215.80.15#18395: view localhost_resolver: query (cache) '86.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.215.80.15#34068: view localhost_resolver: query (cache) '114.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#20915: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#64724: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#16374: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#30391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#17745: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#36163: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#6391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#37586: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#55208: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#40076: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied

Below are the firewall logs:
#########################
action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529
action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53 


Regards
Babu
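The two log excerpts above can be read together. An added triage script, not part of the original post, parses the BIND "query ... denied" lines and the firewall flow records quoted in the message (both copied here as sample input; the `our_company_DNS_server_ip` placeholder is kept exactly as written) and labels each firewall flow by its role in a UDP DNS exchange. In ordinary UDP DNS a client's query arrives at port 53 from an ephemeral source port and the resolver's answer leaves port 53 back to that ephemeral port, so a flow with `src_port=53` and a high `dst_port` is a reply from the resolver, not a query it originated; the script makes that distinction explicit and counts how many refused queries BIND logged from the same peer.

```python
"""Triage helper: parse BIND 'query ... denied' entries and firewall flow
records, then label each firewall flow by its role in the DNS exchange.
Added example; the sample lines below are copied from the mailing-list post."""
import re
from collections import Counter

# BIND query-log line:
#   client <ip>#<port>: view <view>: query (cache) '<qname>/<qtype>/<qclass>' denied
BIND_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)
# Firewall record: key=value fields in the layout shown in the post
FW_RE = re.compile(
    r"action=(?P<action>\w+) sent=(?P<sent>\d+) rcvd=(?P<rcvd>\d+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) src_port=(?P<sport>\d+) dst_port=(?P<dport>\d+)"
)

# Sample input: lines quoted in the post (a subset of the BIND lines)
BIND_SAMPLE = """\
client 67.215.80.15#58230: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.215.80.15#18395: view localhost_resolver: query (cache) '86.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.215.80.15#34068: view localhost_resolver: query (cache) '114.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#20915: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#64724: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
"""
FW_SAMPLE = """\
action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529
action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53
"""
RESOLVER_IP = "our_company_DNS_server_ip"  # placeholder exactly as used in the post


def parse_bind(text):
    """Return one dict per BIND 'denied' line (ip, port, view, qname, qtype, qclass)."""
    events = []
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def parse_fw(text):
    """Return one dict per firewall record with numeric fields converted to int."""
    flows = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sent", "rcvd", "sport", "dport"):
                d[k] = int(d[k])
            flows.append(d)
    return flows


def classify_flow(flow, resolver_ip=RESOLVER_IP):
    """Label a flow by its role in a UDP DNS exchange with our resolver.
    Queries arrive at port 53 from an ephemeral port; answers leave port 53
    back to that ephemeral port. Recursion the resolver itself starts uses an
    ephemeral source port and destination port 53."""
    if flow["dst"] == resolver_ip and flow["dport"] == 53:
        return "inbound-query"
    if flow["src"] == resolver_ip and flow["sport"] == 53 and flow["dport"] > 1023:
        return "outbound-reply"
    if flow["src"] == resolver_ip and flow["dport"] == 53:
        return "outbound-query"
    return "other"


def denied_queries_by_peer(events):
    """Count BIND 'denied' entries keyed by (client ip, query type)."""
    return Counter((e["ip"], e["qtype"]) for e in events)


def triage(bind_text, fw_text, resolver_ip=RESOLVER_IP):
    """Pair each firewall flow with the number of refused queries BIND logged
    from the same peer, so a blocked 'outbound' flow can be checked against
    the queries that peer actually sent."""
    per_peer = Counter(e["ip"] for e in parse_bind(bind_text))
    rows = []
    for f in parse_fw(fw_text):
        role = classify_flow(f, resolver_ip)
        peer = f["dst"] if role.startswith("outbound") else f["src"]
        rows.append({"peer": peer, "role": role, "action": f["action"],
                     "dst_port": f["dport"],
                     "refused_queries_from_peer": per_peer.get(peer, 0)})
    return rows


if __name__ == "__main__":
    for row in triage(BIND_SAMPLE, FW_SAMPLE):
        print(row)
```

On the quoted sample the denied outbound flow to 67.215.80.15 port 16529 is labelled `outbound-reply` and is paired with three refused queries from that same peer, while the permitted inbound flow on port 53 is labelled `inbound-query`; a resolver-initiated recursion would instead show an ephemeral source port and destination port 53.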