Suspicious DNS traffic
    Mark Andrews
    marka at isc.org
    Sun Mar 24 21:33:12 UTC 2013

In message <1364140396.42023.YahooMailNeo at web190806.mail.sg3.yahoo.com>, babu dheen writes:
> 
> Dear,
> 
> We have a caching DNS server, and only certain PTR record queries (for 
> reverse-entry verification purposes) are allowed from the Internet. But I 
> am observing suspicious DNS traffic from my BIND caching DNS server towards 
> the IP addresses 67.215.80.15, 67.215.80.13, 207.192.69.4 and 67.227.239.85 
> on destination ports 1033, 1090, 1743, etc. Since we haven't allowed 
> non-standard ports from our DNS server to public DNS servers, it's dropped 
> in the firewall.
> 
> Any idea as to why our company DNS server is contacting external IPs on 
> non-standard ports?
It's contacting it on port 53.  You are allowing the query out but
denying the response.
 
> Below are the logs taken from the DNS server for one of the destination IP 
> addresses.
> ############################################################################
> 
> client 67.215.80.15#58230: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#18395: view localhost_resolver: query (cache) '86.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#34068: view localhost_resolver: query (cache) '114.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#20915: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#64724: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#16374: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#30391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#17745: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#36163: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#6391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#37586: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#55208: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#40076: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
> 
> Below are the firewall logs:
> #########################
> action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529
> action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53
> 
> 
> Regards
> Babu
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
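As an added illustration of the point made in the reply above (this is not code from the thread, from the poster, or from ISC), the following Python script shows how to tell a resolver's own outbound queries apart from its replies to inbound queries using only the two log formats quoted above, and how to tie a firewall-denied packet leaving port 53 back to the BIND "query ... denied" line it answers. The log lines are constructed for the example in the quoted formats, and 192.0.2.53 is a hypothetical stand-in for our_company_DNS_server_ip; the port numbers were chosen so that the two logs describe the same exchanges.

```python
import re
from typing import Dict, List

# Constructed sample data (not the poster's real logs), modelled on the two
# log formats quoted in the thread. 192.0.2.53 is a hypothetical stand-in for
# "our_company_DNS_server_ip".
SERVER_IP = "192.0.2.53"

BIND_LOG = """\
client 67.215.80.15#16529: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#20915: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
"""

FIREWALL_LOG = """\
action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=192.0.2.53 src_port=16529 dst_port=53
action=Deny sent=0 rcvd=112 src=192.0.2.53 dst=67.215.80.15 src_port=53 dst_port=16529
action=Permit sent=0 rcvd=0 src=67.227.239.85 dst=192.0.2.53 src_port=20915 dst_port=53
action=Deny sent=0 rcvd=98 src=192.0.2.53 dst=67.227.239.85 src_port=53 dst_port=20915
action=Permit sent=0 rcvd=0 src=192.0.2.53 dst=203.0.113.1 src_port=41234 dst_port=53
action=Deny sent=0 rcvd=0 src=192.0.2.53 dst=203.0.113.9 src_port=53 dst_port=1090
"""

# Matches the "client IP#port: view NAME: query (cache) 'NAME/TYPE/CLASS' denied"
# format shown in the thread; the optional parenthesised group tolerates
# versions that print the queried name after the client address.
BIND_DENIED = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"view \S+: query \(cache\) '(?P<q>[^']+)' denied"
)


def parse_bind_denials(text: str) -> List[Dict[str, object]]:
    """Extract client IP, client source port, qname and qtype from denial lines."""
    out = []
    for line in text.splitlines():
        m = BIND_DENIED.search(line)
        if not m:
            continue
        qname, qtype, qclass = m.group("q").rsplit("/", 2)
        out.append({"ip": m.group("ip"), "port": int(m.group("port")),
                    "qname": qname, "qtype": qtype, "qclass": qclass})
    return out


def parse_firewall(text: str) -> List[Dict[str, str]]:
    """Parse key=value firewall records into dicts, one per line."""
    return [dict(re.findall(r"(\w+)=(\S+)", line))
            for line in text.splitlines() if line.strip()]


def classify_flow(rec: Dict[str, str], server_ip: str) -> str:
    """Name the role of one UDP packet as seen from our resolver.

    The resolver's own lookups leave from an ephemeral port towards port 53.
    A packet leaving *from* port 53 towards a high port is an answer (possibly
    REFUSED) to a query that already arrived on port 53 from that peer.
    """
    src, dst = rec["src"], rec["dst"]
    sport, dport = int(rec["src_port"]), int(rec["dst_port"])
    if src == server_ip and sport == 53:
        return "response to inbound query"
    if src == server_ip and dport == 53:
        return "outbound query"
    if dst == server_ip and dport == 53:
        return "inbound query"
    if dst == server_ip and sport == 53:
        return "response to outbound query"
    return "unrelated"


def explain_denied_outbound(bind_log: str, fw_log: str, server_ip: str) -> List[Dict[str, object]]:
    """For each firewall-denied packet leaving the resolver, say what it was.

    A response is matched to BIND's denial line on (client ip, client port),
    which is exactly the (dst, dst_port) pair of the response packet.
    """
    denied_queries = {(q["ip"], q["port"]): q for q in parse_bind_denials(bind_log)}
    report = []
    for rec in parse_firewall(fw_log):
        if rec.get("action") != "Deny" or rec.get("src") != server_ip:
            continue
        role = classify_flow(rec, server_ip)
        matched = denied_queries.get((rec["dst"], int(rec["dst_port"])))
        if role == "response to inbound query" and matched:
            verdict = "REFUSED reply to %s/%s from %s" % (matched["qname"], matched["qtype"], rec["dst"])
        elif role == "response to inbound query":
            verdict = "reply to an inbound query (no matching BIND denial logged)"
        else:
            verdict = role
        report.append({"dst": rec["dst"], "dst_port": int(rec["dst_port"]),
                       "role": role, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in explain_denied_outbound(BIND_LOG, FIREWALL_LOG, SERVER_IP):
        print("%-15s :%-5d %s" % (row["dst"], row["dst_port"], row["verdict"]))
```

Every denied packet in the sample has source port 53 and a high destination port, so none of them is the resolver contacting anyone; each is the reply to a query that the firewall had already let in. The third entry has no matching BIND denial, which is the case to watch: a reply to a query the server did answer takes the same path and is blocked just the same, so the rule dropping "non-standard ports" is also breaking legitimate responses.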