Suspicious DNS traffic

babu dheen babudheen at yahoo.co.in
Mon Mar 25 08:59:56 UTC 2013


Hi,
 
 I am able to query one of the PTR records available on my company's BIND caching DNS server from the internet (any IP address) successfully. As per your statement, if I am denying the response, how could I get a response successfully?
 
Regards
Babu
 
 

________________________________
 From: Mark Andrews <marka at isc.org>
To: babu dheen <babudheen at yahoo.co.in> 
Cc: "bind-users at lists.isc.org" <bind-users at isc.org> 
Sent: Monday, 25 March 2013 12:33 AM
Subject: Re: Suspicious DNS traffic
  

In message <1364140396.42023.YahooMailNeo at web190806.mail.sg3.yahoo.com>, babu dheen writes:
> 
> Dear,
> 
> We have a caching DNS server, and only certain PTR records (for reverse 
> entry verification purposes) are allowed from the internet. But I am 
> observing suspicious DNS traffic from my BIND caching DNS server towards 
> the IP addresses 67.215.80.15, 67.215.80.13, 207.192.69.4 and 67.227.239.85 
> on destination ports 1033, 1090, 1743, etc. Since we haven't allowed 
> non-standard ports from our DNS server to public DNS servers, it is 
> dropped in the firewall.
> 
> Any idea as to why our company DNS server is contacting external IPs on 
> non-standard ports?

It's contacting it on port 53.  You are allowing the query out but
denying the response.

> Below is the logs taken from DNS server on one of the destination IP 
> address.
> ############################################################################
> 
> 
> client 67.215.80.15#58230: view localhost_resolver: query (cache) 
> '109.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#18395: view localhost_resolver: query (cache) 
> '86.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#34068: view localhost_resolver: query (cache) 
> '114.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#20915: view localhost_resolver: query (cache) 
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#64724: view localhost_resolver: query (cache) 
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#16374: view localhost_resolver: query (cache) 
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#30391: view localhost_resolver: query (cache) 
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#17745: view localhost_resolver: query (cache) 
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#36163: view localhost_resolver: query (cache) 
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#6391: view localhost_resolver: query (cache) 
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#37586: view localhost_resolver: query (cache) 
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#55208: view localhost_resolver: query (cache) 
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#40076: view localhost_resolver: query (cache) 
> '232.12.217.in-addr.arpa/NS/IN' denied
> 
> Below is the firewall logs:
> #########################
> action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip 
> dst=67.215.80.15 src_port=53 dst_port=16529
> action=Permit sent=0 rcvd=0 src=67.215.80.15 
> dst=our_company_DNS_server_ip src_port=52370 dst_port=53 
> 
> 
> Regards
> Babu
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
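The two log excerpts in the thread can be read together mechanically: the BIND lines say which remote clients had queries refused, and the firewall lines show the direction and ports of each packet. The script below is an added example, not code from the thread or from ISC; it parses both formats, classifies every firewall record by which side holds port 53, and reports where a refused query from a client coincides with a blocked packet leaving the server from source port 53 to a high port on that same client. The address 192.0.2.53 standing in for "our_company_DNS_server_ip", and the sample log lines themselves, are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed placeholder for the address the original poster redacted as
# "our_company_DNS_server_ip" (documentation range, RFC 5737).
OUR_DNS = "192.0.2.53"

# Constructed sample lines in the BIND "query ... denied" format shown in the thread.
BIND_LOG = """\
client 67.215.80.15#58230: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.215.80.15#18395: view localhost_resolver: query (cache) '86.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#20915: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#64724: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
"""

# Constructed firewall records in the key=value layout shown in the thread.
FIREWALL_LOG = f"""\
action=Deny sent=0 rcvd=112 src={OUR_DNS} dst=67.215.80.15 src_port=53 dst_port=16529
action=Permit sent=0 rcvd=0 src=67.215.80.15 dst={OUR_DNS} src_port=52370 dst_port=53
action=Deny sent=0 rcvd=112 src={OUR_DNS} dst=67.227.239.85 src_port=53 dst_port=1090
action=Deny sent=0 rcvd=0 src={OUR_DNS} dst=198.51.100.7 src_port=44321 dst_port=53
"""

BIND_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query \((?P<kind>\w+)\) '(?P<name>[^/]+)/(?P<rtype>\w+)/(?P<cls>\w+)' denied"
)


def parse_bind_denials(text):
    """Map client IP -> list of (qname, qtype) that named refused."""
    denials = defaultdict(list)
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            denials[m["ip"]].append((m["name"], m["rtype"]))
    return denials


def parse_firewall(text):
    """Split each 'k=v k=v ...' record into a dict."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(kv.split("=", 1) for kv in line.split()))
    return records


def classify(rec, our_dns):
    """Decide what a UDP DNS packet is from which end holds port 53."""
    sp, dp = int(rec["src_port"]), int(rec["dst_port"])
    if rec["src"] == our_dns and sp == 53 and dp != 53:
        return "response_to_client"      # our server answering a query it received
    if rec["dst"] == our_dns and dp == 53:
        return "inbound_query"           # a client asking our server
    if rec["src"] == our_dns and dp == 53 and sp != 53:
        return "outbound_query"          # our server asking an upstream/authoritative server
    if rec["dst"] == our_dns and sp == 53 and dp != 53:
        return "response_from_upstream"  # an upstream answering our server
    return "other"


def correlate(bind_text, fw_text, our_dns):
    """Join firewall records with BIND refusals by the remote peer address."""
    denials = parse_bind_denials(bind_text)
    findings = []
    for rec in parse_firewall(fw_text):
        peer = rec["dst"] if rec["src"] == our_dns else rec["src"]
        findings.append({
            "action": rec["action"],
            "kind": classify(rec, our_dns),
            "peer": peer,
            "denied_queries_from_peer": len(denials.get(peer, [])),
        })
    return findings


def blocked_reply_peers(findings):
    """Peers whose DNS responses (port 53 -> high port) the firewall denied."""
    peers = {f["peer"] for f in findings
             if f["action"] == "Deny" and f["kind"] == "response_to_client"}
    return sorted(peers)


if __name__ == "__main__":
    for f in correlate(BIND_LOG, FIREWALL_LOG, OUR_DNS):
        print(f"{f['action']:6} {f['kind']:22} peer={f['peer']:16} "
              f"refused_queries={f['denied_queries_from_peer']}")
    print("replies blocked to:", blocked_reply_peers(correlate(BIND_LOG, FIREWALL_LOG, OUR_DNS)))
```

In the constructed data the "outbound traffic to a non-standard port" records all carry src_port=53, which is the signature of a reply, not of a client connection: a server that initiates a lookup sends from an ephemeral port to port 53, never the reverse. A refusal logged by named is still answered with a REFUSED response, so every refused query produces exactly the kind of port 53 to high-port packet that a port-based egress rule then drops; the practical check is whether the firewall rule for the DNS server is stateful (reply packets matched to the inbound query) rather than a bare list of permitted destination ports.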

