DNS BIND traffic capture ICMP/UDP

Warren Kumari warren at kumari.net
Fri Jan 15 16:32:14 UTC 2016


On Fri, Jan 15, 2016 at 8:49 AM Daniel Dawalibi <daniel.dawalibi at idm.net.lb>
wrote:

> Hello
>
> We observed unusual traffic combining ICMP and UDP packets while
> running the tcpdump command on the DNS caching server
>
> Kindly note that only UDP DNS traffic is allowed on this server (ICMP is
> not allowed from outside to DNS server)
>
> Any help regarding this issue? Why are we getting ICMP and UDP requests?
> Could it be an attack?
>
> *Logs:*
>
> # tcpdump -n icmp
>
> 15:41:05.054237 IP 10.151.130.74 > DNSIP: ICMP 10.151.130.74 udp port
> 52003 unreachable, length 52
> 15:41:05.064449 IP 10.75.6.36 > DNSIP: ICMP 10.75.6.36 udp port 50162
> unreachable, length 52
> 15:41:05.067953 IP 10.33.10.155 > DNSIP: ICMP 10.33.10.155 udp port 50233
> unreachable, length 52
> 15:41:05.067958 IP 10.75.15.162 > DNSIP: ICMP 10.75.15.162 udp port 53847
> unreachable, length 52
> 15:41:05.072727 IP 10.33.12.219 > DNSIP: ICMP 10.33.12.219 udp port 51024
> unreachable, length 52
> ….
>
> Example: 10.151.130.74 (client source IP)
> DNSIP: DNSServer IP
>

Your description is either incomplete, or incorrect (or at least some set
of things is misconfigured) -- without additional information it will be
difficult / impossible to assist.

1: You state that you observe traffic while running tcpdump **on the
caching server**.
2: You state that "ICMP is not allowed from outside **to** DNS server"
(emphasis mine) - this implies that ICMP is supposed to be filtered before
reaching the server, not, e.g., by iptables *on the server*.
3: The tcpdump output shows traffic from client IPs (presumably "outside")
to the DNS server.

I do not see how all of the above can simultaneously be true.
A: What are the actual IPs involved?
B: What are you counting as "outside" (are the client IPs "inside" or
"outside")?
C: Where are you filtering the ICMP, and, more importantly, why are you
filtering ICMP (it is needed to make IP work properly...)
D: How busy is the server / what percentage of ICMP responses to DNS
queries?
E: What is the connectivity of the server? It is likely that resolutions
are taking significant time, and the clients have a: given up or b: already
gotten the replies from another recursive?


This could be an attack (e.g. spoofed packets as part of a cache poisoning
attempt).... or it could be perfectly normal operation -- eliding the IP
addresses and not providing more information makes it imposs^W hard to
tell....

W


> Regards
>
> Daniel
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
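The questions Warren raises under D and E (what fraction of queries come back as ICMP, and whether resolution is so slow that clients have already closed their sockets) can be answered from the capture itself if the DNS traffic is captured alongside the ICMP. The script below is an added example, not code from the thread or from ISC: it correlates each ICMP "udp port N unreachable" with the query/reply pair the server exchanged on that client port, so you get the query-to-reply latency behind every late answer and a list of "orphan" ICMPs for ports the server never replied to (which is what you would look at first before suspecting spoofed traffic). The server address 192.0.2.53, the client addresses and all capture lines are constructed for the example; the line formats are what `tcpdump -n` prints for UDP DNS and for ICMP port-unreachable. A real capture would come from something like `tcpdump -n -l 'udp port 53 or icmp'` rather than `icmp` alone.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output (not from the original post).
# 192.0.2.53 stands in for the caching server; the clients are placeholders.
SAMPLE_CAPTURE = """\
15:41:03.001000 IP 10.151.130.74.52003 > 192.0.2.53.53: 1234+ A? slow.example. (30)
15:41:03.002000 IP 10.75.6.36.50162 > 192.0.2.53.53: 2234+ A? fast.example. (30)
15:41:03.010000 IP 192.0.2.53.53 > 10.75.6.36.50162: 2234 1/0/0 A 198.51.100.7 (46)
15:41:04.000000 IP 10.75.15.162.53847 > 192.0.2.53.53: 3234+ AAAA? fast.example. (30)
15:41:04.004000 IP 192.0.2.53.53 > 10.75.15.162.53847: 3234 1/0/0 AAAA 2001:db8::7 (58)
15:41:05.050000 IP 192.0.2.53.53 > 10.151.130.74.52003: 1234 1/0/0 A 198.51.100.9 (46)
15:41:05.054237 IP 10.151.130.74 > 192.0.2.53: ICMP 10.151.130.74 udp port 52003 unreachable, length 52
15:41:05.060000 IP 10.33.10.155 > 192.0.2.53: ICMP 10.33.10.155 udp port 50233 unreachable, length 52
"""

IP4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "<ts> IP <src>.<sport> > <dst>.<dport>: <txid>..." (query has "txid+", reply "txid 1/0/0 ...")
DNS_RE = re.compile(r"^(\S+) IP " + IP4 + r"\.(\d+) > " + IP4 + r"\.(\d+): (\d+)")
# "<ts> IP <sender> > <server>: ICMP <orig dst> udp port <port> unreachable"
ICMP_RE = re.compile(r"^(\S+) IP " + IP4 + r" > " + IP4 + r": ICMP " + IP4
                     + r" udp port (\d+) unreachable")


def parse_ts(ts):
    """tcpdump HH:MM:SS.ffffff timestamp -> seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyse(capture, server_ip, dns_port=53):
    """Correlate queries, replies and ICMP port-unreachables seen at the server."""
    pending = {}      # (client, client port, txid) -> query time
    last_reply = {}   # (client, client port) -> (reply time, query->reply latency)
    stats = {"queries": 0, "replies": 0, "icmp": 0, "icmp_late": [], "icmp_orphan": []}
    per_client = defaultdict(lambda: {"queries": 0, "icmp": 0})

    for line in capture.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, src, sport, dst, dport, txid = m.groups()
            t = parse_ts(ts)
            if dst == server_ip and int(dport) == dns_port:       # query in
                stats["queries"] += 1
                per_client[src]["queries"] += 1
                pending[(src, int(sport), int(txid))] = t
            elif src == server_ip and int(sport) == dns_port:     # reply out
                stats["replies"] += 1
                t0 = pending.pop((dst, int(dport), int(txid)), None)
                if t0 is not None:
                    last_reply[(dst, int(dport))] = (t, t - t0)
            continue
        m = ICMP_RE.match(line)
        if m:
            ts, sender, dst, orig_dst, port = m.groups()
            if dst != server_ip:
                continue
            stats["icmp"] += 1
            per_client[sender]["icmp"] += 1
            # The quoted packet is our reply to orig_dst:port. If we sent one, the
            # client closed its socket before it arrived: record how slow we were.
            r = last_reply.get((orig_dst, int(port)))
            if r is None:
                stats["icmp_orphan"].append((sender, int(port)))   # no reply of ours matches
            else:
                stats["icmp_late"].append((sender, int(port), round(r[1], 3)))

    stats["icmp_ratio"] = stats["icmp"] / stats["queries"] if stats["queries"] else 0.0
    stats["per_client"] = dict(per_client)
    return stats


if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE, "192.0.2.53")
    print("queries=%d replies=%d icmp=%d (%.0f%% of queries)" % (
        result["queries"], result["replies"], result["icmp"], 100 * result["icmp_ratio"]))
    for client, port, latency in result["icmp_late"]:
        print("late answer: %s port %d, reply took %.3fs" % (client, port, latency))
    for client, port in result["icmp_orphan"]:
        print("orphan ICMP: %s port %d, no matching reply in capture" % (client, port))
```

In the sample, the one ICMP that matches a reply sits behind a 2.049 s resolution, which is past the default timeout of most stub resolvers, so the client had already closed its socket (Warren's point E); the second ICMP has no matching reply in the capture, which on a real box means either the reply predates the capture or the ICMP was not triggered by anything this server sent. Run it against a capture that includes the DNS traffic, not the `icmp`-only filter from the post, or every ICMP will show up as an orphan.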