S Carr sjcarr at gmail.com
Wed Jul 27 13:19:10 UTC 2016

On 27 July 2016 at 13:33, Ejaz <mejaz at cyberia.net.sa> wrote:
> Thank you so much Abdul for you instant support.
> As requested, Find the attached.

So the 3 IPs ( are continuously sending ANY
requests for cpsc.gov

No responses I can see are going from port 0, they are coming in on 53
and BIND is responding on a random high port

The subnet appears to be mapped to your company's DNS
for reverse lookups and .99 shows that it is supposedly the system
mail.electro.com.sa (though the forward lookup does not map to the
same as the reverse).

It also looks like you are providing a recursive DNS service for these
IP addresses, in frame 118047 you respond to the client with an
NXDOMAIN response as the query they asked has a random "\r" on it. Are
you meant to be providing recursive DNS for these clients? The random
"\r" looks to me like something has been scripted (albeit poorly) to
run against your systems.

As this is probably one of your customers have you tried contacting
them to find out why their systems are sending all of these requests?
It could be simple misconfiguration or they could have been affected
by some malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide
another layer of filtering and block the requests locally, or ask your
network team to block those IPs, then wait for the customer to shout.

More information about the bind-users mailing list