Ejaz mejaz at cyberia.net.sa
Wed Jul 27 13:44:52 UTC 2016

Really I appreciate sparing such long time to trace out the problem and sending such detail email.

 Is there any other security measure from the DNS level to control such attacks.  Instead of blocking IP which is either from my linux machine or from my network side.

Such  as, if someone is sending  ANY request , by default it should be denied when users requests  for it..  


-----Original Message-----
From: S Carr [mailto:sjcarr at gmail.com] 
Sent: Wednesday, July 27, 2016 4:19 PM
To: Ejaz <mejaz at cyberia.net.sa>
Cc: bind-users <bind-users at lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 13:33, Ejaz <mejaz at cyberia.net.sa> wrote:
> Thank you so much Abdul for you instant support.
> As requested, Find the attached.

So the 3 IPs ( are continuously sending ANY requests for cpsc.gov

No responses I can see are going from port 0, they are coming in on 53 and BIND is responding on a random high port

The subnet appears to be mapped to your company's DNS for reverse lookups and .99 shows that it is supposedly the system mail.electro.com.sa (though the forward lookup does not map to the same as the reverse).

It also looks like you are providing a recursive DNS service for these IP addresses, in frame 118047 you respond to the client with an NXDOMAIN response as the query they asked has a random "\r" on it. Are you meant to be providing recursive DNS for these clients? The random "\r" looks to me like something has been scripted (albeit poorly) to run against your systems.

As this is probably one of your customers have you tried contacting them to find out why their systems are sending all of these requests?
It could be simple misconfiguration or they could have been affected by some malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide another layer of filtering and block the requests locally, or ask your network team to block those IPs, then wait for the customer to shout.

More information about the bind-users mailing list