<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><DIV>Dear Fajar,</DIV>
<DIV> </DIV>
<DIV>Below are logs taken from the internal DNS server running Microsoft DNS. I checked the client AV status and everything is fine (the system is up to date with the DAT from McAfee AV and no threat was found in the complete scan output).</DIV>
<DIV> </DIV>
<DIV>But I really have no idea why it happens. The client is pointed to use a different DNS server, but the DNS query flood is being sent to another DNS server.</DIV>
<DIV> </DIV>
<DIV>Regards</DIV>
<DIV>Babu<BR><BR>--- On <B>Wed, 11/1/12, Fajar A. Nugraha <I><work@fajar.net></I></B> wrote:<BR></DIV>
<BLOCKQUOTE style="BORDER-LEFT: rgb(16,16,255) 2px solid; PADDING-LEFT: 5px; MARGIN-LEFT: 5px"><BR>From: Fajar A. Nugraha <work@fajar.net><BR>Subject: Re: huge count of DNS deny hits<BR>To: "babu dheen" <babudheen@yahoo.co.in><BR>Cc: bind-users@lists.isc.org<BR>Date: Wednesday, 11 January, 2012, 10:55 AM<BR><BR>
<DIV class=plainMail>On Wed, Jan 11, 2012 at 12:11 PM, babu dheen <babudheen@yahoo.co.in> wrote:<BR>
><BR>
> Hi,<BR>
><BR>
> I enabled the logs in the DNS server and I found the lines below from this client continuously..<BR>
><BR>
> 1/10/2012 9:14:30 AM 0FDC PACKET 0000000005B489B0 UDP Snd <Client IP> 1f23 Q [0005 A D NOERROR] TXT (7)version(4)bind(0)<BR>
> 1/10/2012 9:14:30 AM 0FDC PACKET 0000000007342360 UDP Rcv <Client IP> c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)<BR>
> 1/10/2012 9:14:30 AM 0FDC PACKET 0000000007342360 UDP Snd <Client IP> c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)<BR>
> 1/10/2012 9:14:30 AM 0FDC PACKET 0000000004D728F0 UDP Rcv <Client IP> a96a Q [0005 A D NOERROR] TXT (7)version(4)bind(0)<BR>
><BR>
<BR>
What log is this? AFAIK BIND log does not look like this. Is this a firewall log?<BR>
<BR>
> Is it something to do with Multicast DNS.<BR>
<BR>
... and how did you determine that? Wild guess?<BR>
<BR>
> Can you give me more details about Multicast DNS<BR>
<BR>
Try Google, although I don't think that's your problem.<BR>
<BR>
It might simply be the case that the client is infected with<BR>
virus/malware which targets a vulnerability in certain versions of bind,<BR>
so it'd make sense that it first sends out a DNS query that asks for<BR>
the bind version number (e.g.<BR>
<A href="http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html" target=_blank>http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html</A>)<BR>
<BR>
Some things you might be able to do:<BR>
- set up a firewall rule that can rate-limit UDP packets from any client<BR>
(e.g. iptables can do this)<BR>
- make sure your bind version is up-to-date (well, it's true for any<BR>
other software)<BR>
- configure named.conf not to show its version (use Google or the bind<BR>
manual to find out how)<BR>
<BR>
With those three steps in place, it shouldn't matter what queries the<BR>
client does, as the system will either ignore it, reply with useless<BR>
information, or automatically block it. However, if it still causes<BR>
problems (e.g. lots of UDP traffic eats up your bandwidth), then simply<BR>
block the client manually.<BR>
<BR>
-- <BR>
Fajar<BR></DIV></BLOCKQUOTE></td></tr></table>
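<DIV>As an added example that is not part of this thread, the following Python script parses Microsoft DNS debug-log packet lines in the format Babu quoted, decodes the wire-style name <CODE>(7)version(4)bind(0)</CODE> into <CODE>version.bind</CODE>, and counts inbound <CODE>version.bind</CODE> TXT queries per client so that a flooding client can be identified from the log itself. The sample log lines, the IP addresses in them, and the threshold of 3 are constructed for the example.</DIV>

```python
import re
from collections import Counter

# Microsoft DNS debug-log packet line. Fields: date, time, thread id, context (PACKET),
# packet id, protocol, Snd/Rcv, remote IP, xid, Q/R, flags in brackets, qtype, encoded name.
LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<tid>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>[QR])\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

# Constructed sample in the same format as the thread's log lines (IPs are documentation addresses).
SAMPLE_LOG = """\
1/10/2012 9:14:30 AM 0FDC PACKET 0000000007342360 UDP Rcv 192.0.2.10 c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 0000000007342360 UDP Snd 192.0.2.10 c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 0000000004D728F0 UDP Rcv 192.0.2.10 a96a Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:31 AM 0FDC PACKET 0000000004D728F0 UDP Rcv 192.0.2.10 b111 Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:31 AM 0FDC PACKET 0000000004D72900 UDP Rcv 192.0.2.20 1234 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
1/10/2012 9:14:31 AM 0FDC PACKET 0000000004D72910 UDP Rcv 192.0.2.30 2222 Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
"""

def decode_name(encoded: str) -> str:
    """Turn the log's length-prefixed name '(7)version(4)bind(0)' into 'version.bind'."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", encoded):
        if int(length) == 0:           # the root label terminates the name
            break
        if len(label) != int(length):  # malformed line: prefix disagrees with the label text
            raise ValueError(f"label length mismatch in {encoded!r}")
        labels.append(label)
    return ".".join(labels).lower()

def find_version_probes(lines, threshold: int) -> dict:
    """Count inbound (Rcv) TXT queries for version.bind per client IP; return clients at or over threshold."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["dir"] != "Rcv" or m["qr"] != "Q":
            continue  # skip unparseable lines and the server's own outbound packets
        if m["qtype"] == "TXT" and decode_name(m["name"]) == "version.bind":
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    # Assumed threshold: an ordinary resolver client has no reason to ask for version.bind repeatedly.
    for ip, n in find_version_probes(SAMPLE_LOG.splitlines(), threshold=3).items():
        print(f"{ip}: {n} version.bind probes")
```

The same parser can be pointed at the real debug-log file and the flagged addresses fed to the firewall rate limit Fajar suggests.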