<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFCC">
<p>Hi</p>
<p>Don't forget that any traffic may be spam, also the reject
messages if they are directed towards the victim.</p>
<p>I think this is how it works here:</p>
<p>a large number of hosts send requests to your server for some
domain. All these requests have a fake sender: IP 212.76.76.18,
this means that all those reject messages come to that IP even he
never asked one question himself.</p>
<p>What you should do for the poor guy is to stop any reply going to
that address, probably easier to do in a firewall with a temporary
rule.<br>
</p>
<br>
<div class="moz-cite-prefix">On 18/12/2017 14:54, Mohammed Ejaz
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:07bc01d37807$c7bfdb20$573f9160$@cyberia.net.sa">
<div class="WordSection1">
<p class="MsoPlainText">Thank you for the detailed explanation, really appreciated.</p>
<p class="MsoPlainText">We have been asked by our National Cyber Security Center to investigate this, as they have detected massive malicious requests from our DNS servers, which are 212.119.64.2 and 212.119.64.3.</p>
<p class="MsoPlainText">The malicious domain is <b><u>mumbai-m.site</u></b>, which is linked to a dns-bot campaign; this campaign uses DNS tunneling for exchanging messages, transferring files and executing commands through the DNS protocol.</p>
<p class="MsoPlainText"><b><u>Malicious IPs are</u></b></p>
<p class="MsoPlainText">1.2.3.4</p>
<p class="MsoPlainText">11.24.237.110</p>
<p class="MsoPlainText">46.105.221.247</p>
<p class="MsoPlainText">But when I checked my name server logs, the requests come from a single IP, 212.76.76.18, asking for this domain, and my server refused their requests since this IP doesn't belong to us, as I have ACLs in place in named.conf.</p>
<p class="MsoPlainText">Now I am a bit confused: since the query gets rejected, how can our national cyber security center claim that there was massive malicious traffic from our DNS server to the internet?</p>
<p class="MsoPlainText">Any explanations would be highly appreciated. Thanks in advance.</p>
<p class="MsoPlainText">Ejaz</p>
<p class="MsoPlainText">-----Original Message-----<br>
From: bind-users [<a class="moz-txt-link-freetext" href="mailto:bind-users-bounces@lists.isc.org">mailto:bind-users-bounces@lists.isc.org</a>] On
Behalf Of Mark Elkins<br>
Sent: Monday, December 18, 2017 1:58 PM<br>
To: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
Subject: Re: DNS-Format-Eroor</p>
<pre>$ dig mumbai-m.site ns

; &lt;&lt;&gt;&gt; DiG 9.11.1-P3 &lt;&lt;&gt;&gt; mumbai-m.site ns
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.                 IN      NS

;; ANSWER SECTION:
MUMBAI-M.site.          3380    IN      NS      win-1ikkrphg9jj.
</pre>
<p class="MsoPlainText">I seem to have cached only one nameserver - which does not make operational sense - neither does the name I've cached.</p>
<pre>$ dig mumbai-m.site aaaa
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.                 IN      AAAA

;; AUTHORITY SECTION:
MUMBAI-M.SITE.          3473    IN      SOA     win-1ikkrphg9jj. hostmaster. 4 900 600 86400 3600
</pre>
<p class="MsoPlainText">The zone looks like it's not set up properly... the admin has added dots where they should not have...</p>
<p class="MsoPlainText">The "win" and serial no. of "4" suggest to me that this is a Windows machine, and as both nameservers are on the same IP, the administrator is in need of some DNS training...</p>
<p class="MsoPlainText">As for your errors, I'd guess you may run IPv6 but this person doesn't appear to, as asking for the quad-A record returns the SOA (you got to the right place but there is no answer to your question).</p>
<p class="MsoPlainText">In summary - the administrator of MUMBAI-M.SITE has a broken zone configuration.</p>
<p class="MsoPlainText">Doing a "whois MUMBAI-M.SITE", it seems they are hiding behind "whoisguard.com" to remain anonymous - which suggests they have something to hide. I don't get the vibe that this domain is owned by a child or someone who needs protection from the evilness of the Internet...</p>
<p class="MsoPlainText">On 18/12/2017 11:26, Reindl Harald wrote:</p>
<p class="MsoPlainText">></p>
<p class="MsoPlainText">> On 18.12.2017 at 10:16, Mohammed Ejaz wrote:</p>
<p class="MsoPlainText">>> Hello,</p>
<p class="MsoPlainText">>></p>
<p class="MsoPlainText">>> I have several entries as below in my name server logs. Would anyone please assist me in knowing the exact reason for this?</p>
<p class="MsoPlainText">>></p>
<p class="MsoPlainText">>> Also, this IP 46.105.221.247 is not in my trusted list.</p>
<p class="MsoPlainText">></p>
<p class="MsoPlainText">> No, but it's the auth-nameserver of that domain, operated by another fool who thinks the requirement for 2 nameservers is just for fun.</p>
<p class="MsoPlainText">></p>
<p class="MsoPlainText">> I guess you have an inbound mailserver using your nameserver which logs the warning...</p>
<p class="MsoPlainText">></p>
<pre>> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup MUMBAI-M.SITE
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name:   MUMBAI-M.SITE
> Address: 46.105.221.247
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS1.MUMBAI-M.SITE
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name:   NS1.MUMBAI-M.site
> Address: 46.105.221.247
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS2.MUMBAI-M.SITE
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name:   NS2.MUMBAI-M.SITE
> Address: 46.105.221.247
>
</pre>
<pre>>> Dec 17 05:35:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 05:35:40 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>>
</pre>
<p class="MsoPlainText">>> Thanks,</p>
<p class="MsoPlainText">>></p>
<p class="MsoPlainText">>> Mohammed Ejaz</p>
<p class="MsoPlainText">>> Asst. Operation Director of Systems.</p>
<p class="MsoPlainText">>> Cyberia SAUDI ARABIA</p>
<p class="MsoPlainText">>> P.O.Box: 301079, Riyadh 11372</p>
<p class="MsoPlainText">>> Phone: (+966) 11 464 7114 Ext. 140</p>
<p class="MsoPlainText">>> Mobile: (+966) 562311787</p>
<p class="MsoPlainText">>> Fax: (+966) 11 465 4735</p>
<p class="MsoPlainText">>> Website: <a href="http://www.cyberia.net.sa">http://www.cyberia.net.sa</a></p>
<p class="MsoPlainText">>
_______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">> Please visit <a
href="https://lists.isc.org/mailman/listinfo/bind-users"
moz-do-not-send="true"><span
style="color:windowtext;text-decoration:none">https://lists.isc.org/mailman/listinfo/bind-users</span></a>
to <o:p></o:p></p>
<p class="MsoPlainText">> unsubscribe from this list<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> bind-users mailing list<o:p></o:p></p>
<p class="MsoPlainText">> <a
href="mailto:bind-users@lists.isc.org"
moz-do-not-send="true"><span
style="color:windowtext;text-decoration:none">bind-users@lists.isc.org</span></a><o:p></o:p></p>
<p class="MsoPlainText">> <a
href="https://lists.isc.org/mailman/listinfo/bind-users"
moz-do-not-send="true"><span
style="color:windowtext;text-decoration:none">https://lists.isc.org/mailman/listinfo/bind-users</span></a><o:p></o:p></p>
<p class="MsoPlainText">--</p>
<p class="MsoPlainText">Mark James ELKINS - Posix Systems - (South) Africa</p>
<p class="MsoPlainText"><a href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: +27.128070590 Cell: +27.826010496</p>
<p class="MsoPlainText">For fast, reliable, low cost Internet in ZA: <a href="https://ftth.posix.co.za">https://ftth.posix.co.za</a></p>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
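<p>The advice above boils down to one signal: a burst of queries from a single source that all get REFUSED, all for one domain, is a spoofed victim rather than a real client, and the refused replies are the traffic to stop. The script below is an added example, not code from this thread or from BIND; it applies that reasoning to constructed lines in the format of BIND's security-category "query ... denied" messages (the log contents, the thresholds and the iptables rule it prints are assumptions made for this example).</p>

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the "query ... denied" lines BIND's security
# log category writes when an allow-query ACL rejects a client. The IPs and the
# domain come from the thread; timestamps, ports and the second client are made up.
SAMPLE_LOG = """\
18-Dec-2017 12:01:03.110 security: info: client 212.76.76.18#41234 (mumbai-m.site): query (cache) 'mumbai-m.site/A/IN' denied
18-Dec-2017 12:01:03.112 security: info: client 212.76.76.18#41235 (mumbai-m.site): query (cache) 'mumbai-m.site/A/IN' denied
18-Dec-2017 12:01:03.115 security: info: client 212.76.76.18#41236 (mumbai-m.site): query (cache) 'mumbai-m.site/A/IN' denied
18-Dec-2017 12:01:03.119 security: info: client 212.76.76.18#41237 (mumbai-m.site): query (cache) 'mumbai-m.site/A/IN' denied
18-Dec-2017 12:01:03.120 security: info: client 212.76.76.18#41238 (ns1.mumbai-m.site): query (cache) 'ns1.mumbai-m.site/AAAA/IN' denied
18-Dec-2017 12:01:03.124 security: info: client 212.76.76.18#41239 (mumbai-m.site): query (cache) 'mumbai-m.site/A/IN' denied
18-Dec-2017 12:01:05.001 security: info: client 198.51.100.7#53001 (example.com): query (cache) 'example.com/MX/IN' denied
"""

# Client address, queried name and type from a denied-query line; the optional
# "@0x..." token covers BIND releases that log a pointer before the address.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/IN' denied"
)


def denied_by_source(log_text):
    """Return {source_ip: Counter(qname)} over all denied queries."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            per_ip[m.group("ip")][m.group("qname").lower()] += 1
    return per_ip


def find_reflection_victims(log_text, min_denied=5, min_share=0.8):
    """Sources refused at least min_denied times, with at least min_share of
    those queries for one name. A real client does not keep asking a server
    that keeps answering REFUSED; such a burst, all for one domain, is what a
    spoofed source looks like, and every REFUSED reply still goes to it."""
    hits = []
    for ip, names in denied_by_source(log_text).items():
        total = sum(names.values())
        qname, top = names.most_common(1)[0]
        if total >= min_denied and top / total >= min_share:
            hits.append({"ip": ip, "denied": total, "qname": qname,
                         "share": round(top / total, 2)})
    return sorted(hits, key=lambda h: h["denied"], reverse=True)


def block_replies_rule(victim_ip):
    """Temporary firewall rule as suggested in the thread: drop our DNS
    replies (UDP source port 53) addressed to the spoofed victim."""
    return f"iptables -I OUTPUT -p udp --sport 53 -d {victim_ip} -j DROP"
```

On the sample, only 212.76.76.18 is flagged (six refusals, five of them for mumbai-m.site); the second client falls under the threshold, and the rule is meant to be removed once the flood stops.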
</body>
</html>