Need Help, Unwanted traffic Through My Nameserver,.

Roy Arends Roy.Arends at nominum.com
Mon Jun 11 15:11:11 UTC 2001


On 11 Jun 2001, Richard wrote:

> 
> Hi there Group,
> 
> I hope you can help me with this problem. I am running Redhat 6.2 with
> Bind 8.2.2_p5, permanent modem connection to the internet.  I have a
> primary nameserver on my firewall box which also serves as my dial up
> machine. My secondary NS is provided by my ISP and is set up to allow
> zone transfers etc, this works ok. The problem is that I am constantly
> getting requests, lookups etc through my nameserver that I am not
> requesting. Since I only have 2 masqueraded computers using My
> nameserver I know it's not from my network. I have included a small
> amount of data that I picked up from Tcpdump and have included this to
> see if anyone can give me a better idea of what's going on. I am
> getting 50 - 100 packets every 10 minutes or so, they seem to come in
> bursts and then stop then start again. Here is what I'm getting.

You are running an old insecure version of bind (1), and you also don't
provide a config/setup for us to review.

The traffic you show us originates from maicom.lnk.telstra.net.
(139.130.160.45) I'll bet it's your firewall. These are queries coming
_from_ your nameserver, and query-response going in.

Since it's a firewall, it probably has 2 interfaces. Monitor the other one
to find out where from your internal net the traffic is coming from.

Next, when your ISP is acting as a secondary, you suggest that you run as
primary. Of course you will get requests from the internet, trying to
resolve your domain. Why you do that puzzles me, since alternatives are
available (shove your primary outside your net) and you pay for every
mbyte passing through the modem.

Regards

Roy Arends
Nominum

(1) You might have been hacked, this would definitely generate traffic.
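One way to do the triage Roy describes, sorting a tcpdump capture into queries leaving the nameserver, answers coming back, and genuine inbound queries for the zone. This is an added example, not code from the thread; the capture lines are constructed, 139.130.160.45 is the firewall address from the post, and 192.0.2.53 / 198.51.100.7 are placeholder upstream and outside addresses.

```python
import re
from collections import Counter

# Classic tcpdump DNS line: "HH:MM:SS.usec src.port > dst.port: <dns summary>"
PKT = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
                 r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$")
# Query summary: "id+ TYPE? name. (len)"; the '+' means recursion desired
QRY = re.compile(r"^\d+\+?\s+[A-Z]+\?\s+(?P<qname>\S+)")

def classify(line, ns_ip):
    """Direction of one packet relative to our nameserver, or None if not DNS."""
    m = PKT.match(line)
    if not m:
        return None
    src, sport, dst, dport = m["src"], m["sport"], m["dst"], m["dport"]
    if src == ns_ip and dport == "53":
        return "outbound-query"     # our server resolving for an internal client
    if dst == ns_ip and sport == "53":
        return "inbound-response"   # answers to those queries coming back in
    if dst == ns_ip and dport == "53":
        return "inbound-query"      # the internet asking for our own zone
    if src == ns_ip and sport == "53":
        return "outbound-response"  # our authoritative answers going out
    return "other"

def summarize(lines, ns_ip):
    """Packets per direction; many outbound queries means the load comes from behind the firewall."""
    return dict(Counter(filter(None, (classify(l, ns_ip) for l in lines))))

def outbound_names(lines, ns_ip):
    """Names our server asked the outside for, most frequent first (hints at the internal source)."""
    names = Counter()
    for line in lines:
        if classify(line, ns_ip) == "outbound-query":
            q = QRY.match(PKT.match(line)["rest"])
            if q:
                names[q["qname"]] += 1
    return names.most_common()

# Constructed sample capture (placeholder addresses, see lead-in)
SAMPLE = """\
15:11:01.100000 139.130.160.45.1035 > 192.0.2.53.53: 43210+ A? www.example.com. (33)
15:11:01.200000 192.0.2.53.53 > 139.130.160.45.1035: 43210 1/0/0 A 192.0.2.10 (49)
15:11:02.300000 139.130.160.45.1036 > 192.0.2.53.53: 43211+ PTR? 7.100.51.198.in-addr.arpa. (43)
15:11:02.400000 192.0.2.53.53 > 139.130.160.45.1036: 43211 1/0/0 PTR client.example.net. (73)
15:11:05.500000 198.51.100.7.2048 > 139.130.160.45.53: 9 A? host.zone.example. (35)
15:11:05.600000 139.130.160.45.53 > 198.51.100.7.2048: 9* 1/0/0 A 139.130.160.45 (51)
""".splitlines()
```

Run `summarize(SAMPLE, "139.130.160.45")` on a real capture from the outside interface; a count dominated by outbound queries and their responses points at an internal client, which the names from `outbound_names` help identify.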
