Script-kiddie / client <IP> query (cache) '<host>/MX/IN' denied

Lyle Giese lyle at lcrcomputer.net
Tue Aug 3 16:17:20 UTC 2010


Denis BUCHER wrote:
> Dear all,
>
> I have a question, it's not really a big problem, but it's annoying.
>
> In the logs I get plenty of lines like :
>> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
>> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
>> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>
> This seems to be due to a script-kiddie.
>
> I would like to know if I can block hosts doing that at the level of 
> /etc/hosts.allow or should I do it at the level of Bind itself ?
>
> Currently it is working for sshd on this server to add lines in 
> /etc/hosts.allow, but I would like to know if it would be possible for 
> bind :
> sshd: 121.14.195.176: DENY
>
> # uname -a
> Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 
> 2009 i686 i686 i386 GNU/Linux
> # cat /etc/redhat-release
> Fedora release 9 (Sulphur)
>
> Thanks a lot in advance for any help...
>
> And sorry if this is not 100% on topic, I know it's at the border 
> between BIND and OS...
>
> Denis
> _______________

Use IPTables or add rules to your firewall.  I don't believe that BIND 
pays any attention to /etc/hosts.allow.

Lyle Giese
LCR Computer Services, Inc.
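
Added example (not part of the original thread, and not code from Lyle or the BIND project): one way to turn the "denied" log summary quoted above into candidate iptables rules for the firewall approach suggested in the reply. It assumes one log entry per line; the function names, the threshold of 5 and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the summary format quoted in the post; the last two
# lines are constructed variants (raw named style with "#port:", bogus address).
SAMPLE = """\
client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
client 192.0.2.10#40112: query (cache) 'example.org/A/IN' denied
client 999.1.1.1 query (cache) 'x.example/A/IN' denied: 9 Time(s)
"""

DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f:.]+?)(?:#\d+)?:? query \(cache\) "
    r"'(?P<q>[^']*)' denied(?:: (?P<n>\d+) Time\(s\))?"
)

def tally_denied(text):
    """Return a Counter of denied cache queries per valid client address."""
    counts = Counter()
    for line in text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # never let unvalidated log text reach a firewall command
        counts[str(ip)] += int(m.group("n") or 1)
    return counts

def drop_rules(counts, threshold=5):
    """Build iptables/ip6tables commands for clients at or above threshold."""
    rules = []
    for ip, n in sorted(counts.items()):
        if n < threshold:
            continue
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        for proto in ("udp", "tcp"):
            rules.append(f"{tool} -I INPUT -s {ip} -p {proto} --dport 53 -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(drop_rules(tally_denied(SAMPLE))))
```

The script only prints the rules so they can be reviewed before being applied. DNS queries over UDP can carry a forged source address, so a logged client may be a third party rather than the real sender.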



