Compromised BIND?
Kevin Darcy
kcd at chrysler.com
Tue May 31 19:22:38 UTC 2011
On 5/31/2011 2:38 PM, Supersonic wrote:
> I have a BIND 9.8.0-P2 server instance running on a production server.
Doing what, exactly? Resolving internal names only? Resolving Internet
names? Acting as an authoritative server for internal clients? Internet
clients? Some combination of the above?
> My firewall is showing repeated attempts by named.exe to connect to IP
> addresses in foreign countries on ports 6666, 6667 and 6669 - common
> IRC ports used by worms/trojans/zombies. Checking my named.exe file,
> it shows that it is unchanged from the installation source. Is this
> connection normal? Should I be allowing it?
>
TCP connections or UDP packets?
If you're serving authoritative data to Internet clients, then my guess
is your firewall simply isn't "stateful" enough to realize that these
are responses to DNS queries that originally came in from Internet
clients using those port numbers. Just because they are "common IRC
ports used by worms/trojans/zombies" doesn't preclude them from also
being chosen at random as the source ports of incoming queries to your
nameserver. Responses go back to the same port from which the query was
received.
If they're outgoing TCP connections, I'd be worried. Offhand, I can't
think of any legitimate reason why named would be trying to TCP-connect
to any port other than 53.
- Kevin
More information about the bind-users
mailing list