Suspicious DNS traffic
Mark Andrews
marka at isc.org
Sun Mar 24 21:33:12 UTC 2013
In message <1364140396.42023.YahooMailNeo at web190806.mail.sg3.yahoo.com>, babu dheen writes:
>
> Dear,
>
> We have a caching DNS server and only certain PTR records (reverse entry
> verification purpose) are allowed from the internet. But I am observing
> suspicious DNS traffic from my BIND caching DNS server towards the
> 67.215.80.15, 67.215.80.13, 207.192.69.4, 67.227.239.85 IP addresses on
> destination ports 1033, 1090, 1743, etc. Since we haven't allowed
> non-standard ports from our DNS server to public DNS servers, it's dropped
> in the firewall.
>
> Any idea as to why our company DNS server is contacting external IPs on
> non-standard ports?
It's contacting it on port 53. You are allowing the query out but
denying the response.
> Below are the logs taken from the DNS server for one of the destination IP
> addresses.
> ############################################################################
>
> client 67.215.80.15#58230: view localhost_resolver: query (cache)
> '109.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#18395: view localhost_resolver: query (cache)
> '86.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#34068: view localhost_resolver: query (cache)
> '114.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#20915: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#64724: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#16374: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#30391: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#17745: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#36163: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#6391: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#37586: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#55208: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#40076: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
>
> Below are the firewall logs:
> #########################
> action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip
> dst=67.215.80.15 src_port=53 dst_port=16529
> action=Permit sent=0 rcvd=0 src=67.215.80.15
> dst=our_company_DNS_server_ip src_port=52370 dst_port=53
>
>
> Regards
> Babu
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
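An added example (not part of the thread) that makes Mark's point checkable on the firewall log format quoted above: it parses the key=value lines and separates DNS replies leaving port 53 from real outbound connections on non-standard ports, pairing each reply with the permitted inbound query from the same peer. The placeholder `our_company_DNS_server_ip`, the sample lines and the third peer 203.0.113.7 are constructed; the labels are this example's own.

```python
# Added example: classify the firewall log lines quoted in this thread.
# A denied 'src=<our DNS> src_port=53 dst_port=16529' packet is not the resolver
# contacting a host on a non-standard port; it is the UDP reply to a query that
# peer sent to port 53 and the firewall let in. Sample lines are constructed in
# the quoted key=value layout; 203.0.113.7 is a made-up peer for the third label.
import re

OUR_DNS = "our_company_DNS_server_ip"  # placeholder name used in the thread

FIREWALL_LOG = """\
action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53
action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529
action=Deny sent=0 rcvd=98 src=our_company_DNS_server_ip dst=67.227.239.85 src_port=53 dst_port=1090
action=Deny sent=0 rcvd=60 src=our_company_DNS_server_ip dst=203.0.113.7 src_port=44123 dst_port=1033
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict, with ports as ints."""
    rec = dict(KV_RE.findall(line))
    for key in ("src_port", "dst_port"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def classify(records, our_ip=OUR_DNS):
    """Label each denied packet leaving the DNS server:
    dns_response   - from port 53 to a peer the firewall permitted to query us
    unpaired_53    - reply-shaped, but no matching permitted query was seen
    outbound_other - not from port 53; a resolver's replies never look like this
    """
    queried_us = {r["src"] for r in records if r.get("action") == "Permit"
                  and r.get("dst") == our_ip and r.get("dst_port") == 53}
    verdicts = {}
    for r in records:
        if r.get("action") != "Deny" or r.get("src") != our_ip:
            continue
        if r["src_port"] == 53:
            label = "dns_response" if r["dst"] in queried_us else "unpaired_53"
        else:
            label = "outbound_other"
        verdicts[(r["dst"], r["dst_port"])] = label
    return verdicts


def analyse(text=FIREWALL_LOG):
    return classify([parse_line(l) for l in text.splitlines() if l.strip()])
```

Run against a real export, only the `outbound_other` rows describe the resolver initiating traffic to a non-standard port; the `dns_response` rows are replies that a stateful rule for UDP/53 would have let back out.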