Preventing a particular type of nameserver abuse
Carl Byington
carl at byington.org
Wed Apr 14 17:47:40 UTC 2021
On Wed, 2021-04-14 at 12:58 -0400, Paul Kosinski via bind-users wrote:
> Interesting, although we host different domains, in and from different
> geographic areas, we got the same queries as yours on the same day,
> with some at about the same time (we're EDT).
> 13-Apr-2021 02:19:58.468 security: info: client 76.20.145.58#3074
> (sl): query (cache) 'sl/ANY/IN' denied
> 13-Apr-2021 02:19:58.638 security: info: client 76.20.145.58#3074
> (sl): query (cache) 'sl/ANY/IN' denied
These times are PDT (-0700):
Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074
(sl): view normal: query (cache) 'sl/ANY/IN' denied
Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074
(sl): view normal: query (cache) 'sl/ANY/IN' denied
....
Apr 12 23:19:15 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074
(sl): view normal: query (cache) 'sl/ANY/IN' denied
So either 76.20.145.58, or someone forging that source ip, made queries
to servers in (+0000), (-0400), and (-0700) at the same time. Malware
running on 76.20.145.58 is one explanation. Would the REFUSED replies
carry enough information from the original query to be used as a covert
communication channel into something listening on 76.20.145.58?
vpn over dns query-refused replies? That seems a bit far-fetched.
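The comparison above is done by hand: each list member converts their own server's local timestamps to a common zone and eyeballs whether the same client and query show up elsewhere at the same moment. The following is an added example (not code from the thread or from BIND) that automates that check. It parses both log layouts quoted in the thread (named's own "13-Apr-2021 02:19:58.468 security: info: ..." format and the syslog "Apr 12 23:18:13 ns named[5091]: ..." format), normalises every timestamp to UTC using a per-server offset, and reports client/query pairs that were denied on more than one server within a short window. The server names "ns-east" and "ns-west", the offsets, the syslog year and the extra 192.0.2.10 line are constructed for the example; the other sample lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Two BIND "query denied" layouts seen in the thread: named's native
# timestamp layout and the syslog layout (which carries no year).
BIND_NATIVE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)? "
    r"security: info: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): (?:view (?P<view>\S+): )?query \(cache\) "
    r"'(?P<q>[^']+)' denied")
SYSLOG = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): (?:view (?P<view>\S+): )?query \(cache\) "
    r"'(?P<q>[^']+)' denied")


def parse_line(line, tz_offset_hours, syslog_year=None):
    """Parse one denied-query line from either layout.

    Returns a dict with the timestamp converted to UTC, the client IP and
    source port, and the 'name/type/class' query string, or None when the
    line is not a 'query (cache) ... denied' message.
    """
    tz = timezone(timedelta(hours=tz_offset_hours))
    m = BIND_NATIVE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    else:
        m = SYSLOG.match(line)
        if not m:
            return None
        if syslog_year is None:
            raise ValueError("syslog layout carries no year; pass syslog_year")
        ts = datetime.strptime(f"{syslog_year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "utc": ts.replace(tzinfo=tz).astimezone(timezone.utc),
        "ip": m["ip"],
        "port": int(m["port"]),
        "query": m["q"],
    }


def correlate(servers, window=timedelta(minutes=5)):
    """servers: {server_name: (tz_offset_hours, syslog_year_or_None, [lines])}.

    Returns a list of (ip, query, first_utc, last_utc, server_names) for every
    (client, query) pair denied on at least two different servers, where the
    denials form a run with no gap larger than `window` between neighbours.
    """
    seen = defaultdict(list)  # (ip, query) -> [(utc, server_name)]
    for name, (offset, year, lines) in servers.items():
        for line in lines:
            ev = parse_line(line, offset, year)
            if ev:
                seen[(ev["ip"], ev["query"])].append((ev["utc"], name))

    hits = []
    for (ip, q), events in seen.items():
        events.sort()
        cluster = [events[0]]
        # Walk the time-ordered events; a None sentinel flushes the last run.
        for ev in events[1:] + [None]:
            if ev is not None and ev[0] - cluster[-1][0] <= window:
                cluster.append(ev)
                continue
            names = sorted({s for _, s in cluster})
            if len(names) >= 2:
                hits.append((ip, q, cluster[0][0], cluster[-1][0], names))
            if ev is not None:
                cluster = [ev]
    return hits


# Constructed sample: "ns-east" runs at -0400 (EDT) with named-native
# timestamps, "ns-west" at -0700 (PDT) with syslog timestamps. The
# 192.0.2.10 line is constructed single-server noise that must not match.
SAMPLE = {
    "ns-east": (-4, None, [
        "13-Apr-2021 02:19:58.468 security: info: client 76.20.145.58#3074 "
        "(sl): query (cache) 'sl/ANY/IN' denied",
        "13-Apr-2021 02:19:58.638 security: info: client 76.20.145.58#3074 "
        "(sl): query (cache) 'sl/ANY/IN' denied",
    ]),
    "ns-west": (-7, 2021, [
        "Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 "
        "(sl): view normal: query (cache) 'sl/ANY/IN' denied",
        "Apr 12 23:19:15 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 "
        "(sl): view normal: query (cache) 'sl/ANY/IN' denied",
        "Apr 12 23:40:00 ns named[5091]: client @0x7fda540105b8 192.0.2.10#4444 "
        "(example.com): view normal: query (cache) 'example.com/ANY/IN' denied",
    ]),
}

if __name__ == "__main__":
    for ip, q, first, last, names in correlate(SAMPLE):
        print(f"{ip} {q}: {first.isoformat()} .. {last.isoformat()} on {', '.join(names)}")
```

Run against the two quoted log excerpts, the script reports a single cluster for 76.20.145.58 asking 'sl/ANY/IN' between 06:18:13 and 06:19:58 UTC on both servers, which is the same observation the thread reaches by converting zones by hand. The same source port (3074) on every line is already visible in the raw logs and is the kind of detail worth keeping in the parsed record when deciding whether the source address is genuine or forged.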