Fishy behaviour?

Mark E. Drummond mark.drummond at rmc.ca
Mon Jul 31 16:06:40 UTC 2000


"Mathias Körber" wrote:
> 
> b) If it's always the same sources that query your nameservers, it is likely
> that someone has configured your nameservers as forwarders for their
> nameservers (or pointed their resolvers at your nameservers). As you don't allow

They are all legit domains, icq.com, hotmail.com ... there are actually
two "patterns" here. One is a few odds and sods doing occasional, single
queries against the box; the other is various addresses within the 149.99
netblock doing 20-40 queries for many different sites in a matter of
seconds. That netblock is:

[mark@signals:~]$ whois 149.99.20@whois.arin.net
[whois.arin.net]
Fonorola (NET-FONOROLA-1)
   2550 Victoria Park Ave, Suite 200
   Toronto, ON M2J 5E6
   CA

   Netname: FONOROLA-1
   Netnumber: 149.99.0.0

   Coordinator:
      CallNet Enterprises Inc.  (ZC37-ARIN)  admin at sprint.ca
      416-496-1644-4949

   Domain System inverse mapping provided by:

   NS.INSINC.NET                204.50.250.1
   NS2.INSINC.NET               204.50.249.1

   Record last updated on 23-Feb-2000.
   Database last updated on 31-Jul-2000 06:17:46 EDT.

In the case of the occasional queries I can certainly see even my own
staff & students situated elsewhere setting this machine as their DNS
server. It is the queries from that block that caught my attention:


Jul 29 15:23:42 sol2.rmc.ca named[9589]: unapproved query from [149.99.116.36].1208 for "www.hotmail.com"
Jul 29 15:26:10 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1214 for "web.icq.com"
Jul 29 15:26:14 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1216 for "lc5.law5.hotmail.passport.com"
Jul 29 15:26:32 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1237 for "login.icq.com"
Jul 29 15:26:42 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1242 for "lw8fd.law8.hotmail.msn.com"
Jul 29 15:26:51 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1250 for "arc5.msn.com"
Jul 29 15:26:52 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1255 for "cm.linkexchange.com"
Jul 29 15:26:52 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1259 for "ads.msn.com"
Jul 29 15:26:55 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1263 for "lc6.law5.hotmail.passport.com"
Jul 29 15:26:58 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1269 for "www.hotmail.msn.com"
Jul 29 15:27:01 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1273 for "msn.ca"
Jul 29 15:27:01 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1276 for "ca.msn.com"
Jul 29 15:27:33 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1279 for "www.cnnsi.com"
Jul 29 15:27:34 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1282 for "sportsillustrated.cnn.com"
Jul 29 15:27:35 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1285 for "a1208.g.akamai.net"
Jul 29 15:27:36 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1290 for "images.cnnsi.com"
Jul 29 15:28:39 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1300 for "www.cnnaudience.com"

And whoever it is, they are always looking for the same general type of
systems: hotmail, msn, icq and others. It's repetitive. I'll email
the owner of the netblock.

-- 
Mark Drummond|ICQ#19153754|mailto:mark.drummond at rmc.ca
UNIX System Administrator|Royal Military College of Canada
The Kingston Linux Users Group|http://signals.rmc.ca/klug/
Saving the World ... One CPU at a Time

Please excuse me if I am terse. I answer dozens of emails every day.
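The two patterns Mark describes (a few one-off queries from scattered addresses versus a burst of many lookups from one netblock within seconds) can be separated mechanically from the "unapproved query" lines. The following is an added example, not code from the original post or from BIND: it parses that BIND 8 log format, measures each source's peak query rate over a sliding window, labels sources as "burst" or "occasional", and totals queries per /16 so the count can be lined up against a whois result. The 149.99.x.x lines are the entries quoted above, re-joined onto single lines; the two lines from 192.0.2.10 and 198.51.100.7 are constructed stand-ins for the occasional queries. The 60-second window, the burst threshold of 10 and the year 2000 for the year-less syslog timestamps are assumptions chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# BIND 8 "unapproved query" line format, as quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: '
    r'unapproved query from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\.(?P<port>\d+) '
    r'for "(?P<name>[^"]+)"$'
)

# Sample input: the 149.99.x.x entries are the post's own log lines re-joined;
# the last two lines (documentation addresses) are constructed for this example.
SAMPLE_LOG = """\
Jul 29 15:23:42 sol2.rmc.ca named[9589]: unapproved query from [149.99.116.36].1208 for "www.hotmail.com"
Jul 29 15:26:10 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1214 for "web.icq.com"
Jul 29 15:26:14 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1216 for "lc5.law5.hotmail.passport.com"
Jul 29 15:26:32 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1237 for "login.icq.com"
Jul 29 15:26:42 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1242 for "lw8fd.law8.hotmail.msn.com"
Jul 29 15:26:51 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1250 for "arc5.msn.com"
Jul 29 15:26:52 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1255 for "cm.linkexchange.com"
Jul 29 15:26:52 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1259 for "ads.msn.com"
Jul 29 15:26:55 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1263 for "lc6.law5.hotmail.passport.com"
Jul 29 15:26:58 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1269 for "www.hotmail.msn.com"
Jul 29 15:27:01 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1273 for "msn.ca"
Jul 29 15:27:01 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1276 for "ca.msn.com"
Jul 29 15:27:33 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1279 for "www.cnnsi.com"
Jul 29 15:27:34 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1282 for "sportsillustrated.cnn.com"
Jul 29 15:27:35 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1285 for "a1208.g.akamai.net"
Jul 29 15:27:36 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1290 for "images.cnnsi.com"
Jul 29 15:28:39 sol2.rmc.ca named[9589]: unapproved query from [149.99.20.83].1300 for "www.cnnaudience.com"
Jul 29 16:02:07 sol2.rmc.ca named[9589]: unapproved query from [192.0.2.10].1031 for "www.rmc.ca"
Jul 29 18:41:55 sol2.rmc.ca named[9589]: unapproved query from [198.51.100.7].2048 for "signals.rmc.ca"
"""

SYSLOG_YEAR = 2000  # assumption: syslog timestamps carry no year; taken from the post's date


def parse_unapproved(log_text):
    """Return one dict (ts, ip, port, name) per 'unapproved query' line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "ip": m["ip"], "port": int(m["port"]), "name": m["name"]})
    return records


def peak_queries_in_window(times, window_s):
    """Largest number of queries that fall inside any span of window_s seconds (two-pointer sweep)."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while (t - times[left]).total_seconds() > window_s:
            left += 1
        best = max(best, right - left + 1)
    return best


def classify_sources(records, window_s=60, burst_threshold=10):
    """Per source IP: query total, distinct names, peak rate, and a burst/occasional label.
    window_s and burst_threshold are assumed values for this example."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    result = {}
    for ip, rs in by_ip.items():
        peak = peak_queries_in_window([r["ts"] for r in rs], window_s)
        result[ip] = {
            "queries": len(rs),
            "distinct_names": len({r["name"] for r in rs}),
            "peak_in_window": peak,
            "label": "burst" if peak >= burst_threshold else "occasional",
        }
    return result


def queries_by_netblock(records, prefixlen=16):
    """Total queries per /prefixlen, so the count can be matched against a whois lookup of the block."""
    counts = defaultdict(int)
    for r in records:
        counts[str(ip_network(f"{r['ip']}/{prefixlen}", strict=False))] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_unapproved(SAMPLE_LOG)
    for ip, info in sorted(classify_sources(recs).items()):
        print(f"{ip:16} {info}")
    print(queries_by_netblock(recs))
```

On the quoted lines, 149.99.20.83 reaches 12 queries for 12 distinct names within one 60-second window and is labelled a burst, while 149.99.116.36 and the two constructed sources each show a single query and stay "occasional". Thresholds are deliberately parameters: a forwarder misconfiguration and a scripted lookup both produce bursts, and the log alone does not distinguish them, so the netblock total is what you take to the whois contact.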


