Botnet Queries to MXes against cache

Gushi google at gushi.org
Mon Sep 8 17:23:59 UTC 2008


This isn't a request for help so much as a story for anyone else who's
seeing similar things:

Okay,

I have logwatch set up on my cobalt raq3.

Logwatch is cool. It emails you everything in the logfiles, you define
great regular expressions as to what's harmless noise, and keep going
till it's only the critical stuff that you get.

I just got a mail FULL of the following:

client 123.17.150.226 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ALT2.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX2.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX3.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX4.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX5.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.59.189 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)

So after I dig around for a bit (no pun intended), I realize.

What I'm looking at is a whole bunch of terribly broken DNS
implementations. DNS implementations that bypass a host's DNS entry,
and directly query ME instead of looking something up directly.

All the domains above are A records (address records) that are pointed
to by MX (mail exchanger) records. I host sites that use those MXes,
but I don't host (obviously) googlemail.com.

Okay, so I know why this is happening. It's mostly harmless.

My options:

1) Tune logwatch so I don't get these.

2) Tune BIND so it doesn't log these hits.

3) Use this information to feed a real-time blacklist -- it's fairly
easy to write the parser but from the looks of it, most of these IPs
are already on RBLs I use (spamhaus PBL, CBL).

4) Find a way (as recursive as this sounds) to block queries to my DNS
server, based on this blacklist. I don't think BIND supports such a
feature.

Any comments?

-Dan
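An added example, not part of Dan's post, of the parser that option 3 describes, written in Python: it re-joins logwatch lines that the mail client wrapped, tallies denied cache queries per client, keeps only clients that probed several distinct MX hostnames, and renders a BIND `acl` block that an `options { blackhole { ... }; }` stanza can reference. The threshold, the acl name and the sample lines below are constructed, not taken from a live server.

```python
import re
from collections import defaultdict

# One logwatch-summarised BIND line once unwrapped, e.g.
#   client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
LINE_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN' denied: (?P<count>\d+) Time\(s\)"
)

def unwrap(text):
    """Re-join entries that the mail client wrapped onto a second line."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("client ") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse(text):
    """Return {client_ip: {queried_name_lowercased: total_denied}}."""
    per_client = defaultdict(lambda: defaultdict(int))
    for entry in unwrap(text):
        m = LINE_RE.match(entry)
        if m:  # anything else in the logwatch mail is ignored
            per_client[m["ip"]][m["name"].lower()] += int(m["count"])
    return per_client

def suspects(per_client, min_names=3):
    """Clients that probed at least min_names distinct MX hostnames; a single
    stray lookup is not enough to get a client listed (threshold is constructed)."""
    return sorted(ip for ip, names in per_client.items() if len(names) >= min_names)

def bind_acl(ips, name="mx-probers"):
    """Render an acl block that named.conf can reference from blackhole { }."""
    return f"acl {name} {{\n" + "".join(f"    {ip};\n" for ip in ips) + "};\n"

# Constructed sample, wrapped the way the post's mail client wrapped it.
SAMPLE = """\
client 123.17.150.226 query (cache) 'mail.peregrinehw.com/A/IN'
denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN'
denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1
Time(s)
client 123.18.118.42 query (cache) 'ASPMX2.GOOGLEMAIL.com/A/IN'
denied: 1 Time(s)
"""
```

Running `print(bind_acl(suspects(parse(SAMPLE))))` lists only 123.18.118.42, because the single mail.peregrinehw.com lookup from 123.17.150.226 stays below the threshold.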
