strange queries in my DNS
Victor Hugo dos Santos
listas.vhs at gmail.com
Thu Apr 21 18:54:36 UTC 2011
Hello masters.
Last week I had strange queries logged in my DNS. At that moment I only blocked the source IP (77.204.11.139) and forgot about the matter.
But today I have the same query registered in my logs, this time from another source (208.100.46.116).
==================
21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.143 queries: info: client 208.100.46.116#6674: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.205 queries: info: client 208.100.46.116#21602: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.269 queries: info: client 208.100.46.116#55331: view externo: query: . ANY RESERVED0 +
==================
Now I have the new IP blocked, but if I unblock it, the server shows 20/30 queries per second from this IP!!!
The configuration has 2 views, recursion is disabled for outside, and the version of BIND is bind-9.3.6-16.P1.el5.
The tcpdump content is:
==============================
victor at vhs-desk:~/scripts$ cat /tmp/dns2
No. Time Source Destination Protocol Info
63 3.897624 208.100.46.116 10.0.0.10 DNS Standard query Unused <Root>
Frame 63 (63 bytes on wire, 63 bytes captured)
Arrival Time: Apr 21, 2011 15:16:27.805270000
[Time delta from previous captured frame: 0.062700000 seconds]
[Time delta from previous displayed frame: 0.062700000 seconds]
[Time since reference or first frame: 3.897624000 seconds]
Frame Number: 63
Frame Length: 63 bytes
Capture Length: 63 bytes
[Frame is marked: False]
[Protocols in frame: sll:ip:udp:dns]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: HewlettP_4d:a7:2e (00:18:71:4d:a7:2e)
Protocol: IP (0x0800)
Internet Protocol, Src: 208.100.46.116 (208.100.46.116), Dst: 10.0.0.10 (10.0.0.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 47
Identification: 0x4081 (16513)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 244
Protocol: UDP (0x11)
Header checksum: 0x7d5a [correct]
[Good: True]
[Bad : False]
Source: 208.100.46.116 (208.100.46.116)
Destination: 10.0.0.10 (10.0.0.10)
User Datagram Protocol, Src Port: 34062 (34062), Dst Port: domain (53)
Source port: 34062 (34062)
Destination port: domain (53)
Length: 27
Checksum: 0x0000 (none)
Domain Name System (query)
Transaction ID: 0x800e
Flags: 0x0100 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
<Root>: type Unused, class ANY
Name: <Root>
Type: Unused (unused)
Class: ANY (0x00ff)
===================
So... any idea?
Thanks
--
Victor Hugo dos Santos
Linux Counter #224399
More information about the bind-users mailing list
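The pattern in the log above (name ".", class ANY, type RESERVED0, recursion-desired flag "+") is the same thing the capture shows as "Type: Unused" with "Class: ANY (0x00ff)": QTYPE 0 is a reserved value that no normal resolver ever sends. The script below is an added example, not code from the original post or from BIND; it parses the BIND 9 query-log format quoted in the message, flags questions with a reserved QTYPE, QCLASS ANY or the root name, and counts queries per client per second so a flood like the "20/30 queries per second" described above is visible in the log before anyone reaches for a packet capture. The first four sample lines are the ones from the post; the remaining lines, the 192.0.2.10 client and the 10-qps threshold are constructed for the example.

```python
"""Triage BIND 9 query-log lines for the ". ANY RESERVED0" pattern.

Added example (not from the post or from BIND). Parses the query-log
format shown in the message, flags questions that legitimate resolvers
do not send, and computes a per-client peak queries-per-second figure.
"""
import re
from collections import Counter, defaultdict

# BIND 9 query-log format as it appears in the post:
#   <date> <time>.<ms> queries: info: client <ip>#<port>: view <view>:
#       query: <name> <class> <type> <flags>
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.(?P<ms>\d{3}) "
    r"queries: info: client (?P<client>[\d.]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): query: (?P<name>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>\S*)$"
)

# Constructed sample: the first four lines are the ones quoted in the post;
# the rest are made-up ordinary lookups from a second, well-behaved client.
SAMPLE_LOG = """\
21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.143 queries: info: client 208.100.46.116#6674: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.205 queries: info: client 208.100.46.116#21602: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.269 queries: info: client 208.100.46.116#55331: view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.500 queries: info: client 192.0.2.10#40001: view externo: query: www.example.com IN A -
21-Apr-2011 15:20:17.010 queries: info: client 192.0.2.10#40002: view externo: query: example.com IN MX -
21-Apr-2011 15:20:17.300 queries: info: client 208.100.46.116#60010: view externo: query: . ANY RESERVED0 +
"""

# QTYPE 0 is reserved; BIND prints it as RESERVED0, other tools as TYPE0.
RESERVED_TYPES = {"RESERVED0", "TYPE0"}


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["second"] = rec["ts"]  # whole-second bucket key for rate counting
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def suspicious_reasons(rec):
    """List why a query looks hostile; empty list means it looks ordinary."""
    reasons = []
    if rec["qtype"] in RESERVED_TYPES:
        reasons.append("reserved QTYPE 0 is never a valid question type")
    if rec["qclass"] == "ANY":
        reasons.append("QCLASS ANY is not sent by normal resolvers")
    if rec["name"] == ".":
        reasons.append("question for the root name '.'")
    return reasons


def per_second_peaks(records):
    """Return {client: highest number of queries seen in any one second}."""
    buckets = Counter((r["client"], r["second"]) for r in records)
    peak = defaultdict(int)
    for (client, _second), n in buckets.items():
        peak[client] = max(peak[client], n)
    return dict(peak)


def triage(text, qps_threshold=10):
    """Per-client summary: totals, suspicious count, peak qps, block verdict."""
    records = parse_log(text)
    flagged = Counter(r["client"] for r in records if suspicious_reasons(r))
    totals = Counter(r["client"] for r in records)
    peaks = per_second_peaks(records)
    report = {}
    for client, total in totals.items():
        report[client] = {
            "total": total,
            "suspicious": flagged.get(client, 0),
            "peak_qps": peaks.get(client, 0),
            # Block on any reserved/ANY/root question, or on raw volume alone.
            "block": flagged.get(client, 0) > 0
            or peaks.get(client, 0) >= qps_threshold,
        }
    return report


if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(client, info)
```

Run it against a real query log with `triage(open("/var/log/named/queries.log").read())`; the "suspicious" count is the reliable signal here, since a single ". ANY RESERVED0" question is already abnormal regardless of rate, while the peak-qps figure only confirms the flood the poster saw after unblocking the address.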