huge count of DNS deny hits

babu dheen babudheen at yahoo.co.in
Mon Jan 9 06:37:58 UTC 2012


Dear Sebastian,
 
Thanks for the update. I would like to inform you about another finding on this: my IPS report shows "DNS version request" from the below-mentioned client to my DNS server more than 2000 times.
 
Unfortunately, I have not enabled logs in my internal DNS server.
 
Any idea?
 
Regards
Babu

--- On Mon, 9/1/12, Sebastian Tymków <sebastian.tymkow at gmail.com> wrote:


From: Sebastian Tymków <sebastian.tymkow at gmail.com>
Subject: Re: huge count of DNS deny hits
To: "babu dheen" <babudheen at yahoo.co.in>
Date: Monday, 9 January, 2012, 1:39 AM


Hello,

Did you check what kind of queries your client performed?
Sometimes I saw hits like yours on my DNS servers. When I checked my logs I saw that most queries asked for the same internet address, which suggested to me that the client might have a virus.

Best regards,

Shamrock 


On Sun, Jan 8, 2012 at 2:03 PM, babu dheen <babudheen at yahoo.co.in> wrote:






Dear All,
 
Today we noticed one peculiar issue in our firewall logs. We have an internal DNS server running BIND, which is protected by a firewall. All clients are allowed to perform DNS lookups using our internal BIND DNS server (so only UDP 53 is allowed from the LAN to the DNS server in the firewall).
 
But we noticed many DNS deny hits from the internal BIND server to one client server (hit count around 6,00,00,000) in a day, and at the same time we saw around 5,00,000 allowed DNS lookup hits from that particular client to the internal DNS server.
 
Can you guide me in what situation this kind of problem can occur?
 
 
Regards
Babu
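
An added example, not part of the original thread: one way to run the per-client check Sebastian describes, assuming query logging has been turned on in BIND and the log uses the BIND 9 `client IP#port: query: name class type` line layout. The sample lines, addresses, thresholds and function names are constructed, and reading the IPS's "DNS version request" as a `version.bind` CH TXT query is an assumption.

```python
import re
from collections import Counter, defaultdict

# BIND 9 query-log line; newer releases add "@0x... " and "(qname)" near the client.
LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+.*?: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

def _line(sec, ip, name, cls, qtype):
    # Constructed sample line, not taken from the thread.
    return (f"09-Jan-2012 06:30:{sec:02d}.000 client {ip}#40000: "
            f"query: {name} {cls} {qtype} + (192.0.2.53)")

SAMPLE_LOG = "\n".join(
    [_line(i, "192.0.2.10", "same-host.example.test", "IN", "A") for i in range(8)]
    + [_line(10 + i, "192.0.2.10", "version.bind", "CH", "TXT") for i in range(2)]
    + [_line(20 + i, "192.0.2.20", n + ".example.test", "IN", "A")
       for i, n in enumerate("abc")]
)

def parse(log_text):
    """Yield (client_ip, qname, qclass, qtype) for every query line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["name"].lower().rstrip("."), m["cls"], m["type"]

def summarize(log_text, min_queries=5, dominance=0.8):
    """Per client: volume, most repeated query and its share, version probes."""
    per_client, probes = defaultdict(Counter), Counter()
    for ip, name, cls, qtype in parse(log_text):
        per_client[ip][(name, qtype)] += 1
        if cls == "CH" and name == "version.bind":  # assumed "DNS version request"
            probes[ip] += 1
    report = {}
    for ip, names in per_client.items():
        total = sum(names.values())
        (top_name, top_type), top_count = names.most_common(1)[0]
        report[ip] = {
            "total": total,
            "top_query": f"{top_name} {top_type}",
            "top_share": round(top_count / total, 2),
            "version_probes": probes[ip],
            # One name dominating a busy client's traffic is worth a closer look.
            "suspicious": total >= min_queries and top_count / total >= dominance,
        }
    return report

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
```
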
 