huge count of DNS deny hits

babu dheen babudheen at yahoo.co.in
Wed Jan 11 06:27:39 UTC 2012


Dear Fajar,

The logs below were taken from the internal DNS server running Microsoft DNS. I checked the client's AV status and everything is fine (the system is up to date with DAT from McAfee AV and no threat was found in the complete scan output).

But I really have no idea why it happens. The client is pointed to use a different DNS server, but the DNS query flood is being sent to another DNS server.

Regards
Babu

--- On Wed, 11/1/12, Fajar A. Nugraha <work at fajar.net> wrote:


From: Fajar A. Nugraha <work at fajar.net>
Subject: Re: huge count of DNS deny hits
To: "babu dheen" <babudheen at yahoo.co.in>
Cc: bind-users at lists.isc.org
Date: Wednesday, 11 January, 2012, 10:55 AM


On Wed, Jan 11, 2012 at 12:11 PM, babu dheen <babudheen at yahoo.co.in> wrote:
>
> Hi,
>
> I enabled the logs in the DNS server and I found the lines below from this client continuously..
>
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000005B489B0 UDP Snd <Client IP>    1f23   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Rcv <Client IP>   c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Snd <Client IP>     c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000004D728F0 UDP Rcv <Client IP>   a96a   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
>

What log is this? AFAIK BIND log does not look like this. Is this firewall log?

> Is it something to do with Multicast DNS?

... and how did you determine that? wild guess?

> Can you give me more details about Multicast DNS

Try google, although I don't think that's your problem.

It might simply be the case that the client is infected with a
virus/malware which targets a vulnerability in certain versions of BIND,
so it'd make sense that it first sends out a DNS query that asks for the
BIND version number (e.g.
http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html)

Some things you might be able to do:
- set up a firewall rule that can rate-limit UDP packets from any client
(e.g. iptables can do this)
- make sure your BIND version is up to date (well, that's true for any
other software)
- configure named.conf not to show its version (use Google or the BIND
manual to find out how)

With those three steps in place, it shouldn't matter what queries the
client does, as the system will either ignore it, reply with useless
information, or automatically block it. However, if it still causes
problems (e.g. lots of UDP traffic eating up your bandwidth), then simply
block the client manually.

-- 
Fajar
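To work out which client is sending the version.bind probes in a Microsoft DNS debug log like the one quoted above (and therefore which client to rate-limit or block, as the steps suggest), here is an added Python example that is not from the thread or from either poster; the IP addresses, log lines and hit threshold in it are constructed.

```python
import re
from collections import Counter

# One Microsoft DNS debug-log PACKET line, in the layout quoted in the thread:
# date time tid PACKET pkt-id proto Snd|Rcv remote-ip xid Q|R [flags] qtype qname
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<tid>[0-9A-F]{4}) PACKET\s+"
    r"(?P<pkt>[0-9A-F]+) (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]{4})\s+(?P<qr>[QR]) \[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)
# The log writes names as length-prefixed labels: (7)version(4)bind(0)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(wire: str) -> str:
    """Turn '(7)version(4)bind(0)' into 'version.bind' (root label dropped)."""
    labels = [lbl for n, lbl in LABEL_RE.findall(wire) if int(n) > 0]
    return ".".join(labels).lower()


def parse_line(line: str):
    """Return the fields of one PACKET line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = decode_name(rec["qname"])
    return rec


def version_bind_probes(lines, min_hits=3):
    """Count received version.bind TXT queries per source IP; keep those at/above min_hits.
    Only 'Rcv' + 'Q' lines are counted so the server's own 'Snd' lines for the same
    transaction are not double-counted."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["dir"] == "Rcv" and rec["qr"] == "Q"
                and rec["qtype"] == "TXT" and rec["qname"] == "version.bind"):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


# Constructed sample log (documentation-range IPs, not real clients).
SAMPLE_LOG = [
    "1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Rcv 192.0.2.10   c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)",
    "1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Snd 192.0.2.10     c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)",
    "1/10/2012 9:14:30 AM 0FDC PACKET  0000000004D728F0 UDP Rcv 192.0.2.10   a96a   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)",
    "1/10/2012 9:14:31 AM 0FDC PACKET  0000000005B489B0 UDP Rcv 192.0.2.10   1f23   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)",
    "1/10/2012 9:14:31 AM 0FDC PACKET  0000000005B489B0 UDP Rcv 192.0.2.10   2a44   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)",
    "1/10/2012 9:14:31 AM 0FDC PACKET  0000000004D728F0 UDP Rcv 192.0.2.20   1a2b   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "1/10/2012 9:14:32 AM 0FDC PACKET  0000000004D728F0 UDP Rcv 192.0.2.20   3c3d   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)",
]

if __name__ == "__main__":
    print(version_bind_probes(SAMPLE_LOG))  # {'192.0.2.10': 4}
```

On a real server, feed the contents of the debug log file to version_bind_probes() and pass the resulting IPs to whatever rate-limit or block rule you apply at the firewall.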