huge count of DNS deny hits

babu dheen babudheen at yahoo.co.in
Wed Jan 11 13:25:10 UTC 2012


Thanks Fajar.
 
I will handle it further.
 
Regards
Babu

--- On Wed, 11/1/12, Fajar A. Nugraha <work at fajar.net> wrote:


From: Fajar A. Nugraha <work at fajar.net>
Subject: Re: huge count of DNS deny hits
To: "babu dheen" <babudheen at yahoo.co.in>
Cc: bind-users at lists.isc.org
Date: Wednesday, 11 January, 2012, 1:59 PM


On Wed, Jan 11, 2012 at 1:27 PM, babu dheen <babudheen at yahoo.co.in> wrote:
>
> Dear Fajar,
>
>  Below logs taken from Internal DNS server running in Microsoft DNS.

Then why did you ask this list instead of contacting MS support?

> I checked the client AV status, everything is fine (system is up to date with DAT from McAfee AV and no threat found in the complete scan output).
>
> But really no idea why it happens. Client is pointed to use a different DNS server, but the DNS flood query is being sent to another DNS server.

AV doesn't catch all threats.

Anyway, from BIND's perspective, a DNS query asking for the BIND version
is a valid TXT query. But the query can be used by malware,
vulnerability scanners, or hackers looking for vulnerable BIND
versions.

In a way, it's similar to ICMP echo (i.e. ping) packets. It's a valid
packet, but a lot of viruses and malware use it to determine which
neighbouring hosts to attack. How do you handle ICMP flood cases? The
same mechanism should be applicable in this case.

-- 
Fajar
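An added example, not part of this thread: a small Python script that parses constructed BIND 9 query-log lines and applies the rate rule Fajar suggests, flagging sources that send version.bind/hostname.bind CH TXT queries faster than a threshold. The log format, addresses and thresholds are assumptions; Babu's Microsoft DNS logs use a different layout and would need their own regex.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the classic BIND 9 query-log layout (an assumption).
SAMPLE_LOG = """\
11-Jan-2012 13:20:01.101 client 192.0.2.10#5353: query: version.bind CH TXT + (203.0.113.1)
11-Jan-2012 13:20:01.102 client 192.0.2.10#5354: query: version.bind CH TXT + (203.0.113.1)
11-Jan-2012 13:20:01.103 client 192.0.2.10#5355: query: version.bind CH TXT + (203.0.113.1)
11-Jan-2012 13:20:02.500 client 192.0.2.44#40123: query: www.example.com IN A + (203.0.113.1)
11-Jan-2012 13:21:30.001 client 198.51.100.7#6000: query: VERSION.BIND CH TXT + (203.0.113.1)
11-Jan-2012 13:22:05.222 client 192.0.2.10#5356: query: hostname.bind CH TXT + (203.0.113.1)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<src>[\d.:a-fA-F]+)#\d+: "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) "
)

# CHAOS-class names that reveal server version/identity.
RECON_NAMES = {"version.bind", "hostname.bind"}

def parse_query_log(text):
    """Yield (timestamp, source_ip, qname, qclass, qtype) for each query-log line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
                   m["src"], m["name"].lower().rstrip("."), m["class"], m["type"])

def recon_queries_by_source(text):
    """Count CH TXT queries for version.bind/hostname.bind per source address."""
    counts = Counter()
    for _, src, name, qclass, qtype in parse_query_log(text):
        if qclass == "CH" and qtype == "TXT" and name in RECON_NAMES:
            counts[src] += 1
    return counts

def flag_sources(text, max_hits=3, window_seconds=60):
    """Flag sources sending max_hits recon queries within window_seconds (ICMP-flood style rule)."""
    per_src = defaultdict(list)
    for ts, src, name, qclass, qtype in parse_query_log(text):
        if qclass == "CH" and qtype == "TXT" and name in RECON_NAMES:
            per_src[src].append(ts)
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_hits:
                flagged.add(src)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(recon_queries_by_source(SAMPLE_LOG))  # Counter({'192.0.2.10': 4, '198.51.100.7': 1})
    print(flag_sources(SAMPLE_LOG))             # ['192.0.2.10']
```

Sources the rule flags are candidates for the same handling as an ICMP flood source (rate limiting or blocking at the firewall), while a single version.bind query from a known scanner is left alone.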