bind-users Digest, Vol 2448, Issue 2

Amit Kumar Gupta jtosys at bol.net.in
Thu Jul 28 06:46:49 UTC 2016


Dear Sir,


For checking the source port randomness of your DNS, please refer to the
website tool below.
https://www.dns-oarc.net/oarc/services/dnsentropy


Regards
Manager(Internet-Systems)
MTNL Delhi
 



-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of
bind-users-request at lists.isc.org
Sent: Wednesday, July 27, 2016 7:28 PM
To: bind-users at lists.isc.org
Subject: bind-users Digest, Vol 2448, Issue 2

Send bind-users mailing list submissions to
	bind-users at lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
	bind-users-request at lists.isc.org

You can reach the person managing the list at
	bind-users-owner at lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."


Today's Topics:

   1. RE: outgoing-traffic (Abdul Khader)
   2. RE: outgoing-traffic (Abdul Khader)
   3. Re: outgoing-traffic (S Carr)
   4. RE: outgoing-traffic (Ejaz)
   5. RE: outgoing-traffic (Tony Finch)
   6. RE: outgoing-traffic (Ejaz)
   7. Re: outgoing-traffic (S Carr)

----------------------------------------------------------------------

Message: 1
Date: Wed, 27 Jul 2016 16:04:20 +0400
From: Abdul Khader <akhader at ies.etisalat.ae>
To: Ejaz <mejaz at cyberia.net.sa>, 'S Carr' <sjcarr at gmail.com>
Cc: bind-users at lists.isc.org
Subject: RE: outgoing-traffic
Message-ID: <1rbvvxed9l9m1vf2w9ty4v34.1469621060846 at email.android.com>
Content-Type: text/plain; charset=utf-8

You can use tcpdump on your DNS server to take the trace.

Command would be like below.

tcpdump -i any port 53 -w trace.pcap

You can share trace.pcap with us.

Regards
Abdul Khader

Ejaz <mejaz at cyberia.net.sa> wrote:

>
>Thank you.
>
>The traffic will go to the router, which is handled by the Network dept. The
>fear is that the router may crash if we start enabling the packet capture,
>since it is layer 7.
>
>Is it advisable to deny outbound UDP port 0 from the DNS servers, after
>enabling the firewall?
>
>
>Ejaz 
>
>-----Original Message-----
>From: S Carr [mailto:sjcarr at gmail.com] 
>Sent: Wednesday, July 27, 2016 10:51 AM
>To: Ejaz <mejaz at cyberia.net.sa>
>Cc: bind-users <bind-users at lists.isc.org>
>Subject: Re: outgoing-traffic
>
>On 27 July 2016 at 08:41, Ejaz <mejaz at cyberia.net.sa> wrote:
>> Thanks for all.
>>
>> But the strange thing is that if the request comes in on port 53 then it
>> should go out only from 53, shouldn't it? Why does it go out from 0? Any
>> clue would be highly appreciated.
>>
>> Regards
>> Ejaz
>
>Where's the packet capture to review?
>
>_______________________________________________
>Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>unsubscribe from this list
>
>bind-users mailing list
>bind-users at lists.isc.org
>https://lists.isc.org/mailman/listinfo/bind-users

------------------------------

Message: 2
Date: Wed, 27 Jul 2016 16:51:02 +0400
From: Abdul Khader <akhader at ies.etisalat.ae>
To: Ejaz <mejaz at cyberia.net.sa>, 'S Carr' <sjcarr at gmail.com>
Cc: bind-users at lists.isc.org
Subject: RE: outgoing-traffic
Message-ID: <23iajc73wkjxjadvv3sa0dsa.1469623862795 at email.android.com>
Content-Type: text/plain; charset=utf-8

Did not find any attachment.

Ejaz <mejaz at cyberia.net.sa> wrote:

>Thank you so much Abdul for your instant support.
>
>As requested, find the attached.
>
>
>Ejaz 
>-----Original Message-----
>From: akhader at ies.etisalat.ae [mailto:akhader at ies.etisalat.ae] 
>Sent: Wednesday, July 27, 2016 3:04 PM
>To: Ejaz <mejaz at cyberia.net.sa>; 'S Carr' <sjcarr at gmail.com>
>Cc: bind-users at lists.isc.org
>Subject: RE: outgoing-traffic
>
>You can use tcpdump on your DNS server to take the trace.
>
>Command would be like below.
>
>tcpdump -i any port 53 -w trace.pcap
>
>You can share trace.pcap with us.
>
>Regards
>Abdul Khader
>
>Ejaz <mejaz at cyberia.net.sa> wrote:
>
>>
>>Thank you.
>>
>>The traffic will go to the router, which is handled by the Network dept. The
>>fear is that the router may crash if we start enabling the packet capture,
>>since it is layer 7.
>>
>>Is it advisable to deny outbound UDP port 0 from the DNS servers, after
>>enabling the firewall?
>>
>>
>>Ejaz
>>
>>-----Original Message-----
>>From: S Carr [mailto:sjcarr at gmail.com]
>>Sent: Wednesday, July 27, 2016 10:51 AM
>>To: Ejaz <mejaz at cyberia.net.sa>
>>Cc: bind-users <bind-users at lists.isc.org>
>>Subject: Re: outgoing-traffic
>>
>>On 27 July 2016 at 08:41, Ejaz <mejaz at cyberia.net.sa> wrote:
>>> Thanks for all.
>>>
>>> But the strange thing is that if the request comes in on port 53 then it
>>> should go out only from 53, shouldn't it? Why does it go out from 0? Any
>>> clue would be highly appreciated.
>>>
>>> Regards
>>> Ejaz
>>
>>Where's the packet capture to review?
>>

------------------------------

Message: 3
Date: Wed, 27 Jul 2016 14:19:10 +0100
From: S Carr <sjcarr at gmail.com>
To: Ejaz <mejaz at cyberia.net.sa>
Cc: bind-users <bind-users at lists.isc.org>
Subject: Re: outgoing-traffic
Message-ID:
	<CALMep05kznfMwhU+sxLQZw_i1TW3v3tnShnAu1MY38tTOxGFdg at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On 27 July 2016 at 13:33, Ejaz <mejaz at cyberia.net.sa> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY
requests for cpsc.gov

No responses I can see are going from port 0; they are coming in on 53
and BIND is responding on a random high port.

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS
for reverse lookups and .99 shows that it is supposedly the system
mail.electro.com.sa (though the forward lookup does not map to the
same as the reverse).

It also looks like you are providing a recursive DNS service for these
IP addresses, in frame 118047 you respond to the client with an
NXDOMAIN response as the query they asked has a random "\r" on it. Are
you meant to be providing recursive DNS for these clients? The random
"\r" looks to me like something has been scripted (albeit poorly) to
run against your systems.

As this is probably one of your customers have you tried contacting
them to find out why their systems are sending all of these requests?
It could be simple misconfiguration or they could have been affected
by some malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide
another layer of filtering and block the requests locally, or ask your
network team to block those IPs, then wait for the customer to shout.
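
The analysis above points at three things worth checking in a resolver's own query log: a handful of sources sending ANY queries over and over, recursion being answered for clients you never meant to serve, and a query name with a stray "\r" in it. The script below is an added example, not code from the thread or from ISC; it runs those three checks over constructed BIND-style query-log lines, and the "networks you mean to serve" (10.0.0.0/8) and the exact log layout are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of a BIND 9 query log (not the capture from the
# thread); the three source addresses are the ones named in the message above.
SAMPLE_LOG = """\
27-Jul-2016 13:33:01.001 client 212.118.122.99#40211 (cpsc.gov): query: cpsc.gov IN ANY + (10.0.0.53)
27-Jul-2016 13:33:01.002 client 212.118.122.100#40212 (cpsc.gov): query: cpsc.gov IN ANY + (10.0.0.53)
27-Jul-2016 13:33:01.003 client 212.118.122.101#40213 (cpsc.gov): query: cpsc.gov IN ANY + (10.0.0.53)
27-Jul-2016 13:33:01.004 client 212.118.122.100#40214 (cpsc.gov): query: cpsc.gov IN ANY + (10.0.0.53)
27-Jul-2016 13:33:01.005 client 212.118.122.101#40215 (cpsc.gov): query: cpsc.gov IN ANY + (10.0.0.53)
27-Jul-2016 13:33:01.006 client 212.118.122.99#40216 (cpsc.gov\\013): query: cpsc.gov\\013 IN ANY + (10.0.0.53)
27-Jul-2016 13:33:01.007 client 10.0.0.5#53021 (www.example.com): query: www.example.com IN A +E (10.0.0.53)
27-Jul-2016 13:33:01.008 client 198.51.100.7#8841 (cyberia.net.sa): query: cyberia.net.sa IN MX -E (10.0.0.53)
"""

# "client <ip>#<port> (<qname>): query: <qname> IN <type> <flags>"; the first flag
# character is "+" when the client asked for recursion (RD set), "-" otherwise.
LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+ \([^)]*\): query: "
                     r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")
# BIND prints non-printable bytes in a name as decimal \DDD escapes (CR is \013).
ESCAPE_RE = re.compile(r"\\\d{3}")

def parse_query_log(text):
    """Yield (client_ip, qname, qtype, recursion_desired) for each query line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["qname"], m["qtype"], m["flags"].startswith("+")

def any_query_sources(text, threshold=2):
    """Source IPs that sent at least `threshold` ANY queries, with their counts."""
    counts = Counter(ip for ip, _, qtype, _ in parse_query_log(text) if qtype == "ANY")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def foreign_recursive_clients(text, allowed_nets):
    """Clients asking for recursion from outside the networks you mean to serve."""
    nets = [ip_network(n) for n in allowed_nets]
    hits = {ip for ip, _, _, rd in parse_query_log(text)
            if rd and not any(ip_address(ip) in net for net in nets)}
    return sorted(hits, key=ip_address)

def malformed_qnames(text):
    """Query names carrying escaped control bytes, like the stray "\\r" noted above."""
    return sorted({q for _, q, _, _ in parse_query_log(text) if ESCAPE_RE.search(q)})

if __name__ == "__main__":  # run the three checks against the constructed sample
    print(any_query_sources(SAMPLE_LOG), foreign_recursive_clients(SAMPLE_LOG, ["10.0.0.0/8"]),
          malformed_qnames(SAMPLE_LOG), sep="\n")
```

Point it at a real `querylog` file (`named` logs these lines under the `queries` category) and raise `threshold` to something meaningful for your query rate.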


------------------------------

Message: 4
Date: Wed, 27 Jul 2016 16:44:52 +0300
From: "Ejaz" <mejaz at cyberia.net.sa>
To: "'S Carr'" <sjcarr at gmail.com>
Cc: "'bind-users'" <bind-users at lists.isc.org>
Subject: RE: outgoing-traffic
Message-ID: <06f101d1e80d$0f7b9030$2e72b090$@cyberia.net.sa>
Content-Type: text/plain;	charset="utf-8"

I really appreciate you sparing such a long time to trace out the problem and
sending such a detailed email.

Is there any other security measure at the DNS level to control such
attacks, instead of blocking the IP either on my Linux machine or on my
network side?

Such as, if someone is sending an ANY request, by default it should be
denied when users request it.


Ejaz 

-----Original Message-----
From: S Carr [mailto:sjcarr at gmail.com] 
Sent: Wednesday, July 27, 2016 4:19 PM
To: Ejaz <mejaz at cyberia.net.sa>
Cc: bind-users <bind-users at lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 13:33, Ejaz <mejaz at cyberia.net.sa> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY requests for
cpsc.gov

No responses I can see are going from port 0, they are coming in on 53 and
BIND is responding on a random high port

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS for
reverse lookups and .99 shows that it is supposedly the system
mail.electro.com.sa (though the forward lookup does not map to the same as
the reverse).

It also looks like you are providing a recursive DNS service for these IP
addresses, in frame 118047 you respond to the client with an NXDOMAIN
response as the query they asked has a random "\r" on it. Are you meant to
be providing recursive DNS for these clients? The random "\r" looks to me
like something has been scripted (albeit poorly) to run against your
systems.

As this is probably one of your customers have you tried contacting them to
find out why their systems are sending all of these requests?
It could be simple misconfiguration or they could have been affected by some
malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide another
layer of filtering and block the requests locally, or ask your network team
to block those IPs, then wait for the customer to shout.



------------------------------

Message: 5
Date: Wed, 27 Jul 2016 14:49:09 +0100
From: Tony Finch <dot at dotat.at>
To: Ejaz <mejaz at cyberia.net.sa>
Cc: 'S Carr' <sjcarr at gmail.com>, 'bind-users'
	<bind-users at lists.isc.org>
Subject: RE: outgoing-traffic
Message-ID: <alpine.DEB.2.11.1607271448080.13539 at grey.csi.cam.ac.uk>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Ejaz <mejaz at cyberia.net.sa> wrote:
>
> Such as, if someone is sending ANY request , by default it should be
> denied when users requests for it..

BIND 9.11 will have a minimal-any option.

https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any

https://lists.isc.org/pipermail/bind-users/2016-July/097226.html

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Southeast Thames, Dover, Wight, Portland, Plymouth, North Biscay: Westerly or
southwesterly 5 or 6. Moderate. Occasional drizzle. Moderate or poor,
occasionally good.


------------------------------

Message: 6
Date: Wed, 27 Jul 2016 16:55:41 +0300
From: "Ejaz" <mejaz at cyberia.net.sa>
To: "'Tony Finch'" <dot at dotat.at>
Cc: "'S Carr'" <sjcarr at gmail.com>,	"'bind-users'"
	<bind-users at lists.isc.org>
Subject: RE: outgoing-traffic
Message-ID: <070d01d1e80e$92b00390$b8100ab0$@cyberia.net.sa>
Content-Type: text/plain; charset="us-ascii"

Hello,

You mean I need to downgrade my bind to 9.11, as my current version is "BIND
9.9.2-P1"?

Ejaz

-----Original Message-----
From: Tony Finch [mailto:dot at dotat.at]
Sent: Wednesday, July 27, 2016 4:49 PM
To: Ejaz <mejaz at cyberia.net.sa>
Cc: 'S Carr' <sjcarr at gmail.com>; 'bind-users' <bind-users at lists.isc.org>
Subject: RE: outgoing-traffic

Ejaz <mejaz at cyberia.net.sa> wrote:
>
> Such as, if someone is sending ANY request , by default it should be
> denied when users requests for it..

BIND 9.11 will have a minimal-any option.

https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any

https://lists.isc.org/pipermail/bind-users/2016-July/097226.html

Tony.
--
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Southeast Thames, Dover, Wight, Portland, Plymouth, North Biscay: Westerly or
southwesterly 5 or 6. Moderate. Occasional drizzle. Moderate or poor,
occasionally good.


------------------------------

Message: 7
Date: Wed, 27 Jul 2016 14:57:34 +0100
From: S Carr <sjcarr at gmail.com>
To: Ejaz <mejaz at cyberia.net.sa>
Cc: bind-users <bind-users at lists.isc.org>
Subject: Re: outgoing-traffic
Message-ID:
	<CALMep04fBzZUGz-FsY+UBGt+MOsVzf0gzY_M8iU4fWWF_4t3_Q at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On 27 July 2016 at 14:44, Ejaz <mejaz at cyberia.net.sa> wrote:
> Such as, if someone is sending ANY request , by default it should be
> denied when users requests for it..

Denying the request isn't going to solve anything in this case: they
are still going to repeatedly ask for it, and the traffic has already
hit your system before ANY queries would be denied.


------------------------------

Subject: Digest Footer

_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

------------------------------

End of bind-users Digest, Vol 2448, Issue 2
*******************************************


