DNS-Format-Eroor
Mohammed Ejaz
mejaz at cyberia.net.sa
Mon Dec 18 13:54:53 UTC 2017
Thank you for the detailed explanation, really appreciated.
We have been asked by our National Cyber Security Center to investigate this, as they have detected massive malicious requests from our DNS servers, which are 212.119.64.2 and 212.119.64.3.
The malicious domain is mumbai-m.site, which is linked to a DNS-bot campaign; this campaign uses DNS tunneling for exchanging messages, transferring files and executing commands through the DNS protocol.
Malicious IPs are
1.2.3.4
11.24.237.110
46.105.221.247
But when I checked my name server logs, the request comes from a single IP, 212.76.76.18, which asked for this domain, and my server refused their request since this IP doesn't belong to us, as I have ACLs in place in named.conf.
Now I am a bit confused: since the query gets rejected, how can our national cyber security center claim that there was massive malicious traffic from our DNS server to the Internet?
Any explanations would be highly appreciated. Thanks in advance.
Ejaz
-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Mark Elkins
Sent: Monday, December 18, 2017 1:58 PM
To: bind-users at lists.isc.org
Subject: Re: DNS-Format-Eroor
$ dig mumbai-m.site ns
; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;mumbai-m.site. IN NS
;; ANSWER SECTION:
MUMBAI-M.site. 3380 IN NS win-1ikkrphg9jj.
I seem to have cached only one nameserver, which does not make operational sense; neither does the name I've cached.
$ dig mumbai-m.site aaaa
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mumbai-m.site. IN AAAA
;; AUTHORITY SECTION:
MUMBAI-M.SITE. 3473 IN SOA win-1ikkrphg9jj. hostmaster. 4 900 600 86400 3600
The zone looks like it's not set up properly.. the admin has added dots where they should not have...
The "win" and serial no. of "4" suggest to me that this is a Windows machine, and as both nameservers are on the same IP, the administrator is in need of some DNS training..
As for your errors, I'd guess you may run IPv6 but this person doesn't appear to, as asking for the Quad-A record returns the SOA (you got to the right place, but there is no answer to your question).
In summary: the administrator of MUMBAI-M.SITE has a broken zone configuration.
Doing a "whois MUMBAI-M.SITE", it seems they are hiding behind "whoisguard.com" to remain anonymous, which suggests they have something to hide. I don't get the vibe that this domain is owned by a child or someone who needs protection from the evilness of the Internet...
On 18/12/2017 11:26, Reindl Harald wrote:
>
>
> Am 18.12.2017 um 10:16 schrieb Mohammed Ejaz:
>> Hello,
>>
>> I have several entries as below in my name server logs. Would anyone
>> please assist me in knowing the exact reason for this?
>>
>> Also, this IP 46.105.221.247 is not in my trusted list.
>
> no, but it's the auth-nameserver of that domain, operated by another
> fool who thinks the requirement for 2 nameservers is just for fun
>
> i guess you have an inbound mailserver using your nameserver which logs
> the warning...
>
> [harry at srv-rhsoft:/mnt/data/downloads]$ nslookup MUMBAI-M.SITE
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: MUMBAI-M.SITE
> Address: 46.105.221.247
>
> [harry at srv-rhsoft:/mnt/data/downloads]$ nslookup NS1.MUMBAI-M.SITE
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: NS1.MUMBAI-M.site
> Address: 46.105.221.247
>
> [harry at srv-rhsoft:/mnt/data/downloads]$ nslookup NS2.MUMBAI-M.SITE
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: NS2.MUMBAI-M.SITE
> Address: 46.105.221.247
>
>> Dec 17 05:35:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 05:35:40 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>>
>> Thanks,
>>
>> Mohammed Ejaz
>>
>> Asst. Operation Director of Systems.
>>
>> Cyberia SAUDI ARABIA
>>
>> P.O.Box: 301079, Riyadh 11372
>>
>> Phone: (+966) 11 464 7114 Ext. 140
>>
>> Mobile: (+966) 562311787
>>
>> Fax: (+966) 11 465 4735
>>
>> Website: <http://www.cyberia.net.sa> http://www.cyberia.net.sa
> _______________________________________________
> Please visit <https://lists.isc.org/mailman/listinfo/bind-users> https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> <mailto:bind-users at lists.isc.org> bind-users at lists.isc.org
> <https://lists.isc.org/mailman/listinfo/bind-users> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark James ELKINS - Posix Systems - (South) Africa
<mailto:mje at posix.co.za> mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: <https://ftth.posix.co.za> https://ftth.posix.co.za
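The question in this thread comes down to reading the two directions of traffic apart in the named log, so here is an added triage example (not code from the thread or from BIND): the "DNS format error from X resolving Y" lines are logged by the resolver about a reply it received from an authoritative server, i.e. a query the nameserver itself sent out, whereas ACL refusals are logged about inbound clients. The "query ... denied" lines, their client ports and the sample log are constructed here; the denied-line prefix varies between BIND versions, which the regex tolerates.

```python
import re
from collections import Counter

# Constructed sample named log (not the poster's full log): the "DNS format error"
# lines follow the format quoted in the thread; the "query ... denied" lines use
# BIND's ACL-refusal message format, with constructed client ports.
SAMPLE_LOG = """\
Dec 17 05:35:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
Dec 17 05:35:40 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
Dec 17 09:43:46 ns20 named[1530]: client 212.76.76.18#41234: query (cache) 'mumbai-m.site/A/IN' denied
Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
Dec 17 09:47:41 ns20 named[1530]: client 212.76.76.18#41235: query (cache) 'mumbai-m.site/MX/IN' denied
"""

# Logged by the resolver about a reply it RECEIVED from an authoritative server:
# our nameserver sent that query out to the Internet; an inbound-client ACL does not apply to it.
FORMAT_ERROR = re.compile(
    r"DNS format error from (?P<server>[0-9a-fA-F.:]+)#\d+ resolving "
    r"(?P<qname>[^/\s]+)/(?P<qtype>[A-Z0-9]+): (?P<reason>.*)$")
# Logged when an inbound client query is refused by ACL (newer BIND adds "@0x... (name)").
DENIED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query \(\w+\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied")

def triage(log_text):
    """Return (inbound_refused, outbound_events): Counters keyed by
    (peer_ip, qname) so the two directions of traffic are not conflated."""
    inbound, outbound = Counter(), Counter()
    for line in log_text.splitlines():
        m = FORMAT_ERROR.search(line)
        if m:
            outbound[(m["server"], m["qname"].lower())] += 1
            continue
        m = DENIED.search(line)
        if m:
            inbound[(m["client"], m["qname"].lower())] += 1
    return inbound, outbound

def outbound_for_zone(outbound, zone):
    """Count resolver events whose qname is in `zone` (what an external observer
    would see as queries leaving our server for that domain)."""
    zone = zone.lower().rstrip(".")
    return sum(n for (_, qname), n in outbound.items()
               if qname == zone or qname.endswith("." + zone))

if __name__ == "__main__":
    inbound, outbound = triage(SAMPLE_LOG)
    for (client, qname), n in inbound.items():
        print(f"refused inbound: {client} asked {qname} x{n}")
    for (server, qname), n in outbound.items():
        print(f"our resolver queried {server} for {qname} x{n}")
    print("outbound events for mumbai-m.site:", outbound_for_zone(outbound, "mumbai-m.site"))
```

A non-zero outbound count for the zone means some permitted client or local process (Reindl's mailserver guess) drove the resolver to query the domain's authoritative server, which is the traffic an outside observer attributes to the nameserver's own IP.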