DNS-Format-Eroor

Mohammed Ejaz mejaz at cyberia.net.sa
Mon Dec 18 13:54:53 UTC 2017 

 

Thank you for the detail explanation really appreciated . 

 

We have asked by our National cyber  Security Center  to investigate  on this, as they have detected massive malicious requests from our DNS servers which are  ( 212.119.64.2 and 212.119.64.3). 

 

Malicious domain is mumbai-m.site which linked to dns-bot campaign, this campaign uses DNS  tunneling for exchanging messages transferring files, executing commands through dns protocol 

 

Malicious IPS are 

1.2.3.4 

11.24.237.110

46.105.221.247

 

but when i checked my name server logs request comes from  single IP 212.76.76.18 asked for this domain and  my server gets refused their  request since this IP doesn't belongs to us as I have ACLs in placed in named.conf. 

 

Now I am bit confused since the query gets  rejected, how come our national cyber security center can claim that there were malicious massive traffic from our DNS server to the internet world. 

 

Any explanations would be highly appreciated.  Thanks in advance. 

 

Ejaz 

 

 

-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Mark Elkins
Sent: Monday, December 18, 2017 1:58 PM
To: bind-users at lists.isc.org
Subject: Re: DNS-Format-Eroor

 

$ dig mumbai-m.site ns

 

; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

 

;; QUESTION SECTION:

;mumbai-m.site.            IN    NS

 

;; ANSWER SECTION:

MUMBAI-M.site.        3380    IN    NS    win-1ikkrphg9jj.

 

I seemed to have cached only one nameserver - which does not make operational sense - neither does the name I've cached.

 

$ dig mumbai-m.site aaaa

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

 

;; QUESTION SECTION:

;mumbai-m.site.            IN    AAAA

 

;; AUTHORITY SECTION:

MUMBAI-M.SITE.        3473    IN    SOA    win-1ikkrphg9jj. hostmaster.

4 900 600 86400 3600

 

The Zone looks like its not set up properly.. the admin has added dots where they should not have...

 

The "win" and Serial No. of "4" suggests to me that this is a windows machine, and as both nameservers are on the same IP, the adminstrator is in need of some DNS training..

 

As for your errors, I'd guess you may run IPv6 but this person doesn't appear to as asking for the Quad-A record returns the SOA (you got to the right place but there is no answer to your question)

 

In summary - the administrator of MUMBAI-M.SITE has a broken zone configuration.

 

Doing a "whois MUMBAI-M.SITE", seems they are hiding behind "whoisguard.com" to remain anonymous - which suggests they have something to hide. I don't get the vibe that this domain is owned by a child or someone who needs protection from the evilness of the Internet...

 

 

On 18/12/2017 11:26, Reindl Harald wrote:

> 

> 

> Am 18.12.2017 um 10:16 schrieb Mohammed Ejaz:

>> Hello,

>> 

>> I have several entries as below  in my  name server logs. Would any 

>> one please assist me to knowing the exact reason of this,

>> 

>> Also this IP 46.105.221.247 not in my trusted list.

> 

> no, but it's the auth-nameserver of that domain operatd by another 

> fool which thinks the requirement for 2 nameservers is just for fun

> 

> i guess you have a inbound mailserver using your nameserver which logs 

> the warning...

> 

> [harry at srv-rhsoft:/mnt/data/downloads]$ nslookup MUMBAI-M.SITE

> Server:         127.0.0.1

> Address:        127.0.0.1#53

> 

> Non-authoritative answer:

> Name:   MUMBAI-M.SITE

> Address: 46.105.221.247

> 

> [harry at srv-rhsoft:/mnt/data/downloads]$ nslookup NS1.MUMBAI-M.SITE

> Server:         127.0.0.1

> Address:        127.0.0.1#53

> 

> Non-authoritative answer:

> Name:   NS1.MUMBAI-M.site

> Address: 46.105.221.247

> 

> [harry at srv-rhsoft:/mnt/data/downloads]$ nslookup NS2.MUMBAI-M.SITE

> Server:         127.0.0.1

> Address:        127.0.0.1#53

> 

> Non-authoritative answer:

> Name:   NS2.MUMBAI-M.SITE

> Address: 46.105.221.247

> 

>> Dec 17 05:35:39 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns1.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 05:35:40 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv

>>                                           ing ns2.mumbai-m.site/AAAA:

>> reply has no answer

>> 

>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns1.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns2.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns1.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns2.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns2.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns1.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns2.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns1.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns1.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns2.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns2.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from

>> 46.105.221.247#53 resolv ing ns1.mumbai-m.site/AAAA: reply has no 

>> answer

>> 

>> Thanks,

>> 

>> Mohammed Ejaz

>> 

>> Asst. Operation Director of Systems.

>> 

>> Cyberia SAUDI ARABIA

>> 

>> P.O.Box: 301079, Riyadh 11372

>> 

>> Phone:  (+966) 11 464 7114 Ext. 140

>> 

>> Mobile:  (+966) 562311787

>> 

>> Fax:      (+966) 11 465 4735

>> 

>> Website:  <http://www.cyberia.net.sa> http://www.cyberia.net.sa

> _______________________________________________

> Please visit  <https://lists.isc.org/mailman/listinfo/bind-users> https://lists.isc.org/mailman/listinfo/bind-users to 

> unsubscribe from this list

> 

> bind-users mailing list

>  <mailto:bind-users at lists.isc.org> bind-users at lists.isc.org

>  <https://lists.isc.org/mailman/listinfo/bind-users> https://lists.isc.org/mailman/listinfo/bind-users

 

--

Mark James ELKINS  -  Posix Systems - (South) Africa

 <mailto:mje at posix.co.za> mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496

For fast, reliable, low cost Internet in ZA:  <https://ftth.posix.co.za> https://ftth.posix.co.za

 

_______________________________________________

Please visit  <https://lists.isc.org/mailman/listinfo/bind-users> https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

 

bind-users mailing list

 <mailto:bind-users at lists.isc.org> bind-users at lists.isc.org

 <https://lists.isc.org/mailman/listinfo/bind-users> https://lists.isc.org/mailman/listinfo/bind-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20171218/d89db8cf/attachment-0001.html>

More information about the bind-users mailing list