Preventing a particular type of nameserver abuse

Sten Carlsen stenc at s-carlsen.dk
Wed Apr 14 18:21:56 UTC 2021


Thanks

Sten

> On 14 Apr 2021, at 19.47, Carl Byington via bind-users <bind-users at lists.isc.org> wrote:
> 
> Signed PGP part
> On Wed, 2021-04-14 at 12:58 -0400, Paul Kosinski via bind-users wrote:
> > Interesting, although we host different domains, in and from different
> > geographic areas, we got the same queries as yours on the same day,
> > with some at about the same time (we're EDT).
> > 13-Apr-2021 02:19:58.468 security: info: client 76.20.145.58#3074
> > (sl): query (cache) 'sl/ANY/IN' denied
> > 13-Apr-2021 02:19:58.638 security: info: client 76.20.145.58#3074
> > (sl): query (cache) 'sl/ANY/IN' denied
> 
> These times are PDT (-0700)
> 
> Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074
> (sl): view normal: query (cache) 'sl/ANY/IN' denied
> Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074
> (sl): view normal: query (cache) 'sl/ANY/IN' denied
> ....
> Apr 12 23:19:15 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074
> (sl): view normal: query (cache) 'sl/ANY/IN' denied
> 
> So either 76.20.145.58, or someone forging that source ip, made queries
> to servers in (+0000), (-0400), and (-0700) at the same time. Malware
> running on 76.20.145.58 is one explanation. Would the REFUSED replies
> carry enough information from the original query to be used as a covert
> communication channel into something listening on 76.20.145.58?
> 
> vpn over dns query-refused replies? That seems a bit far-fetched.

I wonder if it may be an attempt to keep track of the Internet speed across the world?
If you send off these queries at the same time to different locations, what would the round-trip time tell you?
It would probably be a fair assessment of the speed of the net; it might be a replacement for pings.

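Carl's observation above rests on comparing timestamps from servers logging in three different local zones (+0000, -0400 EDT, -0700 PDT). The script below is an added example, not code from the thread or from ISC: it parses the two BIND "query denied" formats quoted in the thread (the `security` logging channel and `named` via syslog), normalizes each timestamp to UTC using the offset the poster stated for that server, and then correlates denied queries per client and query type to report how many distinct servers saw the same client inside a short window, how many source ports it used, and the total time span. The server labels (`edt-ns`, `pdt-ns`), the 2021 year assumed for syslog lines, the 5-minute window, and the two extra log lines marked as constructed are assumptions introduced for the example; the other lines are the ones quoted above, re-joined where mail wrapping split them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Two BIND "query ... denied" formats as quoted in the thread:
#  - the 'security' logging channel (full date, sub-second timestamp)
#  - named logging via syslog (no year; optional "@0x..." client pointer
#    and optional "view <name>:" prefix)
BIND_CHANNEL = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ security: info: "
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#(?P<port>\d+) \([^)]*\): "
    r"(?:view \S+: )?query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)
SYSLOG = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>\d+\.\d+\.\d+\.\d+)#(?P<port>\d+) \([^)]*\): "
    r"(?:view \S+: )?query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)


def parse_denied(line, utc_offset_hours, server, year=2021):
    """Parse one denied-query log line into a dict carrying a UTC timestamp.

    utc_offset_hours is the offset of the logging server's clock as the poster
    stated it (EDT = -4, PDT = -7, UTC = 0). Syslog lines carry no year, so
    `year` is an assumption supplied by the caller. Returns None for lines
    that are not denied-query events.
    """
    m = BIND_CHANNEL.match(line)
    if m:
        local = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    else:
        m = SYSLOG.match(line)
        if not m:
            return None
        local = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return {
        "utc": local.replace(tzinfo=tz).astimezone(timezone.utc),
        "server": server,
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),
    }


def correlate(events, window=timedelta(minutes=5)):
    """Group events by (client ip, qtype); for each group report the servers
    that saw the client within `window` of its earliest event, the source
    ports it used, and the overall span in seconds."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ip"], e["qtype"])].append(e)
    report = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["utc"])
        first = evs[0]["utc"]
        in_window = [e for e in evs if e["utc"] - first <= window]
        report[key] = {
            "count": len(evs),
            "servers_in_window": sorted({e["server"] for e in in_window}),
            "source_ports": sorted({e["port"] for e in evs}),
            "span_seconds": (evs[-1]["utc"] - first).total_seconds(),
        }
    return report


def flag_multi_server_any(report, min_servers=2):
    """Clients whose refused ANY queries reached at least min_servers servers
    inside the window: the pattern the thread describes."""
    return [k for k, r in report.items()
            if k[1] == "ANY" and len(r["servers_in_window"]) >= min_servers]


# (server label, UTC offset of that server's clock, log line)
SAMPLE = [
    # Paul's server, EDT (-0400); lines quoted in the thread, re-joined
    ("edt-ns", -4, "13-Apr-2021 02:19:58.468 security: info: client 76.20.145.58#3074 (sl): query (cache) 'sl/ANY/IN' denied"),
    ("edt-ns", -4, "13-Apr-2021 02:19:58.638 security: info: client 76.20.145.58#3074 (sl): query (cache) 'sl/ANY/IN' denied"),
    # Carl's server, PDT (-0700); lines quoted in the thread, re-joined
    ("pdt-ns", -7, "Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 (sl): view normal: query (cache) 'sl/ANY/IN' denied"),
    ("pdt-ns", -7, "Apr 12 23:19:15 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 (sl): view normal: query (cache) 'sl/ANY/IN' denied"),
    # Constructed: an ordinary denied recursion request that must not be flagged
    ("pdt-ns", -7, "Apr 12 23:19:20 ns named[5091]: client 203.0.113.9#5353 (example.com): view normal: query (cache) 'example.com/A/IN' denied"),
    # Constructed: an unrelated named line the parser must skip
    ("pdt-ns", -7, "Apr 12 23:19:21 ns named[5091]: zone example.org/IN: loaded serial 2021041201"),
]


def analyze(sample):
    events = [e for server, off, line in sample
              for e in [parse_denied(line, off, server)] if e]
    report = correlate(events)
    return events, report, flag_multi_server_any(report)


if __name__ == "__main__":
    events, report, flagged = analyze(SAMPLE)
    for e in events:
        print(e["utc"].isoformat(), e["server"], e["ip"], e["port"], e["qtype"])
    for key in flagged:
        print("multi-server ANY burst:", key, report[key])
```

Run as-is, the quoted EDT and PDT lines land at 06:18:13 through 06:19:58 UTC on 13 April, a 105-second span across both servers from one client and one source port (3074), which is what makes a single process behind 76.20.145.58 (or a spoofed source) the simpler explanation. Adding the UTC server's lines would only require a third tuple with offset 0.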