DNS Exploit Attempts?? - DNS



  1. DNS Exploit Attempts??

    Good morning.

    I upgraded our last resolver this morning to the new P1 code and
    turned on "rndc querylog". I am seeing a steady stream of these
    messages with the same IP at a rate of about 100/min.

    Jul 30 11:50:39 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied

    Is this an example of the cache exploit attempt?

    I've already spoken with our INET team about blocking the IP at the
    firewall a couple of days to see if the automated mechanism stops
    because of denied access, or if it continues regardless.

    Thanks,

    Emery Rudolph
    Sr. Systems Analyst
    Office of Information Technology
    University of Maryland University College
    Email: Erudolph@umuc.edu
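    As an added example (not code from this thread or from BIND), a small detector over the two log layouts quoted in the thread: it parses the security-channel `query (cache) '.../ANY/IN' denied` lines and the `rndc querylog` `query: <name> IN ANY +` lines, then reports any client whose refused ANY queries exceed a per-minute threshold (the post reports roughly 100/min from one address). The regexes assume exactly the line layouts shown above, and the sample lines are constructed from the entries quoted in the thread.

```python
import re
from collections import Counter

# Refused recursive lookup on BIND's security channel, in the format quoted in the post:
#   client 194.85.88.199#22941: query (cache) './ANY/IN' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#\d+: query \(cache\) "
    r"'(?P<name>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied"
)
# Answered query logged by "rndc querylog", in the format quoted in the reply:
#   client 149.20.56.10#10053: query: <name> IN ANY +
QUERY_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#\d+: query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
# syslog timestamp, captured only down to the minute for per-minute bucketing
TS_RE = re.compile(r"^(?P<minute>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d):\d\d ")

def parse_line(line):
    """Return {minute, ip, name, qtype, qclass, denied} for a recognised line, else None."""
    ts = TS_RE.match(line)
    if not ts:
        return None
    for regex, denied in ((DENIED_RE, True), (QUERY_RE, False)):
        m = regex.search(line)
        if m:
            rec = m.groupdict()
            rec.update(minute=ts.group("minute"), denied=denied)
            return rec
    return None

def noisy_sources(lines, per_minute=60, qtype="ANY"):
    """Clients with more than `per_minute` refused queries of `qtype` in any one minute."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["denied"] and rec["qtype"] == qtype:
            counts[(rec["ip"], rec["minute"])] += 1
    return sorted((ip, m, n) for (ip, m), n in counts.items() if n > per_minute)

# Constructed sample: three refused './ANY/IN' lookups from one client inside one minute,
# plus one answered ANY query from another (addresses are those quoted in the thread).
SAMPLE = [
    "Jul 30 11:50:39 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied",
    "Jul 30 11:50:40 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#22955: query (cache) './ANY/IN' denied",
    "Jul 30 11:50:41 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#23001: query (cache) './ANY/IN' denied",
    "Jul 30 11:50:41 ns2 named[2780]: client 149.20.56.10#10053: query: not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com IN ANY +",
]
```

    With the constructed sample, `noisy_sources(SAMPLE, per_minute=2)` returns `[("194.85.88.199", "Jul 30 11:50", 3)]`; the answered query from 149.20.56.10 is parsed but never counted because it was not refused.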




  2. Re: DNS Exploit Attempts??

    Terpasaur wrote:

    > Jul 30 11:50:39 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
    >
    > Is this an example of the cache exploit attempt?

    Heh, after I read this I enabled the querylog and sure enough, I had an IP
    address near that one doing the same thing, on both of our servers.

    I did spot another entry in the logs that isn't a concern but odd to me...

    client 149.20.56.10#10053: query: not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com IN ANY +


    The IP address goes back to isc.org, so I'm just wondering if there is a spider
    of sorts running to determine whose name server is running what version or
    something.

    -bruce
    bje@ripco.com


  3. Re: DNS Exploit Attempts??

    Bruce Esquibel writes:

    > client 149.20.56.10#10053: query: not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com IN ANY +
    >
    > The IP address goes back to isc.org, so I'm just wondering if there is a spider
    > of sorts running to determine whose name server is running what version or
    > something.


    Yes, ISC is supporting several DNS spiders who are measuring the population
    of patched vs. unpatched, and measuring for poison injections.
    --
    Paul Vixie

