Security Incidents mailing list archives

odd DNS scan


From: Joe Moll <jmoll-lists () MY-MBOX COM>
Date: Tue, 20 Mar 2001 10:16:13 -0800

Has anyone seen a similar scan against their name servers?

Below is a log extraction and an example tcpdump/trace of some strange DNS
queries that have been happening since about 13 March.

I can reproduce with a `dig @nameserver in a .`

I have recursive lookups blocked for off network queries and BIND is
blocking the requests for the lookup of '.' (as you can see below) and for
queries for version.bind, authors...   Any idea what this particular probe
is trying to find?

Incidentally, after a few of these occurred, in conjunction with the other
query I started getting PTR probes to this nameserver for its IP address,
and it is not authoritative for the in-addr.arpa. network where it lives.


Best Regards,
Joe Moll

-- example log entries

Mar 13 17:46:49 yyy named[120] denied query from [aaa.8.29.91].48071 for "."
Mar 13 17:50:53 yyy named[120] denied query from [aaa.8.29.91].48154 for "."
Mar 13 17:51:42 yyy named[120] denied query from [bbb.33.87.8].51783 for "."
Mar 13 17:54:11 yyy named[120] denied query from [ccc.251.19.88].13316 for "."
Mar 13 17:56:49 yyy named[120] denied query from [aaa.8.29.91].48273 for "."
Mar 13 18:07:55 yyy named[120] denied query from [ccc.251.19.88].13802 for "."
Mar 13 18:31:08 yyy named[120] denied query from [ddd.67.29.10].3568 for "."
Mar 13 18:56:19 yyy named[120] denied query from [bbb.33.87.10].9740 for "."
Mar 13 20:10:38 yyy named[120] denied query from [ddd.67.29.10].9093 for "."
Mar 13 20:12:48 yyy named[120] denied query from [bbb.33.87.10].13301 for "."

-- example dump of a specific query.

>17:46:49.146422 aaa.8.29.91.48071 > yyy.domain.com.domain:  0 A? . (17)
>0x0000  4500 002d 0001 0000 3411 f7d8 xx08 1d5b E..-....4......[
>0x0010  xxxx xxxx bbc7 0035 0019 b2d7 0000 0000 .......5........
>0x0020  0001 0000 0000 0000 0000 0100 0192      ..............
>17:46:49.146969 aaa.8.29.91.48071 > yyy.domain.com.domain:  1 A? . (17)
>0x0000  4500 002d 0002 0000 3411 f7d7 xx08 1d5b E..-....4......[
>0x0010  xxxx xxxx bbc7 0035 0019 b2d6 0001 0000 ?z.....5........
>0x0020  0001 0000 0000 0000 0000 0100 0151      .............Q
>17:46:49.147507 aaa.8.29.91.48071 > yyy.domain.com.domain:  2 A? . (17)
>0x0000  4500 002d 0003 0000 3411 f7d6 xx08 1d5b E..-....4......[
>0x0010  xxxx xxxx bbc7 0035 0019 b2d5 0002 0000 ?z.....5........
>0x0020  0001 0000 0000 0000 0000 0100 016c      .............l
>17:46:49.148013 yyy.domain.com.domain > aaa.8.29.91.48071:  0 Refused 0/0/0 (17)
>0x0000  4500 002d 4045 0000 4011 ab94 xxxx xxxx E..-@E..@.......
>0x0010  xx08 1d5b 0035 bbc7 0019 3252 0000 8085 ...[.5....2R....
>0x0020  0001 0000 0000 0000 0000 0100 01        .............
>17:46:49.148583 yyy.domain.com.domain > aaa.8.29.91.48071:  1 Refused 0/0/0 (17)
>0x0000  4500 002d 4046 0000 4011 ab93 xxxx xxxx E..-@F..@.......
>0x0010  xx08 1d5b 0035 bbc7 0019 3251 0001 8085 ...[.5....2Q....
>0x0020  0001 0000 0000 0000 0000 0100 01        .............
>17:46:49.149165 yyy.domain.com.domain > aaa.8.29.91.48071:  2 Refused 0/0/0 (17)
>0x0000  4500 002d 4047 0000 4011 ab92 xxxx xxxx E..-@G..@.......
>0x0010  xx08 1d5b 0035 bbc7 0019 3250 0002 8085 ...[.5....2P....
>0x0020  0001 0000 0000 0000 0000 0100 01        .............


-- later evolved to include query for PTR of nameserver's IP address.

Mar 17 04:51:27 yyy named[120]: denied query from [aaa.8.29.52].38644 for "."
Mar 17 04:52:17 yyy named[120]: denied query from [aaa.8.29.52].38658 for "my.reverse.ip.address.in-addr.arpa"
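To see exactly what the quoted tcpdump records carry, the following is an added example (not part of Joe's post) that walks the first query/reply pair of the hex dump byte by byte: IPv4 header, UDP header, DNS header, question. The address octets masked as "xx" in the post are filled with 0x00, so the addresses it reports are placeholders; every other byte, including the entire DNS payload, is as captured. It also shows why the query records are one byte longer than the IP total length says (0x2d = 45): the trailing 0x92/0x51/0x6c byte lies beyond the IP datagram and is link-layer padding, not DNS data.

```python
"""Decode the query/reply pair from the post's tcpdump hex dump.

Added example, not from the post.  The masked address octets ("xx") are
filled with 0x00, so the IP addresses are placeholders; every other byte,
including the whole DNS payload, is exactly as captured.
"""
import struct

QUERY_HEX = (  # first query, id 0 (the post's 17:46:49.146422 record)
    "4500 002d 0001 0000 3411 f7d8 0008 1d5b"
    "0000 0000 bbc7 0035 0019 b2d7 0000 0000"
    "0001 0000 0000 0000 0000 0100 0192"
)
REPLY_HEX = (  # matching reply, id 0 (the 17:46:49.148013 record)
    "4500 002d 4045 0000 4011 ab94 0000 0000"
    "0008 1d5b 0035 bbc7 0019 3252 0000 8085"
    "0001 0000 0000 0000 0000 0100 01"
)

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {1: "A", 2: "NS", 12: "PTR", 16: "TXT"}


def hexdump_to_bytes(dump):
    return bytes.fromhex(dump.replace(" ", ""))


def parse_name(buf, off):
    """Read a wire-format name at buf[off]; returns (name, next_offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = ((n & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = parse_name(buf, ptr)
            if tail != ".":
                labels.append(tail)
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) if labels else "."), off


def decode_dns_over_udp(raw):
    """Walk IPv4 -> UDP -> DNS header -> first question of one captured datagram."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 17:
        raise ValueError("not UDP")
    # Bytes past the IP total length are link-layer padding, not DNS data.
    trailing = len(raw) - total_len
    payload = raw[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", payload[:6])
    dns = payload[8:ulen]
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = parse_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "sport": sport, "dport": dport, "id": ident,
        "qr": bool(flags >> 15 & 1),          # 0 = query, 1 = response
        "opcode": flags >> 11 & 0xF,
        "rd": bool(flags >> 8 & 1),           # recursion desired
        "ra": bool(flags >> 7 & 1),           # recursion available
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": (qd, an, ns, ar),           # tcpdump prints an/ns/ar as "0/0/0"
        "qname": qname,
        "qtype": QTYPES.get(qtype, str(qtype)),
        "qclass": "IN" if qclass == 1 else str(qclass),
        "trailing_bytes": trailing,
    }


def is_root_a_probe(pkt):
    """The probe in the post: a non-recursive A query for the root name."""
    return (not pkt["qr"] and pkt["qname"] == "." and pkt["qtype"] == "A"
            and pkt["qclass"] == "IN" and not pkt["rd"])


if __name__ == "__main__":
    for label, dump in (("query", QUERY_HEX), ("reply", REPLY_HEX)):
        print(label, decode_dns_over_udp(hexdump_to_bytes(dump)))
    print("root probe:", is_root_a_probe(decode_dns_over_udp(hexdump_to_bytes(QUERY_HEX))))
```

Two things the decode makes visible that the one-line tcpdump summary does not: the query's flags word is 0x0000, so RD is clear and the sender is not asking for recursion at all, and the reply's 0x8085 breaks down as QR set, RA set, RCODE 5 (Refused), which is the `denied query` that BIND logged.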


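The pattern Joe describes, repeated refused queries for "." from a handful of addresses and then a PTR query for the server's own address from one of them, can be pulled straight out of the BIND 8 syslog lines. The following is an added example (not from the post) that parses such lines, including the two wrapped-line shapes seen above, counts root-zone probes per source, groups the sources by /24, and flags any source that queried both "." and the server's own in-addr.arpa name. The log lines and the server address (192.0.2.5) are constructed for the example in the style of the post, using documentation address ranges.

```python
"""Correlate BIND "denied query" log lines: root-zone probes plus a PTR probe
for the server's own address, the sequence described in the post.

Added example, not from the post.  SAMPLE_LOG and SERVER_IP are constructed
in the style of the post's BIND 8 syslog output, with RFC 5737 addresses.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

SAMPLE_LOG = """\
Mar 13 17:46:49 yyy named[120] denied query from [192.0.2.91].48071 for "."
Mar 13 17:50:53 yyy named[120] denied query from [192.0.2.91].48154 for "."
Mar 13 17:51:42 yyy named[120] denied query from [198.51.100.8].51783 for "."
Mar 13 17:54:11 yyy named[120] denied query from [203.0.113.88].13316
for "."
Mar 13 18:56:19 yyy named[120] denied query from [198.51.100.10].9740 for "."
Mar 17 04:51:27 yyy named[120]: denied query from [192.0.2.52].38644 for "."
Mar 17 04:52:17 yyy named[120]: denied query from [192.0.2.52].38658 for
"5.2.0.192.in-addr.arpa"
Mar 17 09:00:00 yyy named[120]: denied query from [203.0.113.7].1053 for "example.com"
"""

SERVER_IP = "192.0.2.5"  # assumed address of the probed nameserver

# BIND 8 wrote both "named[120] denied" and "named[120]: denied"; accept either.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]:? denied query '
    r'from \[(?P<src>[0-9.]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]*)"$'
)


def unwrap(log_text):
    """Rejoin records that a mailer or terminal wrapped before the query name."""
    out = []
    for line in log_text.splitlines():
        if out and (line.startswith('for "') or line.startswith('"')):
            out[-1] += " " + line
        else:
            out.append(line)
    return out


def parse_denied(log_text):
    events = []
    for line in unwrap(log_text):
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(log_text, server_ip):
    """Root-probe counts per source, /24s with several probers, and sources
    that asked for "." and then for this server's own reverse name."""
    own_ptr = ip_address(server_ip).reverse_pointer  # e.g. 5.2.0.192.in-addr.arpa
    root_by_src = defaultdict(int)
    ptr_srcs = set()
    for ev in parse_denied(log_text):
        if ev["qname"] == ".":
            root_by_src[ev["src"]] += 1
        elif ev["qname"].lower() == own_ptr:
            ptr_srcs.add(ev["src"])
    nets = defaultdict(set)
    for src in root_by_src:
        nets[str(ip_network(src + "/24", strict=False))].add(src)
    return {
        "root_probes": dict(root_by_src),
        "root_then_own_ptr": sorted(root_by_src.keys() & ptr_srcs),
        "probe_networks": {n: sorted(s) for n, s in nets.items() if len(s) > 1},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, SERVER_IP).items():
        print(key, value)
```

The /24 grouping is there because the post's sources come in pairs from the same networks (aaa.8.29.91 and aaa.8.29.52, bbb.33.87.8 and bbb.33.87.10); seeing the same prefix return with a different host address is what distinguishes a coordinated sweep from scattered one-off lookups.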