nanog mailing list archives

Re: Unusual IN ANY DNS Traffic


From: "Douglas E. Warner" <dwarner () ctinetworks com>
Date: Wed, 11 May 2005 07:44:29 -0400

On Wednesday 11 May 2005 03:57, Simon Waters wrote:
Indeed modern versions of BIND default to high ports for DNS queries as
well unless configured otherwise. I think old versions of BIND and the odd
firewall product were the main thing doing source port 53 queries.

I was going to suggest email servers as a possible cause -- I think
probably you'll have to speak to a customer if it still persists. Make sure
they haven't been owned. Might just have been a spam run or mailshot with
"msn.com" as the reply, and you discovering how many email servers are out
there or similar.


I suspect you're correct; these are probably some DSL customers who have been
"0wn3d" by either a virus or malware and have just been "turned on" to spam
domains at "msn.com".  Unfortunately we don't do protocol graphs on our major
routers or else I would have been able to see a spike of port 25 traffic if
it had existed - we just graph our DNS server query which is why I noticed
the jump.

I assume you're not using something daft like MS DNS server, but a recent
BIND or DJB cache.

Also correct; we're running BIND 9.2.2 and I parse the query logs to see what 
kind of traffic we're getting via the different query types.

-Doug

-- 
Douglas E. Warner    <dwarner () ctinetworks com>     Network Engineer
CTI Networks, Inc.   http://www.ctinetworks.com    +1 717 975 9000
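Parsing BIND query logs by query type and client, as Doug describes doing, and also noting which clients query from source port 53 as Simon's remark suggests: this is an added example, not code from the thread. It assumes the BIND 9 "client IP#port: query: name class type" log line format, and the log lines below are constructed, not taken from the list.

```python
import re
from collections import Counter

# Constructed BIND 9 query-log sample (not from the thread). Newer BIND releases
# append flags such as "+" or "(server-ip)"; the regex simply ignores that tail.
SAMPLE_LOG = """\
11-May-2005 03:57:01.001 client 192.0.2.10#53: query: msn.com IN ANY
11-May-2005 03:57:01.002 client 192.0.2.10#53: query: msn.com IN ANY
11-May-2005 03:57:01.003 client 192.0.2.11#34567: query: msn.com IN ANY
11-May-2005 03:57:01.004 client 192.0.2.12#45678: query: www.example.net IN A
11-May-2005 03:57:01.005 client 192.0.2.10#53: query: mail.example.org IN MX
11-May-2005 03:57:01.006 client 192.0.2.13#51234: query: msn.com. IN ANY +
11-May-2005 03:57:01.007 general: info: zone transfer complete
""".splitlines()

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (client_ip, source_port, qname, qtype) for each query line; skip the rest."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            name = m["name"].lower().rstrip(".")  # normalise trailing dot and case
            yield m["ip"], int(m["port"]), name, m["qtype"].upper()


def summarize(lines, watch_qtype="ANY"):
    """Tally all queries by type; for the watched type, tally client, name and port-53 sources."""
    by_type, by_client, by_name, from_port_53 = Counter(), Counter(), Counter(), Counter()
    for ip, port, name, qtype in parse_query_log(lines):
        by_type[qtype] += 1
        if qtype == watch_qtype:
            by_client[ip] += 1
            by_name[name] += 1
            if port == 53:  # old BIND or firewall-style queries from source port 53
                from_port_53[ip] += 1
    return {"by_type": by_type, "by_client": by_client,
            "by_name": by_name, "from_port_53": from_port_53}


def noisy_clients(summary, threshold):
    """Clients sending more watched-type queries than threshold, most active first."""
    return [(ip, n) for ip, n in summary["by_client"].most_common() if n > threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("queries by type:", dict(s["by_type"]))
    print("ANY names:", dict(s["by_name"]), "clients over threshold:", noisy_clients(s, 1))
```

On a real log, feed `summarize()` the file lines and compare the per-type counts against the baseline graphed from earlier days to see whether the jump is concentrated in a few clients or a single name.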
