Snort mailing list archives

Re: DNS server keeps communicating with Darkprofits.net and darkprofits.com


From: Ben Nelson <venom () venom600 org>
Date: Mon, 02 Feb 2004 17:43:49 -0700

Marlon.Richards () Windalco com wrote:

> Hi guys. I know this is the SNORT mailing list but I am just wondering
> if I could get some help here.

You're right, you'd be better off asking this on a security mailing list, or better yet...on the BIND mailing list.

> I found that my DNS server is being asked to
> make numerous resolutions of darkprofits.com and darkprofits.net. None of
> my internal clients are making these requests. My Sniffer shows me that the
> requests are being made from outside my network and that my DNS server is
> making a request for this domain to external hosts. Does anyone know where
> this may be coming from and how to stop it?

You probably shouldn't be allowing recursive DNS queries from hosts that you don't control.....just good security best practice. Allow your internal clients the ability to do recursive queries and keep external hosts' queries limited to domains that you are authoritative for. You can do this in BIND with the 'allow-recursion' option. Example:

If your network is 192.168.123.0/24

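In your named.conf file, put something like:

    // Hosts allowed to make recursive queries (the internal network)
    acl recursive-clients { 192.168.123.0/24; };
    options {
        // Recurse only for the ACL above
        allow-recursion { recursive-clients; };
    };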

That oughta' keep external folks from abusing your nameserver.

--Ben
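
Added example (not part of Ben's message, and not BIND's own tooling): a small check to run against your own nameserver from an outside host after applying allow-recursion. It sends one query with the RD bit set and reads the RA bit and RCODE in the reply header; the function names and the sample reply headers are constructed for illustration.

```python
import socket
import struct
import sys

RD, RA, QR = 0x0100, 0x0080, 0x8000  # DNS header flag bits (RFC 1035)
REFUSED = 5                          # RCODE for a refused query

def build_query(name, txid=0x1234, qtype=1):
    """Encode a standard query for `name` with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE A, QCLASS IN

def classify(reply, txid=0x1234):
    """Read the reply header and report whether recursion was offered to us."""
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not (flags & QR):
        return "malformed"
    if (flags & 0x000F) == REFUSED:
        return "refused"
    if flags & RA:
        return "recursion-offered"   # the server will recurse for this client
    return "no-recursion"            # e.g. a referral: RA clear, not refused

def probe(server, name, timeout=3.0):
    """Send one RD query to your own server from the vantage point under test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    return classify(reply)

# Constructed 12-byte reply headers, not captured traffic.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # QR RD RA
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)    # RCODE 5
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0)  # RA clear

if __name__ == "__main__":
    if len(sys.argv) == 3:           # usage: script.py <your-server-ip> <name>
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        for sample in (SAMPLE_OPEN, SAMPLE_REFUSED, SAMPLE_REFERRAL):
            print(classify(sample))
```

Run from inside 192.168.123.0/24 the result should be "recursion-offered"; from an outside host, anything other than "refused", "no-recursion" or "no-reply" means the ACL is not taking effect.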

