Atomicorp

Security for Everyone
https://forums.atomicorp.com/

..and so he turned his attention to DNS

https://forums.atomicorp.com/viewtopic.php?t=4134

Page 1 of 1

..and so he turned his attention to DNS

Posted: Tue May 11, 2010 6:25 pm
by faris
So I spent the day playing with DNS and in so doing noticed some interesting things appearing in the logs on one of our DNS servers.


Interesting item 1

Take a look at this:

Code: Select all

May 11 23:05:18 dns2 named[16155]: client 88.81.254.216#35370: query (cache) 'GOnredactedWyHOmES.CO.UK/NS/IN' denied
May 11 23:05:18 dns2 named[16155]: client 88.81.254.216#25424: query (cache) 'GOnredactedWyHOmES.CO.uk/MX/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#53622: query (cache) 'gOnredactedWYhOMeS.Co.uK/NS/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#12085: query (cache) 'gOnredactedwYhomES.co.UK/MX/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#22181: query (cache) 'goNredactedwyhoMeS.cO.uK/MX/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#18947: query (cache) 'GONredactedWYHOmEs.CO.Uk/NS/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#65308: query (cache) 'GOnredactedwYhOMes.Co.UK/NS/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#44400: query (cache) 'GonredactedWyHoMEs.CO.Uk/MX/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#44754: query (cache) 'GONredactedwyHOMEs.Co.uk/NS/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#22521: query (cache) 'goNredactedwyhoMES.co.UK/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#51069: query (cache) 'gONredactedwYHOmEs.co.uk/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#27400: query (cache) 'gONredactedWyHOmes.Co.Uk/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#64282: query (cache) 'GOnredactedwYhomES.co.Uk/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#47958: query (cache) 'GoNredactedwyhOmes.co.UK/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#55543: query (cache) 'gOnredactedwyhOMES.Co.Uk/MX/IN' denied
(actual domain name is redacted, just in case)

The domain in question happens not to have any DNS records on our servers, but that's not the issue. Also of only slight interest is that the IP in question is a nameserver in the Ukraine.

What I'm absolutely fascinated about is the strange random distribution of upper and lower case letters. What on earth is that about? What possible gain could there be from doing this to whoever is doing the lookup (and stinks of badness to me)? Domain names are case-insensitive, are they not?


Interesting item 2

Code: Select all

May 11 23:13:18 dns2 named[16155]: client 72.51.107.98#1044: query (cache) 'mx.fakemx.net/A/IN' denied
May 11 23:13:21 dns2 named[16155]: client 187.60.84.211#1039: query (cache) 'tarbaby.junkemailfilter.com/A/IN' denied
I see loads of these in the logs.

Now the above two domains appear in the CNAMEs in the RRs of one or two domains we host. I know they should not be CNAMES ideally but I don't care -- they are useful as they are.

What I'm facinated about here is why our DNS servers are being queried for their A records. The IPs in the examples above smell of dsl connection (one from brazil).

Broken spambot code maybe?

**

Faris.

Re: ..and so he turned his attention to DNS

Posted: Wed May 12, 2010 6:56 am
by faris
Ooh! More interesting things:

Code: Select all

May 12 07:50:56 dns named[26051]: client 85.15.40.198#3340: update 'domain1.com/IN' denied
May 12 11:27:02 dns named[26051]: client 193.0.0.63#59067: zone transfer 'domain2.org/IN' denied
Both domains are hosted on one or other of our servers. The IP addresses in the log entries are nothing to do with us (first one in Iran, the second errr...does not seem to be assigned or something?). So in one case someone is trying to update the domain and in another they are trying to get at all the details with a zone transfer.

Fascinating!

Faris.

Re: ..and so he turned his attention to DNS

Posted: Thu May 13, 2010 11:21 am
by diego
Same here:

Code: Select all

May 13 08:52:03 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'sportdevelopment.org.uk/A/IN' denied
May 13 08:52:11 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mail1.dns.internetgeeks.co.uk/A/IN' denied
May 13 08:52:12 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'nocb-b1.uar.navy.mil/MX/IN' denied
May 13 08:53:29 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mailweb.co.za/A/IN' denied
May 13 08:53:33 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'schobh.hawaii.army.mil/MX/IN' denied
May 13 08:54:09 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'ellie.newsquestdigital.co.uk/A/IN' denied
May 13 08:54:25 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'awm.co.za/MX/IN' denied
May 13 08:54:25 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'ashbourneparkcottages.co.uk/MX/IN' denied
May 13 08:54:28 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'archibald6.freeserve.co.uk/MX/IN' denied
May 13 08:54:29 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'ns7.nic.uk/A/IN' denied
May 13 08:54:30 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'headlandhotel.co.uk/MX/IN' denied
May 13 08:54:32 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'armstrong6382.freeserve.co.uk/MX/IN' denied
May 13 08:54:32 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'familyburns.f9.co.uk/MX/IN' denied
May 13 08:54:33 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'arena-pursuits.co.uk/MX/IN' denied
May 13 08:54:33 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'dover.af.mil/MX/IN' denied
May 13 08:56:05 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mail.1dial.com/A/IN' denied
May 13 08:56:22 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mfwj086.mfw.is.co.za/MX/IN' denied
May 13 08:56:34 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mail.supplyanddemand.com.au/A/IN' denied
May 13 08:57:35 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'seoul.hub-m.com/A/IN' denied
May 13 08:57:40 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'transettlements.com/A/IN' denied
May 13 08:57:43 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'hkgms2.hk.starcont.com/MX/IN' denied
May 13 08:57:44 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'gw01-mail.arwobau.de/MX/IN' denied
What are they trying to do?

Re: ..and so he turned his attention to DNS

Posted: Thu May 13, 2010 11:57 am
by faris
Well, in your case I think it is a different thing. It looks to me like they are just trying to use your DNS server to resolve stuff in general for some reason?

At any rate it is all very strange. I don't see the advantage to the bad guys.
All times are UTC-04:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited