Security Incidents mailing list archives
Attempted DNS queries.
From: Yotam Rubin <yotam () MAKIF OMER K12 IL>
Date: Sun, 25 Mar 2001 14:17:14 +0200
Hello,

My bind is configured to only reply to queries which refer to the zones which are under my control. I've been receiving a curiously large number of queries to the "." domain from hosts which I have never seen before. A more peculiar thing is that many of the offending hosts run ssh and https alone. Following are the log entries for some of the denied queries:

Mar 19 05:34:18 linux named[24032]: denied query from [216.33.87.10].54947 for "
Mar 19 05:55:42 linux named[24032]: denied query from [216.33.87.10].55501 for "
Mar 19 06:01:25 linux named[24032]: denied query from [216.33.87.10].55639 for "
Mar 19 06:03:06 linux named[24032]: denied query from [216.33.87.10].55692 for "
Mar 19 06:06:11 linux named[24032]: denied query from [216.33.87.9].56046 for ".
Mar 24 19:09:39 linux named[24032]: denied query from [63.209.29.136].20196 for .........

This goes on. I've been able to identify at least nine unique hosts which attempted these queries: 167.8.29.52, 206.251.19.88, 209.67.29.8, 216.33.87.8, 216.33.87.10, 63.209.29.136, 208.185.109.155, 167.8.29.91 and 64.14.77.2.

Results of the portscan against these hosts can be found at: http://192.117.130.34/Fendor/bind-scan-results

Any ideas as to the nature of these queries and the strange pattern which these hosts exhibit?

Regards,
Yotam Rubin
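Added example, not part of the original post: one way to triage "denied query" lines like those above is to group them by source /24, which shows whether the unfamiliar hosts cluster in a few netblocks. The sample log is constructed: sources, ports and timestamps follow the post, the query name "." follows its description, and the year (syslog omits it) and the function name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# BIND syslog line in the format quoted in the post:
#   <month day time> <host> named[pid]: denied query from [ip].port for "name"
DENIED = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: '
    r'denied query from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) for "(?P<name>[^"]*)"'
)

# Constructed sample (see lead-in); the "Cleaned cache" line is unrelated noise.
SAMPLE_LOG = """\
Mar 19 05:34:18 linux named[24032]: denied query from [216.33.87.10].54947 for "."
Mar 19 05:55:42 linux named[24032]: denied query from [216.33.87.10].55501 for "."
Mar 19 06:01:25 linux named[24032]: denied query from [216.33.87.10].55639 for "."
Mar 19 06:02:00 linux named[24032]: Cleaned cache of 12 RRs
Mar 19 06:03:06 linux named[24032]: denied query from [216.33.87.10].55692 for "."
Mar 19 06:06:11 linux named[24032]: denied query from [216.33.87.9].56046 for "."
Mar 24 19:09:39 linux named[24032]: denied query from [63.209.29.136].20196 for "."
"""

def summarize_denied(log_text, year=2001):
    """Return {source /24: hosts, query names, count, first and last seen}."""
    blocks = defaultdict(lambda: {"hosts": set(), "names": set(),
                                  "count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue  # not a denied-query entry
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        net = str(ip_network(m["ip"] + "/24", strict=False))
        b = blocks[net]
        b["hosts"].add(m["ip"])
        b["names"].add(m["name"])
        b["count"] += 1
        b["first"] = ts if b["first"] is None else min(b["first"], ts)
        b["last"] = ts if b["last"] is None else max(b["last"], ts)
    return dict(blocks)

if __name__ == "__main__":
    for net, b in sorted(summarize_denied(SAMPLE_LOG).items()):
        print(f"{net:18} hosts={sorted(b['hosts'])} queries={b['count']} "
              f"names={sorted(b['names'])} {b['first']} .. {b['last']}")
```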