Snort mailing list archives
Re: DNS server keeps communicating with Darkprofits.net and darkprofits.com
From: Ben Nelson <venom () venom600 org>
Date: Mon, 02 Feb 2004 17:43:49 -0700
Marlon.Richards () Windalco com wrote:
> Hi guys. I know this is the SNORT mailing list but I am just wondering
> if I could get some help here.

You're right, you'd be better off asking this on a security mailing list, or better yet...on the BIND mailing list.
> I found that my DNS server is being asked to make numerous resolutions
> of darkprofits.com and darkprofits.net. None of my internal clients are
> making these requests. My Sniffer shows me that the requests are being
> made from outside my network and that my DNS server is making a request
> for this domain to external hosts. Does anyone know where this may be
> coming from and how to stop it?

You probably shouldn't be allowing recursive DNS queries from hosts that you don't control.....just good security best practice. Allow your internal clients the ability to do recursive queries and keep external hosts' queries limited to domains that you are authoritative for. You can do this in BIND with the 'allow-recursion' option. Example:
If your network is 192.168.123.0/24

In your named.conf file, put something like:

    acl recursive-clients {
        192.168.123.0/24;
    };

    options {
        allow-recursion { recursive-clients; };
    };

That oughta' keep external folks from abusing your nameserver.

--Ben
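Added example, not part of the original message or of BIND: a log triage script that applies the same policy as the allow-recursion ACL above to a BIND query log, so you can see which outside hosts are asking for recursion before and after the change. It assumes a BIND 9 query log that records the +/- recursion flag; the zone name and all log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed values: the ACL network from the reply, and a hypothetical zone we serve.
RECURSIVE_CLIENTS = [ipaddress.ip_network("192.168.123.0/24")]
AUTHORITATIVE_ZONES = ["example.org"]

# BIND 9 querylog style: "client [@0x..] IP#port [(name)]: query: name CLASS TYPE flags"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) \S+ \S+ (?P<flags>[+-]\S*)"
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RECURSIVE_CLIENTS)

def in_our_zones(name):
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def external_recursion(lines):
    """Count (client, qname) pairs where a host outside the ACL asked for
    recursion (RD set, logged as '+') on a name we are not authoritative for."""
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or not m["flags"].startswith("+"):
            continue  # not a query line, or recursion was not requested
        if is_internal(m["ip"]) or in_our_zones(m["name"]):
            continue  # allowed by the ACL, or a name we answer for anyway
        hits[(m["ip"], m["name"].rstrip(".").lower())] += 1
    return hits

# Constructed sample log lines using documentation addresses, not from the thread.
SAMPLE_LOG = """\
02-Feb-2004 17:01:10.100 client 203.0.113.7#4021: query: darkprofits.com IN A +
02-Feb-2004 17:01:10.300 client 203.0.113.7#4022: query: darkprofits.net IN A +
02-Feb-2004 17:01:11.000 client 192.168.123.40#1055: query: www.example.com IN A +
02-Feb-2004 17:01:12.500 client 198.51.100.9#53: query: www.example.org IN A -
02-Feb-2004 17:01:13.200 client 203.0.113.7#4023: query: DarkProfits.com IN A +
""".splitlines()

if __name__ == "__main__":
    for (ip, name), n in external_recursion(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip:15s}  {name}")
```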