..and so he turned his attention to DNS

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1875

So I spent the day playing with DNS and in so doing noticed some interesting things appearing in the logs on one of our DNS servers.

Interesting item 1

Take a look at this:

Code:

May 11 23:05:18 dns2 named[16155]: client 88.81.254.216#35370: query (cache) 'GOnredactedWyHOmES.CO.UK/NS/IN' denied
May 11 23:05:18 dns2 named[16155]: client 88.81.254.216#25424: query (cache) 'GOnredactedWyHOmES.CO.uk/MX/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#53622: query (cache) 'gOnredactedWYhOMeS.Co.uK/NS/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#12085: query (cache) 'gOnredactedwYhomES.co.UK/MX/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#22181: query (cache) 'goNredactedwyhoMeS.cO.uK/MX/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#18947: query (cache) 'GONredactedWYHOmEs.CO.Uk/NS/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#65308: query (cache) 'GOnredactedwYhOMes.Co.UK/NS/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#44400: query (cache) 'GonredactedWyHoMEs.CO.Uk/MX/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#44754: query (cache) 'GONredactedwyHOMEs.Co.uk/NS/IN' denied
May 11 23:05:19 dns2 named[16155]: client 88.81.254.216#22521: query (cache) 'goNredactedwyhoMES.co.UK/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#51069: query (cache) 'gONredactedwYHOmEs.co.uk/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#27400: query (cache) 'gONredactedWyHOmes.Co.Uk/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#64282: query (cache) 'GOnredactedwYhomES.co.Uk/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#47958: query (cache) 'GoNredactedwyhOmes.co.UK/MX/IN' denied
May 11 23:05:22 dns2 named[16155]: client 88.81.254.216#55543: query (cache) 'gOnredactedwyhOMES.Co.Uk/MX/IN' denied

(actual domain name is redacted, just in case)

The domain in question happens not to have any DNS records on our servers, but that's not the issue. Also of only slight interest is that the IP in question is a nameserver in the Ukraine.

What I'm absolutely fascinated about is the strange random distribution of upper and lower case letters. What on earth is that about? What possible gain could there be from doing this to whoever is doing the lookup (and stinks of badness to me)? Domain names are case-insensitive, are they not?

Interesting item 2

Code:

May 11 23:13:18 dns2 named[16155]: client 72.51.107.98#1044: query (cache) 'mx.fakemx.net/A/IN' denied
May 11 23:13:21 dns2 named[16155]: client 187.60.84.211#1039: query (cache) 'tarbaby.junkemailfilter.com/A/IN' denied

I see loads of these in the logs.

Now the above two domains appear in the CNAMEs in the RRs of one or two domains we host. I know they should not be CNAMES ideally but I don't care -- they are useful as they are.

What I'm facinated about here is why our DNS servers are being queried for their A records. The IPs in the examples above smell of dsl connection (one from brazil).

Broken spambot code maybe?

**

Faris.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1875

Ooh! More interesting things:

Code:

May 12 07:50:56 dns named[26051]: client 85.15.40.198#3340: update 'domain1.com/IN' denied
May 12 11:27:02 dns named[26051]: client 193.0.0.63#59067: zone transfer 'domain2.org/IN' denied

Both domains are hosted on one or other of our servers. The IP addresses in the log entries are nothing to do with us (first one in Iran, the second errr...does not seem to be assigned or something?). So in one case someone is trying to update the domain and in another they are trying to get at all the details with a zone transfer.

Fascinating!

Faris.

diego · **Joined:** Tue Aug 05, 2008 5:01 pm **Posts:** 111

Same here:

Code:

May 13 08:52:03 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'sportdevelopment.org.uk/A/IN' denied
May 13 08:52:11 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mail1.dns.internetgeeks.co.uk/A/IN' denied
May 13 08:52:12 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'nocb-b1.uar.navy.mil/MX/IN' denied
May 13 08:53:29 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mailweb.co.za/A/IN' denied
May 13 08:53:33 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'schobh.hawaii.army.mil/MX/IN' denied
May 13 08:54:09 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'ellie.newsquestdigital.co.uk/A/IN' denied
May 13 08:54:25 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'awm.co.za/MX/IN' denied
May 13 08:54:25 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'ashbourneparkcottages.co.uk/MX/IN' denied
May 13 08:54:28 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'archibald6.freeserve.co.uk/MX/IN' denied
May 13 08:54:29 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'ns7.nic.uk/A/IN' denied
May 13 08:54:30 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'headlandhotel.co.uk/MX/IN' denied
May 13 08:54:32 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'armstrong6382.freeserve.co.uk/MX/IN' denied
May 13 08:54:32 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'familyburns.f9.co.uk/MX/IN' denied
May 13 08:54:33 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'arena-pursuits.co.uk/MX/IN' denied
May 13 08:54:33 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'dover.af.mil/MX/IN' denied
May 13 08:56:05 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mail.1dial.com/A/IN' denied
May 13 08:56:22 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mfwj086.mfw.is.co.za/MX/IN' denied
May 13 08:56:34 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'mail.supplyanddemand.com.au/A/IN' denied
May 13 08:57:35 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'seoul.hub-m.com/A/IN' denied
May 13 08:57:40 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'transettlements.com/A/IN' denied
May 13 08:57:43 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'hkgms2.hk.starcont.com/MX/IN' denied
May 13 08:57:44 server1 named[2788]: client 59.167.247.57#1039: query (cache) 'gw01-mail.arwobau.de/MX/IN' denied

What are they trying to do?

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1875

Well, in your case I think it is a different thing. It looks to me like they are just trying to use your DNS server to resolve stuff in general for some reason?

At any rate it is all very strange. I don't see the advantage to the bad guys.

..and so he turned his attention to DNS

Who is online