Malicious DNS request?

Hi,

In the past few days I noticed the nxdomain statistic in
named.stats keeps increasing. (I run it every 5 min.)

With tcpdump, I found a remote computer keeps asking for
addresses for records like
999d38e693b9e6293b450.0existence.com,
60d38e693b9e6293b450.0be6c1xfa.net.

Is that a virus-affected computer?

How could such requests be filtered, or their effect on the
DNS server minimized?

regards

Joe
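Before the thread moves on to what to do about it, here is one way to confirm what Joe is seeing from the tcpdump output itself. This is an added example, not code from the thread or from any poster: it parses one-line-per-query tcpdump DNS output, scores the leftmost label of each name for length, character entropy and hex-likeness, and reports sources that send many such random-looking names. The sample log lines are constructed (the two names from Joe's mail plus made-up ones of the same shape), and the 203.0.113.0/24 and 192.0.2.0/24 addresses are documentation ranges, not real hosts; the thresholds are assumptions to tune against your own traffic.

```python
"""Flag sources that hit a resolver with random-looking subdomain labels.

Added example, not part of the original thread. Input mimics the output of
`tcpdump -n port 53`; sample lines are constructed, addresses are
documentation ranges, and the thresholds are assumptions, not measured values.
"""
import math
import re
from collections import defaultdict

# Matches lines such as:
# 12:41:03.100000 IP 203.0.113.7.51234 > 192.0.2.53.53: 4321+ A? label.example.com. (47)
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>[^ ]+)\."
)

# Constructed sample: one noisy source, one ordinary client.
SAMPLE_LOG = """\
12:41:03.100000 IP 203.0.113.7.51234 > 192.0.2.53.53: 4321+ A? 999d38e693b9e6293b450.0existence.com. (47)
12:41:03.200000 IP 203.0.113.7.51235 > 192.0.2.53.53: 4322+ A? 60d38e693b9e6293b450.0be6c1xfa.net. (46)
12:41:03.300000 IP 203.0.113.7.51236 > 192.0.2.53.53: 4323+ A? a1f0c9e2b7d4e6f8a2c1.0existence.com. (47)
12:41:03.400000 IP 203.0.113.7.51237 > 192.0.2.53.53: 4324+ A? 7c3e9a1b2d4f6e8a0b1c.0be6c1xfa.net. (46)
12:41:03.500000 IP 203.0.113.7.51238 > 192.0.2.53.53: 4325+ A? 0f1e2d3c4b5a69788796.0existence.com. (47)
12:41:04.000000 IP 203.0.113.9.40001 > 192.0.2.53.53: 1001+ A? www.example.org. (33)
12:41:04.100000 IP 203.0.113.9.40002 > 192.0.2.53.53: 1002+ MX? example.org. (29)
12:41:04.200000 IP 203.0.113.9.40003 > 192.0.2.53.53: 1003+ A? mail.example.org. (34)
"""


def shannon_entropy(s):
    """Bits of entropy per character over the characters of s."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, min_len=12, min_entropy=2.5, min_hexish=0.8):
    """Heuristic: long label, high entropy, and mostly hex digits.

    Ordinary hostnames (www, mail, ns1) fail the length test; a dictionary word
    long enough to pass it usually fails the hex-fraction test.
    """
    if len(label) < min_len:
        return False
    hexish = sum(ch in "0123456789abcdef" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and hexish >= min_hexish


def parse_queries(text):
    """Yield (source address, query name) for each matching tcpdump line."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").lower()


def suspicious_sources(text, min_queries=3):
    """Return {src: {parent_domain: count}} for sources whose random-looking
    query names add up to at least min_queries."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, qname in parse_queries(text):
        labels = qname.split(".")
        if len(labels) < 3:          # need at least label.domain.tld
            continue
        leftmost, parent = labels[0], ".".join(labels[1:])
        if looks_random(leftmost):
            per_src[src][parent] += 1
    return {src: dict(parents) for src, parents in per_src.items()
            if sum(parents.values()) >= min_queries}


if __name__ == "__main__":
    for src, parents in suspicious_sources(SAMPLE_LOG).items():
        print(src, parents)
```

On the constructed sample only 203.0.113.7 is reported, with three names under 0existence.com and two under 0be6c1xfa.net; the ordinary client asking for www, mail and the MX of example.org is not. A report like this is evidence for the filtering decision, not the filter itself: the later replies in the thread argue that who is asking (inside or outside your address space) and what they are asking for (a zone you hold or not) should decide whether the query is answered at all.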

Joe Shen wrote:

> Hi,
>
> In the past few days I noticed the nxdomain statistic in
> named.stats keeps increasing. (I run it every 5 min.)
>
> With tcpdump, I found a remote computer keeps asking for
> addresses for records like
> 999d38e693b9e6293b450.0existence.com,
> 60d38e693b9e6293b450.0be6c1xfa.net.
>
> Is that a virus-affected computer?
>
> How could such requests be filtered, or their effect on the
> DNS server minimized?

Either this is a DDoS (woohoo!! I used the forbidden word) or you are
seeing a botnet trying to connect and putting in some smoke-screen while
at it to try and poison dns-top.

I'd suggest dropping requests for domains you don't hold.

  Gadi.

Sure looks like some kind of mass-mailer trojan, or an affiliate-program
based spam sending software like Atriks.

These two domains you quoted have rather interesting whois records,
particularly 0existence.com ..

Domain Name.......... 0existence.com
Creation Date........ 2004-10-23
Registration Date.... 2004-10-23
Expiry Date.......... 2009-10-23
Organisation Name.... William Peter
Organisation Address. 52 THIRD AVENUE
Organisation Address.
Organisation Address. Woonsocket
Organisation Address. 02895
Organisation Address. RI
Organisation Address. UNITED STATES

Admin Name........... William Peter
Admin Address........ 52 THIRD AVENUE
Admin Address........
Admin Address........ Woonsocket
Admin Address........ 02895
Admin Address........ RI
Admin Address........ UNITED STATES
Admin Email.......... doi.looklikeafucktardtoyou@0existence.com
Admin Phone.......... +1.4067672231
Admin Fax............

Tech Name............ Existence Corporation
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... doi.looklikeafucktardtoyou@0existence.com
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010

At 12:41 PM +0400 2005-05-12, Gadi Evron quoted Joe Shen:

>> How could such requests be filtered, or their effect on the
>> DNS server minimized?
>
> Either this is a DDoS (woohoo!! I used the forbidden word) or you are
> seeing a botnet trying to connect and putting in some smoke-screen while
> at it to try and poison dns-top.
>
> I'd suggest dropping requests for domains you don't hold.

  That's kind of hard to do if you're running a recursive/caching nameserver.

Well.. are you running a recursive/caching nameserver for everybody on the
internet to use, or only for your customers? If the request isn't from
inside your address space, and it's a "recursion requested" for a zone you
don't hold, maybe they're asking the wrong DNS server.

(And yes, I know that if you have a roaming user who's outside your address
space but has hard-coded your DNS IP's in their resolv.conf, it gets trickier.
The right answer here depends on your customer base.)

It's often suggested that you have *two* DNS setups - one that only answers
requests from inside for recursion and caching, and an authoritative one that
faces out and refuses to recurse. The inside one will cache the outside one
fast enough in most environments. (No, this doesn't stop all the possible DNS
malfeasance, but it certainly raises the bar a good chunk...)
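The policy in the two preceding paragraphs can be stated precisely: a query for a zone you hold is answered for anyone, a recursive query from inside your own address space is served, and anything else is refused. The following is an added example, not from the thread and not BIND's own logic; it models that decision in plain Python so the cases (including the roaming-user caveat, handled here as an explicit allowlist) can be checked. The address ranges, zone names and client addresses are constructed placeholders.

```python
"""Model of the split-resolver policy from the thread.

Added example, not part of the original thread and not BIND's implementation.
Networks, zones and the trusted-client list are constructed placeholders.
"""
import ipaddress

# Your own address space: the only clients who get recursion.
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),     # constructed: documentation range
    ipaddress.ip_network("2001:db8::/32"),    # constructed: documentation range
]
# Roaming users who hard-coded your resolver; the trade-off the thread mentions.
TRUSTED_CLIENTS = {ipaddress.ip_address("198.51.100.42")}   # constructed
# Zones this server is authoritative for: answered for anyone.
AUTHORITATIVE_ZONES = {"example.net", "example.org"}         # constructed

AUTHORITATIVE = "AUTHORITATIVE"   # we hold the zone: answer anyone
RECURSE = "RECURSE"               # our client, recursion desired: resolve it
CACHE_ONLY = "CACHE_ONLY"         # our client, no recursion asked: cache only
REFUSED = "REFUSED"               # outsider asking about a zone we don't hold


def in_held_zone(qname, zones=AUTHORITATIVE_ZONES):
    """True if qname is one of our zones or a name underneath one of them."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def is_our_client(src, nets=INTERNAL_NETS, trusted=TRUSTED_CLIENTS):
    """True if the source sits in our address space or on the roaming allowlist."""
    addr = ipaddress.ip_address(src)
    return addr in trusted or any(addr in net for net in nets)


def decide(src, qname, recursion_desired):
    """Apply the policy to one query and return one of the four outcomes."""
    if in_held_zone(qname):
        return AUTHORITATIVE
    if is_our_client(src):
        return RECURSE if recursion_desired else CACHE_ONLY
    return REFUSED


def evaluate(queries):
    """Run the policy over (src, qname, rd) triples; returns a list of outcomes."""
    return [decide(src, qname, rd) for src, qname, rd in queries]


# Constructed sample queries: the random names from the thread, asked from
# outside, alongside legitimate traffic from inside and for a held zone.
SAMPLE_QUERIES = [
    ("203.0.113.7", "999d38e693b9e6293b450.0existence.com", True),   # outsider
    ("203.0.113.7", "60d38e693b9e6293b450.0be6c1xfa.net", True),     # outsider
    ("203.0.113.7", "www.example.net", True),                        # held zone
    ("192.0.2.10", "www.0existence.com", True),                      # our client
    ("192.0.2.10", "www.0existence.com", False),                     # RD=0
    ("198.51.100.42", "www.0existence.com", True),                   # roaming user
]

if __name__ == "__main__":
    for query, outcome in zip(SAMPLE_QUERIES, evaluate(SAMPLE_QUERIES)):
        print(f"{query[0]:>15} {query[1]:<40} rd={int(query[2])} -> {outcome}")
```

In BIND the same split is expressed with `allow-recursion` limited to your own networks on the inside-facing server (or view) and `recursion no` on the outside-facing authoritative one; the allowlist is the knob you widen for roaming users, and every address you add to it is an address that can use your resolver to look up names you do not hold.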

The original question from Joe Shen said that a remote computer was asking questions about certain servers, but did not specify whether or not the "remote computer" in question was a customer. Gadi's response was to refuse to answer requests for domains that you don't own, which didn't address the issue of whether or not the "remote computer" was a customer, or what kind of server that Joe was running.

  Your answer is the complete and correct one, at least for the technical issue of how you should be running your nameservers so that you avoid external abuse and reduce the probability of having your DNS servers compromised.

  It's taken us a while to get to this correct and complete answer, however.

Tunneling IP over DNS - Dan Kaminsky's ozymandns project.

One source of really strange DNS packets I've seen is Dan Kaminsky's
experiments with tunneling IP over DNS, which he presented at
Codecon, Defcon, and other places. Dan has often done Really Twisted
Things With Packets, and once you've already tunneled IP through HTTP,
it's time to do something a bit more aggressive. His first
implementations were relatively straightforward, good enough for using
SSH and email from the DNS servers on random wireless access points
without needing to log in, but they weren't really high performance.
The work he demonstrated at Codecon 2005 was able to do
high-performance streaming video over DNS, which required spreading
the data stream over tens of thousands of DNS servers. It was quite
impressive, in a this-is-seriously-wrong kind of way.

Perhaps somebody's running something like that somewhere near you.