Re: Script-kiddie / client query (cache) '/MX/IN' denied

Wed, 11 Aug 2010 18:38:31 -0700 

In article <mailman.245.1280910538.15649.bind-us...@lists.isc.org>,
 Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> On 03.08.10 18:01, Denis BUCHER wrote:
> > I have a question, it's not really a big problem, but it's annoying.
> >
> > In the logs I get plenty of lines like :
> >> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
> >> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
> >> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
> >> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 
> >> Time(s)
> >> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 
> >> Time(s)
> >> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
> >> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 
> >> Time(s)
> >> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 
> >> Time(s)
> >> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
> >> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 
> >> Time(s)
> >> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 
> >> Time(s)
> >> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 
> >> Time(s)
> >> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 
> >> Time(s)
> >> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 
> >> Time(s)
> >> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
> >> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
> >
> > This seems to be due to a script-kiddie.
> 
> I don't think so. It may be someone who used your server when connected to
> your network and didn't change resolvers list after, someone who mistyped
> IP address, or someone who guessed that your server might provide recursive
> DNS for him (because of any reason).

Did you notice that the requests are in alphabetical order?  That's a 
strong indication that this is some kind of scan going on.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to