Thanks Fajar. I will handle it further.

Regards
Babu

--- On Wed, 11/1/12, Fajar A. Nugraha <w...@fajar.net> wrote:

From: Fajar A. Nugraha <w...@fajar.net>
Subject: Re: huge count of DNS deny hits
To: "babu dheen" <babudh...@yahoo.co.in>
Cc: bind-users@lists.isc.org
Date: Wednesday, 11 January, 2012, 1:59 PM

On Wed, Jan 11, 2012 at 1:27 PM, babu dheen <babudh...@yahoo.co.in> wrote:
>
> Dear Fajar,
>
> Below logs taken from Internal DNS server running in Microsoft DNS.

Then why did you ask this list instead of contacting MS support?

> I checked with client AV status, everything is fine (system is up to date
> with DAT from McAfee AV and no threat found in the complete scan output).
>
> But really no idea.. why it happens.. Client is pointed to use different DNS
> server but DNS flood query is being sent to another DNS server

AV doesn't catch all threats.

Anyway, from bind's perspective, a dns query asking for bind version
is a valid TXT query. But the query can be used by malware,
vulnerability scanners, or hackers looking for vulnerable bind
versions.

In a way, it's similar to ICMP echo (i.e. ping) packets. It's a valid
packet, but a lot of virus/malware is using it to determine which
neighbour hosts to attack. How do you handle ICMP flood cases? The
same mechanism should be applicable in this case.

--
Fajar
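
Added example, not part of the original thread or of BIND: a defender-side check that picks the version queries discussed above (a TXT query for version.bind in the CHAOS class) out of captured DNS query payloads and lists the clients sending them at or above a threshold. The helper names, the threshold and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

CLASS_CH, TYPE_TXT = 3, 16  # CHAOS class and TXT type codes from the DNS spec

def parse_question(packet: bytes):
    """Return (qname, qtype, qclass) for the first question of a DNS query."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # compression pointers do not belong in a question name
            raise ValueError("unexpected label type")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_version_probe(packet: bytes) -> bool:
    """True only for a CHAOS-class TXT query for version.bind (case-insensitive)."""
    try:
        name, qtype, qclass = parse_question(packet)
    except ValueError:
        return False  # malformed payloads are not counted as probes
    return name == "version.bind" and qtype == TYPE_TXT and qclass == CLASS_CH

def noisy_sources(events, threshold):
    """events: (source_ip, payload) pairs from one capture window."""
    counts = Counter(src for src, pkt in events if is_version_probe(pkt))
    return {src: n for src, n in counts.items() if n >= threshold}

def build_query(name, qtype, qclass, txid=0x1234):
    """Helper that constructs sample query payloads for this example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)

# Constructed sample traffic using documentation addresses (192.0.2.0/24).
SAMPLE = ([("192.0.2.10", build_query("version.bind", TYPE_TXT, CLASS_CH))] * 5
          + [("192.0.2.20", build_query("www.example.com", 1, 1))] * 8
          + [("192.0.2.30", build_query("VERSION.BIND", TYPE_TXT, CLASS_CH))])

if __name__ == "__main__":
    print(noisy_sources(SAMPLE, threshold=3))
```

The sources it reports are the clients to inspect or rate-limit, in the same way as for an ICMP flood.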