Really I appreciate sparing such long time to trace out the problem and sending such detail email.
Is there any other security measure from the DNS level to control such attacks. Instead of blocking IP which is either from my linux machine or from my network side. Such as, if someone is sending ANY request , by default it should be denied when users requests for it.. Ejaz -----Original Message----- From: S Carr [mailto:sjc...@gmail.com] Sent: Wednesday, July 27, 2016 4:19 PM To: Ejaz <me...@cyberia.net.sa> Cc: bind-users <bind-users@lists.isc.org> Subject: Re: outgoing-traffic On 27 July 2016 at 13:33, Ejaz <me...@cyberia.net.sa> wrote: > Thank you so much Abdul for you instant support. > > As requested, Find the attached. So the 3 IPs (212.118.122.99-101) are continuously sending ANY requests for cpsc.gov No responses I can see are going from port 0, they are coming in on 53 and BIND is responding on a random high port The subnet 212.118.122.0/24 appears to be mapped to your company's DNS for reverse lookups and .99 shows that it is supposedly the system mail.electro.com.sa (though the forward lookup does not map to the same as the reverse). It also looks like you are providing a recursive DNS service for these IP addresses, in frame 118047 you respond to the client with an NXDOMAIN response as the query they asked has a random "\r" on it. Are you meant to be providing recursive DNS for these clients? The random "\r" looks to me like something has been scripted (albeit poorly) to run against your systems. As this is probably one of your customers have you tried contacting them to find out why their systems are sending all of these requests? It could be simple misconfiguration or they could have been affected by some malware that's generating DNS noise/attacks. You could look at putting iptables on your Linux box to provide another layer of filtering and block the requests locally, or ask your network team to block those IPs, then wait for the customer to shout. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
