Dear Sir,

For checking the source port randomness of your DNS, please refer to the website tool below:
https://www.dns-oarc.net/oarc/services/dnsentropy

Regards
Manager (Internet-Systems)
MTNL Delhi

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of bind-users-requ...@lists.isc.org
Sent: Wednesday, July 27, 2016 7:28 PM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 2448, Issue 2

Send bind-users mailing list submissions to
	bind-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
	bind-users-requ...@lists.isc.org

You can reach the person managing the list at
	bind-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of bind-users digest..."

Today's Topics:

   1. RE: outgoing-traffic (Abdul Khader)
   2. RE: outgoing-traffic (Abdul Khader)
   3. Re: outgoing-traffic (S Carr)
   4. RE: outgoing-traffic (Ejaz)
   5. RE: outgoing-traffic (Tony Finch)
   6. RE: outgoing-traffic (Ejaz)
   7. Re: outgoing-traffic (S Carr)

----------------------------------------------------------------------

Message: 1
Date: Wed, 27 Jul 2016 16:04:20 +0400
From: Abdul Khader <akha...@ies.etisalat.ae>
To: Ejaz <me...@cyberia.net.sa>, 'S Carr' <sjc...@gmail.com>
Cc: bind-users@lists.isc.org
Subject: RE: outgoing-traffic
Message-ID: <1rbvvxed9l9m1vf2w9ty4v34.1469621060...@email.android.com>
Content-Type: text/plain; charset=utf-8

You can use tcpdump on your DNS server to take the trace. The command would be like below:

tcpdump -i any port 53 -w trace.pcap

You can share trace.pcap with us.

Regards
Abdul Khader

Ejaz <me...@cyberia.net.sa> wrote:
>
> Thank you.
>
> The traffic will go to the router, which is handled by the Network dept. The fear is that the router may crash if we start enabling the packet capture, since it is layer 7.
>
> Is it advisable, if we deny outbound UDP port 0 from the DNS servers, after enabling the firewall?
>
> Ejaz
>
> -----Original Message-----
> From: S Carr [mailto:sjc...@gmail.com]
> Sent: Wednesday, July 27, 2016 10:51 AM
> To: Ejaz <me...@cyberia.net.sa>
> Cc: bind-users <bind-users@lists.isc.org>
> Subject: Re: outgoing-traffic
>
> On 27 July 2016 at 08:41, Ejaz <me...@cyberia.net.sa> wrote:
>> Thanks for all.
>>
>> But the strange thing is that if the request comes in on port 53 then it
>> should go out only from 53, is it? Why does it go out from 0? Any clue would be
>> highly appreciated.
>>
>> Regards
>> Ejaz
>
> Where's the packet capture to review?
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

------------------------------

Message: 2
Date: Wed, 27 Jul 2016 16:51:02 +0400
From: Abdul Khader <akha...@ies.etisalat.ae>
To: Ejaz <me...@cyberia.net.sa>, 'S Carr' <sjc...@gmail.com>
Cc: bind-users@lists.isc.org
Subject: RE: outgoing-traffic
Message-ID: <23iajc73wkjxjadvv3sa0dsa.1469623862...@email.android.com>
Content-Type: text/plain; charset=utf-8

Did not find any attachment.

Ejaz <me...@cyberia.net.sa> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.
>
> Ejaz

------------------------------

Message: 3
Date: Wed, 27 Jul 2016 14:19:10 +0100
From: S Carr <sjc...@gmail.com>
To: Ejaz <me...@cyberia.net.sa>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic
Message-ID: <calmep05kznfmwhu+sxlqzw_i1tw3v3tnshnau1my38ttoxg...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On 27 July 2016 at 13:33, Ejaz <me...@cyberia.net.sa> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY requests for cpsc.gov.

No responses I can see are going from port 0; they are coming in on 53 and BIND is responding on a random high port.

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS for reverse lookups, and .99 shows that it is supposedly the system mail.electro.com.sa (though the forward lookup does not map to the same as the reverse).

It also looks like you are providing a recursive DNS service for these IP addresses; in frame 118047 you respond to the client with an NXDOMAIN response, as the query they asked has a random "\r" on it. Are you meant to be providing recursive DNS for these clients?
The random "\r" looks to me like something has been scripted (albeit poorly) to run against your systems. As this is probably one of your customers, have you tried contacting them to find out why their systems are sending all of these requests? It could be simple misconfiguration, or they could have been affected by some malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide another layer of filtering and block the requests locally, or ask your network team to block those IPs, then wait for the customer to shout.

------------------------------

Message: 4
Date: Wed, 27 Jul 2016 16:44:52 +0300
From: "Ejaz" <me...@cyberia.net.sa>
To: "'S Carr'" <sjc...@gmail.com>
Cc: "'bind-users'" <bind-users@lists.isc.org>
Subject: RE: outgoing-traffic
Message-ID: <06f101d1e80d$0f7b9030$2e72b090$@cyberia.net.sa>
Content-Type: text/plain; charset="utf-8"

I really appreciate you sparing such a long time to trace out the problem and sending such a detailed email.

Is there any other security measure at the DNS level to control such attacks, instead of blocking the IP either from my Linux machine or from my network side? Such as, if someone is sending an ANY request, by default it should be denied when users request it.

Ejaz

------------------------------

Message: 5
Date: Wed, 27 Jul 2016 14:49:09 +0100
From: Tony Finch <d...@dotat.at>
To: Ejaz <me...@cyberia.net.sa>
Cc: 'S Carr' <sjc...@gmail.com>, 'bind-users' <bind-users@lists.isc.org>
Subject: RE: outgoing-traffic
Message-ID: <alpine.deb.2.11.1607271448080.13...@grey.csi.cam.ac.uk>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Ejaz <me...@cyberia.net.sa> wrote:
>
> Such as, if someone is sending an ANY request, by default it should be
> denied when users request it.

BIND 9.11 will have a minimal-any option.

https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
https://lists.isc.org/pipermail/bind-users/2016-July/097226.html

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Southeast Thames, Dover, Wight, Portland, Plymouth, North Biscay: Westerly or southwesterly 5 or 6. Moderate. Occasional drizzle. Moderate or poor, occasionally good.

------------------------------

Message: 6
Date: Wed, 27 Jul 2016 16:55:41 +0300
From: "Ejaz" <me...@cyberia.net.sa>
To: "'Tony Finch'" <d...@dotat.at>
Cc: "'S Carr'" <sjc...@gmail.com>, "'bind-users'" <bind-users@lists.isc.org>
Subject: RE: outgoing-traffic
Message-ID: <070d01d1e80e$92b00390$b8100ab0$@cyberia.net.sa>
Content-Type: text/plain; charset="us-ascii"

Hello,

You mean I need to downgrade my BIND to 9.11, as my current version is "BIND 9.9.2-P1"?

Ejaz

------------------------------

Message: 7
Date: Wed, 27 Jul 2016 14:57:34 +0100
From: S Carr <sjc...@gmail.com>
To: Ejaz <me...@cyberia.net.sa>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic
Message-ID: <calmep04fbzzugz-fsy+ubgt+mosvzf0gzy_m8iu4fwwf_4t...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On 27 July 2016 at 14:44, Ejaz <me...@cyberia.net.sa> wrote:
> Such as, if someone is sending an ANY request, by default it should be denied when users request it.

Denying the request isn't going to solve anything in this case; they are still going to repeatedly ask for it, and the traffic has already hit your system before ANY queries would be denied.

------------------------------

End of bind-users Digest, Vol 2448, Issue 2
*******************************************
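As an added illustration, not part of the digest or of any list member's code: S Carr's analysis (Message 3) and his point that the traffic has already reached the server before a query type can be refused (Message 7) together argue for spotting the pattern in the server's own query log and filtering locally. This Python checker does that over constructed BIND 9 query-log lines: it counts ANY queries per client and flags qnames carrying control characters, which is how the trailing "\r" he saw would appear (BIND writes it as the decimal escape \013). The log lines, the 192.0.2.0/24 addresses that stand in for the customer range, and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND 9 query-log lines (not from the capture discussed on the list);
# 192.0.2.0/24 stands in for the customer range. "cpsc.gov\013" is a qname with a trailing CR.
SAMPLE_LOG = [
    "27-Jul-2016 13:30:01.001 client 192.0.2.99#40123: query: cpsc.gov IN ANY +E (203.0.113.53)",
    "27-Jul-2016 13:30:01.004 client 192.0.2.100#40124: query: cpsc.gov IN ANY +E (203.0.113.53)",
    "27-Jul-2016 13:30:01.007 client 192.0.2.101#40125: query: cpsc.gov\\013 IN ANY +E (203.0.113.53)",
    "27-Jul-2016 13:30:01.010 client 192.0.2.99#40126: query: cpsc.gov IN ANY +E (203.0.113.53)",
    "27-Jul-2016 13:30:02.002 client 192.0.2.10#51000: query: www.example.com IN A +E (203.0.113.53)",
    "27-Jul-2016 13:30:02.500 client 192.0.2.99#40127: query: cpsc.gov IN ANY +E (203.0.113.53)",
]

# 9.9-style "client IP#port: query:" prefix; also tolerates the "@0x..." and
# "(qname)" fields that newer BIND releases insert before the colon.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)
ESCAPE_RE = re.compile(r"\\(\d{3})")  # \DDD escapes in a presentation-format name

def parse_query(line):
    """Return the query fields of one log line, or None for non-query lines."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None

def has_control_chars(name):
    """True if the escaped qname carries an ASCII control byte (\\013 is CR)."""
    return any(int(d) < 32 or int(d) == 127 for d in ESCAPE_RE.findall(name))

def analyse(lines, any_threshold=3):
    """Per-client ANY counts, clients at/over the (assumed) threshold, odd qnames."""
    any_by_client, odd_names = Counter(), defaultdict(set)
    for q in filter(None, map(parse_query, lines)):
        if q["type"] == "ANY":
            any_by_client[q["ip"]] += 1
        if has_control_chars(q["name"]):
            odd_names[q["ip"]].add(q["name"])
    flagged = sorted(ip for ip, n in any_by_client.items() if n >= any_threshold)
    return {"any_counts": dict(any_by_client), "flagged": flagged,
            "odd_names": {ip: sorted(v) for ip, v in odd_names.items()}}

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip in report["flagged"]:
        print(f"{ip}: {report['any_counts'][ip]} ANY queries, candidate for local filtering")
    print("qnames with control characters:", report["odd_names"])
```

On a real server, feed it the file named by BIND's querylog channel and raise any_threshold to suit the log window; the flagged list is what you would hand to iptables or the network team, as S Carr suggests.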