On Wed, Jan 11, 2012 at 12:11 PM, babu dheen <babudh...@yahoo.co.in> wrote:
>
> Hi,
>
> I enabled the logs in DNS server and I found below lines from this client 
> continuously..
>
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000005B489B0 UDP Snd <Client IP>    
> 1f23   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Rcv <Client IP>   
> c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000007342360 UDP Snd <Client IP>     
> c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  0000000004D728F0 UDP Rcv <Client IP>   
> a96a   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
>

What log is this? AFAIK a BIND log does not look like this. Is this a firewall log?

> Is it something to do with Multicast DNS?

... and how did you determine that? Wild guess?

> Can you give me more details about Multicast DNS

Try google, although I don't think that's your problem.

It might simply be the case that the client is infected with a
virus/malware which targets a vulnerability in certain versions of bind,
so it'd make sense that it first sends out a DNS query that asks for
the bind version number (e.g.
http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html).

Some things you might be able to do:
- set up a firewall rule that can rate-limit udp packets from any client
(e.g. iptables can do this)
- make sure your bind version is up to date (well, it's true for any
other software)
- configure named.conf not to show its version (use Google or the bind
manual to find out how)

With those three steps in place, it shouldn't matter what queries the
client does, as the system will either ignore it, reply with useless
information, or automatically block it. However, if it still causes
problems (e.g. lots of UDP traffic eats up your bandwidth), then simply
block the client manually.

-- 
Fajar
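
Added example, not part of the original message: a small Python check that reads packet lines in the layout quoted above and reports which clients send repeated version.bind TXT queries within one minute, which helps decide whom to rate-limit or block. The one-record-per-line layout, the function names, the threshold and the sample addresses are assumptions made for this illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout assumed from the quoted log lines, one record per line.
# The client address is assumed to be a single token (it is redacted in the thread).
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?:UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+[0-9a-fA-F]{4}\s+"
    r".*\]\s+(?P<qtype>\S+)\s+(?P<qname>\(\d+\).*)$"
)

def decode_qname(raw):
    """Turn the length-prefixed form '(7)version(4)bind(0)' into 'version.bind'."""
    labels = re.findall(r"\((\d+)\)([^()]*)", raw)
    return ".".join(text for length, text in labels if int(length) > 0).lower()

def parse(line):
    """Return a dict for one packet line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    rec["qname"] = decode_qname(rec["qname"])
    return rec

def version_probes(lines, threshold=3):
    """Map (client, minute) to the number of received version.bind TXT queries,
    keeping only entries that reach the threshold."""
    buckets = Counter()
    for line in lines:
        rec = parse(line)
        if (rec and rec["dir"] == "Rcv" and rec["qtype"] == "TXT"
                and rec["qname"] == "version.bind"):
            buckets[(rec["ip"], rec["ts"].strftime("%Y-%m-%d %H:%M"))] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}

# Constructed sample; the client addresses are documentation-range placeholders.
HEAD = "1/10/2012 9:%s AM 0FDC PACKET  0000000007342360 UDP %s %s   %s   Q [0005 A D   NOERROR] "
VB = "TXT    (7)version(4)bind(0)"
SAMPLE = [
    HEAD % ("14:30", "Rcv", "192.0.2.10", "c63c") + VB,
    HEAD % ("14:30", "Snd", "192.0.2.10", "c63c") + VB,   # reply, not counted
    HEAD % ("14:30", "Rcv", "192.0.2.10", "a96a") + VB,
    HEAD % ("14:31", "Rcv", "192.0.2.10", "1f23") + VB,
    HEAD % ("14:31", "Rcv", "198.51.100.7", "77aa") + "A      (3)www(7)example(3)com(0)",
    HEAD % ("20:02", "Rcv", "192.0.2.10", "0b11") + VB,   # single query, below threshold
]

if __name__ == "__main__":
    for (ip, minute), n in version_probes(SAMPLE).items():
        print(f"{minute} {ip}: {n} version.bind queries")
```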