Dear,

We have a caching DNS server, and only certain PTR records (for reverse entry verification purposes) are allowed from the internet. But I am observing suspicious DNS traffic from my BIND caching DNS server towards the IP addresses 67.215.80.15, 67.215.80.13, 207.192.69.4 and 67.227.239.85 on destination ports 1033, 1090, 1743, etc. Since we haven't allowed non-standard ports from our DNS server to public DNS servers, it is dropped at the firewall.

Any idea as to why our company DNS server is contacting external IPs on non-standard ports? Below are the logs taken from the DNS server on one of the destination IP addresses.

############################################################################
client 67.215.80.15#58230: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.215.80.15#18395: view localhost_resolver: query (cache) '86.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.215.80.15#34068: view localhost_resolver: query (cache) '114.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#20915: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#64724: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#16374: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#30391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#17745: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#36163: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#6391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#37586: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#55208: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#40076: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied

Below are the firewall logs:
#########################
action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529
action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53

Regards
Babu
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
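
An added example, not part of the original post and not BIND or ISC code: a small script that lines up the two log formats quoted above by remote address, pairing firewall-denied packets that leave the server from source port 53 with the clients whose queries BIND logged as denied. The function names are hypothetical and the sample input is a subset of the log lines from the post.

```python
import re
from collections import Counter

# Sample input: a subset of the log lines quoted in the post above.
BIND_LOG = """\
client 67.215.80.15#58230: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#64724: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#16374: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
"""
FW_LOG = """\
action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529
action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<type>[^/']+)/(?P<cls>[^/']+)' denied")

def parse_denied(text):
    """Return one dict per BIND 'query (cache) ... denied' line."""
    return [m.groupdict() for m in map(DENIED_RE.search, text.splitlines()) if m]

def parse_firewall(text):
    """Parse key=value firewall lines into dicts (values stay strings)."""
    return [dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
            for line in text.splitlines() if line.strip()]

def correlate(denied, flows):
    """For each firewall-denied flow sent from source port 53 (the DNS service
    port, i.e. the reply direction), report how many denied queries BIND
    logged for the same remote address."""
    per_client = Counter(d["ip"] for d in denied)
    report = []
    for f in flows:
        if f.get("action") == "Deny" and f.get("src_port") == "53":
            report.append({"remote": f["dst"],
                           "remote_port": int(f["dst_port"]),
                           "denied_queries_logged": per_client.get(f["dst"], 0)})
    return report

if __name__ == "__main__":
    for row in correlate(parse_denied(BIND_LOG), parse_firewall(FW_LOG)):
        print(row)
```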