Thanks all.

No, this IP 212.76.76.18 doesn't belong to us and is not even in the trusted
list of our DNS. After looking at my logs I noticed this IP asked for the domain
mumbai-m.site, which our name server denied, as shown in the logs below.
Whereas our NCSA is claiming that massive malicious requests came from our DNS.
I just want to understand how such a massive attack towards the internet is
possible for denied requests.

 

Thanks in advance for any explanation. 

 

 

 

 

Dec 17 12:21:02 ns10 named[27539]: client @0x7f15305e6c90 212.119.73.60#17378 (67176500004C4C4544004EB007.mumbai-m.site): query: 67176500004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 (128076363500004C4C4544004EB007.mumbai-m.site): query: 128076363500004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 (128076363500004C4C4544004EB007.mumbai-m.site): query (cache) '128076363500004C4C4544004EB007.mumbai-m.site/A/IN' denied

Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 (128076363500004C4C4544004EB007.mumbai-m.site): query failed (REFUSED) for 128076363500004C4C4544004EB007.mumbai-m.site/IN/A at query.c:6896

Dec 17 12:21:32 ns10 named[27539]: client @0x7f15942605b0 212.119.73.60#32691 (5289874000004C4C4544004EB007.mumbai-m.site): query: 5289874000004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:21:32 ns10 named[27539]: client @0x7f15b413f3a0 212.119.73.60#14605 (625322603100004C4C4544004EB007.mumbai-m.site): query: 625322603100004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:22:02 ns10 named[27539]: client @0x7f15aa1e8320 212.119.73.60#50861 (43738300004C4C4544004EB007.mumbai-m.site): query: 43738300004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:22:32 ns10 named[27539]: client @0x7f159427fc30 212.76.76.18#34089 (8129188700004C4C4544004EB007.mumbai-m.site): query: 8129188700004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:22:32 ns10 named[27539]: client @0x7f159427fc30 212.76.76.18#34089 (8129188700004C4C4544004EB007.mumbai-m.site): query (cache) '8129188700004C4C4544004EB007.mumbai-m.site/A/IN' denied

 

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sten 
Carlsen
Sent: Monday, December 18, 2017 8:16 PM
To: bind-users@lists.isc.org
Subject: Re: DNS-Format-Eroor

 

Hi

Don't forget that any traffic may be spam, including the reject messages if
they are directed towards the victim.

I think this is how it works here:

A large number of hosts send requests to your server for some domain. All these
requests have a fake sender IP, 212.76.76.18; this means that all those reject
messages come to that IP even though he never asked a single question himself.

What you should do for the poor guy is to stop any reply going to that address;
probably easier to do in a firewall with a temporary rule.

 

On 18/12/2017 14:54, Mohammed Ejaz wrote:

 

Thank you for the detailed explanation, really appreciated.

We have been asked by our National Cyber Security Center to investigate this,
as they have detected massive malicious requests from our DNS servers, which
are (212.119.64.2 and 212.119.64.3).

The malicious domain is mumbai-m.site, which is linked to a DNS-bot campaign;
this campaign uses DNS tunneling for exchanging messages, transferring files
and executing commands through the DNS protocol.

Malicious IPs are

1.2.3.4

11.24.237.110

46.105.221.247

But when I checked my name server logs, the request comes from a single IP,
212.76.76.18, which asked for this domain, and my server refused their request
since this IP doesn't belong to us, as I have ACLs in place in named.conf.

Now I am a bit confused: since the query gets rejected, how can our National
Cyber Security Center claim that there was massive malicious traffic from our
DNS server to the internet?

Any explanations would be highly appreciated. Thanks in advance.

 

Ejaz 

 

 

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark 
Elkins
Sent: Monday, December 18, 2017 1:58 PM
To: bind-users@lists.isc.org
Subject: Re: DNS-Format-Eroor

 

$ dig mumbai-m.site ns

; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    NS

;; ANSWER SECTION:
MUMBAI-M.site.        3380    IN    NS    win-1ikkrphg9jj.

I seem to have cached only one nameserver, which does not make operational
sense; neither does the name I've cached.

$ dig mumbai-m.site aaaa

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    AAAA

;; AUTHORITY SECTION:
MUMBAI-M.SITE.        3473    IN    SOA    win-1ikkrphg9jj. hostmaster. 4 900 600 86400 3600

 

The zone looks like it's not set up properly; the admin has added dots where
they should not have...

The "win" and serial number of "4" suggest to me that this is a Windows
machine, and as both nameservers are on the same IP, the administrator is in
need of some DNS training...

As for your errors, I'd guess you may run IPv6 but this person doesn't appear
to, as asking for the Quad-A record returns the SOA (you got to the right place
but there is no answer to your question).

In summary: the administrator of MUMBAI-M.SITE has a broken zone configuration.

Doing a "whois MUMBAI-M.SITE", it seems they are hiding behind "whoisguard.com"
to remain anonymous, which suggests they have something to hide. I don't get
the vibe that this domain is owned by a child or someone who needs protection
from the evilness of the Internet...

 

 

On 18/12/2017 11:26, Reindl Harald wrote:

> On 18.12.2017 at 10:16, Mohammed Ejaz wrote:
>> Hello,
>>
>> I have several entries as below in my name server logs. Would anyone
>> please assist me in knowing the exact reason for this?
>>
>> Also this IP 46.105.221.247 is not in my trusted list.
>
> no, but it's the auth-nameserver of that domain operated by another
> fool which thinks the requirement for 2 nameservers is just for fun
>
> i guess you have an inbound mailserver using your nameserver which logs
> the warning...

> 

> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup MUMBAI-M.SITE

> Server:         127.0.0.1

> Address:        127.0.0.1#53

> 

> Non-authoritative answer:

> Name:   MUMBAI-M.SITE

> Address: 46.105.221.247

> 

> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS1.MUMBAI-M.SITE

> Server:         127.0.0.1

> Address:        127.0.0.1#53

> 

> Non-authoritative answer:

> Name:   NS1.MUMBAI-M.site

> Address: 46.105.221.247

> 

> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS2.MUMBAI-M.SITE

> Server:         127.0.0.1

> Address:        127.0.0.1#53

> 

> Non-authoritative answer:

> Name:   NS2.MUMBAI-M.SITE

> Address: 46.105.221.247

> 

>> Dec 17 05:35:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 05:35:40 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no answer
>>

>> Thanks,

>> 

>> Mohammed Ejaz

>> 

>> Asst. Operation Director of Systems.

>> 

>> Cyberia SAUDI ARABIA

>> 

>> P.O.Box: 301079, Riyadh 11372

>> 

>> Phone:  (+966) 11 464 7114 Ext. 140

>> 

>> Mobile:  (+966) 562311787

>> 

>> Fax:      (+966) 11 465 4735

>> 

>> Website:  http://www.cyberia.net.sa

> _______________________________________________

> Please visit  <https://lists.isc.org/mailman/listinfo/bind-users> 
> https://lists.isc.org/mailman/listinfo/bind-users to 

> unsubscribe from this list

> 

> bind-users mailing list

>  <mailto:bind-users@lists.isc.org> bind-users@lists.isc.org

>  <https://lists.isc.org/mailman/listinfo/bind-users> 
> https://lists.isc.org/mailman/listinfo/bind-users

 

--

Mark James ELKINS  -  Posix Systems - (South) Africa

m...@posix.co.za       Tel: +27.128070590  Cell: +27.826010496

For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

 












-- 
Best regards
 
Sten Carlsen
 
No improvements come from shouting:
 
       "MALE BOVINE MANURE!!!" 
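The two things this thread turns on, the reflection Sten describes (many queries carrying a forged source address, so the REFUSED answers land on 212.76.76.18 although that host asked nothing) and the encoded subdomain labels in Ejaz's query log, can both be read straight out of BIND's query log. The script below is an added example for this page, not code from the thread or from ISC. It parses the query-log lines quoted above (re-joined onto single lines, plus one constructed benign lookup from 192.0.2.10 as a control), flags names under the zone whose leftmost label is long and high-entropy, and counts per claimed source address how many answers the server refused. The function names, the thresholds and the control line are assumptions of the example, not anything from the thread.

```python
import math
import re
from collections import Counter, defaultdict

# Sample input, constructed for this example: the query-log lines quoted in the
# thread, re-joined onto single lines (the mail client wrapped them), plus one
# constructed benign lookup from 192.0.2.10 as a control.
SAMPLE_LOG = """\
Dec 17 12:21:02 ns10 named[27539]: client @0x7f15305e6c90 212.119.73.60#17378 (67176500004C4C4544004EB007.mumbai-m.site): query: 67176500004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 (128076363500004C4C4544004EB007.mumbai-m.site): query: 128076363500004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 (128076363500004C4C4544004EB007.mumbai-m.site): query (cache) '128076363500004C4C4544004EB007.mumbai-m.site/A/IN' denied
Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 (128076363500004C4C4544004EB007.mumbai-m.site): query failed (REFUSED) for 128076363500004C4C4544004EB007.mumbai-m.site/IN/A at query.c:6896
Dec 17 12:21:32 ns10 named[27539]: client @0x7f15942605b0 212.119.73.60#32691 (5289874000004C4C4544004EB007.mumbai-m.site): query: 5289874000004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:21:32 ns10 named[27539]: client @0x7f15b413f3a0 212.119.73.60#14605 (625322603100004C4C4544004EB007.mumbai-m.site): query: 625322603100004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:22:02 ns10 named[27539]: client @0x7f15aa1e8320 212.119.73.60#50861 (43738300004C4C4544004EB007.mumbai-m.site): query: 43738300004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:22:32 ns10 named[27539]: client @0x7f159427fc30 212.76.76.18#34089 (8129188700004C4C4544004EB007.mumbai-m.site): query: 8129188700004C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:22:32 ns10 named[27539]: client @0x7f159427fc30 212.76.76.18#34089 (8129188700004C4C4544004EB007.mumbai-m.site): query (cache) '8129188700004C4C4544004EB007.mumbai-m.site/A/IN' denied
Dec 17 12:22:33 ns10 named[27539]: client @0x7f159427fc30 192.0.2.10#40001 (www.example.com): query: www.example.com IN A +E(0)D (212.119.64.2)
"""

# Shape of a BIND query-log line as seen in the thread: the "@0x..." client
# handle is optional because older versions do not print it.
LINE_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#\d+ "
    r"\((?P<qname>[^)]+)\): (?P<rest>.*)$"
)


def parse_querylog(text):
    """Return a list of (client_ip, qname, kind) tuples.

    kind is 'query' for a received question, 'denied' for a query the ACL
    refused (one REFUSED answer was sent to client_ip), 'refused' for the
    matching 'query failed' line, and 'other' for anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("query: "):
            kind = "query"
        elif rest.startswith("query (cache)") and rest.endswith("denied"):
            kind = "denied"
        elif rest.startswith("query failed (REFUSED)"):
            kind = "refused"
        else:
            kind = "other"
        events.append((m.group("ip"), m.group("qname").lower(), kind))
    return events


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_like_names(events, zone, min_label_len=20, min_entropy=2.5):
    """Names under `zone` whose leftmost label is long and high-entropy: the
    shape of data encoded into a query name. Thresholds are assumptions."""
    suffix = "." + zone.lower()
    flagged = set()
    for _ip, qname, kind in events:
        if kind != "query" or not qname.endswith(suffix):
            continue
        label = qname[: -len(suffix)].split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            flagged.add(qname)
    return flagged


def client_summary(events):
    """Per claimed source address: queries seen, answers refused, distinct
    names asked. Only 'denied' is counted, since the 'refused' line is the
    same event logged a second time."""
    stats = defaultdict(lambda: {"queries": 0, "denied": 0, "names": set()})
    for ip, qname, kind in events:
        if kind == "query":
            stats[ip]["queries"] += 1
            stats[ip]["names"].add(qname)
        elif kind == "denied":
            stats[ip]["denied"] += 1
    return {ip: {"queries": s["queries"], "denied": s["denied"],
                 "distinct_names": len(s["names"])} for ip, s in stats.items()}


def reflection_candidates(summary, min_denied=2):
    """Addresses that received at least min_denied REFUSED answers. A UDP
    source address is not authenticated, so a high count for an address that
    never legitimately talks to this server is what a spoofed-source reflection
    looks like from the server side: the answers, not the queries, reach it."""
    return sorted(ip for ip, s in summary.items() if s["denied"] >= min_denied)


if __name__ == "__main__":
    ev = parse_querylog(SAMPLE_LOG)
    summary = client_summary(ev)
    for ip, s in sorted(summary.items()):
        print(ip, s)
    print("tunnel-like names:", sorted(tunnel_like_names(ev, "mumbai-m.site")))
    print("refused answers concentrated on:", reflection_candidates(summary))
```

Run as-is it summarizes the sample; feeding parse_querylog a real query log does the same for a day's traffic. A high denied count for an address that never legitimately talks to the server is the server-side view of the pattern Sten describes, which is why the temporary firewall rule he suggests targets replies to that address rather than queries from it. A REFUSED answer carries no records and is about the size of the question, so there is no amplification in this case, but every one of them is still an unsolicited packet delivered to whoever's address was forged.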
