-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Wed, 2021-04-14 at 12:58 -0400, Paul Kosinski via bind-users wrote:
> Interesting, although we host different domains, in and from different
> geographic areas, we got the same queries as yours on the same day,
> with some at about the same time (we're EDT).
>
> 13-Apr-2021 02:19:58.468 security: info: client 76.20.145.58#3074
> (sl): query (cache) 'sl/ANY/IN' denied
> 13-Apr-2021 02:19:58.638 security: info: client 76.20.145.58#3074
> (sl): query (cache) 'sl/ANY/IN' denied

These times are PDT (-0700):

Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 (sl): view normal: query (cache) 'sl/ANY/IN' denied
Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 (sl): view normal: query (cache) 'sl/ANY/IN' denied
....
Apr 12 23:19:15 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 (sl): view normal: query (cache) 'sl/ANY/IN' denied

So either 76.20.145.58, or someone forging that source IP, made queries to servers in (+0000), (-0400), and (-0700) at the same time. Malware running on 76.20.145.58 is one explanation.

Would the REFUSED replies carry enough information from the original query to be used as a covert communication channel into something listening on 76.20.145.58? VPN over DNS query-refused replies? That seems a bit far-fetched.

-----BEGIN PGP SIGNATURE-----

iHMEAREKADMWIQSuFMepaSkjWnTxQ5QvqPuaKVMWwQUCYHcqsRUcY2FybEBmaXZl
LXRlbi1zZy5jb20ACgkQL6j7milTFsEvgACgh6muAlNI6qk99Rd9sLaSp29IESQA
njJo7E3ajD0Yw/ja7VOStNhgkxDd
=tlQQ
-----END PGP SIGNATURE-----
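One way to check the observation made in this thread (one client address reaching resolvers in different regions at the same moment) against one's own logs, as an added example that is not code from either poster or from ISC: parse both log shapes quoted above, normalise each server's local timestamps to UTC using its stated offset, and report clients whose denied queries reached more than one server within a few minutes. The server labels, the choice of 2021 for the year-less syslog lines (the thread is dated April 2021), the five-minute window, and the benign 198.51.100.7 line are constructed assumptions; the 76.20.145.58 lines are the ones quoted in the thread, and the (+0000) server mentioned in the reply is left out because no lines from it are quoted.

```python
"""Correlate BIND 'query (cache) ... denied' events from several servers by client address.

Added example for this thread, not code from the list posters or from ISC.
Server labels, UTC offsets, the assumed year and the 198.51.100.7 line are
assumptions; the 76.20.145.58 lines are the ones quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Shared tail of both log shapes:
#   "client [@0x...] IP#PORT (qname): [view X:] query (cache) 'name/type/class' denied"
_TAIL = (r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
         r"\((?P<qname>[^)]*)\): (?:view \S+: )?query \(cache\) '(?P<q>[^']+)' denied")
# BIND's own logfile format: "13-Apr-2021 02:19:58.468 security: info: client ..."
BIND_RE = re.compile(r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)? .*?" + _TAIL)
# syslog format: "Apr 12 23:18:13 ns named[5091]: client ..." (no year in the timestamp)
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: " + _TAIL)


def parse_line(line, server, utc_offset_hours, year):
    """Parse one denied-query line into a UTC-normalised event, or None if it does not match."""
    m = BIND_RE.match(line)
    if m:
        local = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    else:
        m = SYSLOG_RE.match(line)
        if m is None:
            return None
        # syslog timestamps carry no year, so the caller supplies one.
        local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    # Each server logs in its own local zone; attach that zone and convert to UTC
    # so events from servers in different regions can be compared directly.
    local = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return {"server": server, "utc": local.astimezone(timezone.utc),
            "client": m["ip"], "port": int(m["port"]), "query": m["q"]}


def correlate(events, window=timedelta(minutes=5), min_servers=2):
    """Return clients whose denied queries reached >= min_servers distinct servers within `window`."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    hits = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["utc"])
        for i, first in enumerate(evs):
            # Sliding window anchored at this event: which servers did the client reach?
            seen = {first["server"]}
            last = first["utc"]
            for later in evs[i + 1:]:
                if later["utc"] - first["utc"] > window:
                    break
                seen.add(later["server"])
                last = later["utc"]
            if len(seen) >= min_servers:
                hits[client] = {
                    "servers": sorted(seen),
                    "first_utc": first["utc"].isoformat(),
                    "span_seconds": (last - first["utc"]).total_seconds(),
                    # Identical source ports across servers are worth noting in the report.
                    "ports": sorted({e["port"] for e in evs}),
                    "queries": sorted({e["query"] for e in evs}),
                }
                break
    return hits


# (server label, UTC offset in hours, year assumed for syslog timestamps, log lines)
SAMPLE_SOURCES = [
    ("paul-ns", -4, 2021, [  # EDT, BIND logfile format, quoted from the thread
        "13-Apr-2021 02:19:58.468 security: info: client 76.20.145.58#3074 (sl): query (cache) 'sl/ANY/IN' denied",
        "13-Apr-2021 02:19:58.638 security: info: client 76.20.145.58#3074 (sl): query (cache) 'sl/ANY/IN' denied",
    ]),
    ("carl-ns", -7, 2021, [  # PDT, syslog format, quoted from the thread; last line is constructed benign noise
        "Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 (sl): view normal: query (cache) 'sl/ANY/IN' denied",
        "Apr 12 23:18:13 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 (sl): view normal: query (cache) 'sl/ANY/IN' denied",
        "Apr 12 23:19:15 ns named[5091]: client @0x7fda540105b8 76.20.145.58#3074 (sl): view normal: query (cache) 'sl/ANY/IN' denied",
        "Apr 12 23:40:02 ns named[5091]: client @0x7fda54010000 198.51.100.7#53211 (example.test): view normal: query (cache) 'example.test/A/IN' denied",
    ]),
]


def analyze(sources=SAMPLE_SOURCES):
    """Parse every source and return the multi-server correlation report."""
    events = []
    for server, offset, year, lines in sources:
        for line in lines:
            ev = parse_line(line, server, offset, year)
            if ev is not None:
                events.append(ev)
    return correlate(events)


if __name__ == "__main__":
    for client, info in analyze().items():
        print(client, info)
```

Run against the quoted lines, the report shows 76.20.145.58 reaching both servers within 105 seconds once the EDT and PDT timestamps are brought to UTC (06:18:13 to 06:19:58), from the same source port 3074 each time, while the single-server client is not reported.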