Hi Dan, why should they query you?
Do you run a resolver? If they are querying a wordbook out of your stomach they might send the answers just as well - trying to poison your cache. They are after Google and Googlemail. I guess they want to capture your clients' emails or passwords for their email accounts. Harvesting email accounts for spamming. Maybe they want to capture their browsers as well - tricking people to install ratware. The bot querying need not be the same as the bots sending faked answers.

Kind regards
Peter

Gushi wrote:
> This isn't a request for help so much as a story for anyone else who's
> seeing similar things:
>
> Okay,
>
> I have logwatch set up on my cobalt raq3.
>
> Logwatch is cool. It emails you everything in the logfiles, you define
> great regular expressions as to what's harmless noise, and keep going
> till it's only the critical stuff that you get.
>
> I just got a mail FULL of the following:
>
> client 123.17.150.226 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ALT2.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX2.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX3.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX4.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX5.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.59.189 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
>
> So after I dig around for a bit (no pun intended), I realize.
>
> What I'm looking at is a whole bunch of terribly broken DNS
> implementations. DNS implementations that bypass a host's DNS entry,
> and directly query ME instead of looking something up directly.
>
> All the domains above are A records (address records) that are pointed
> to by MX (mail exchanger) records. I host sites that use those MXes,
> but I don't host (obviously) googlemail.com.
>
> Okay, so I know why this is happening. It's mostly harmless.
>
> My options:
>
> 1) Tune logwatch so I don't get these.
>
> 2) Tune BIND so it doesn't log these hits.
>
> 3) Use this information to feed a real-time blacklist -- it's fairly
> easy to write the parser but from the looks of it, most of these IPs
> are already on RBL's I use (spamhaus PBL, CBL).
>
> 4) Find a way (as recursive as this sounds) to block queries to my DNS
> server, based on this blacklist. I don't think BIND supports such a
> feature.
>
> Any comments?
>
> -Dan

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
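Dan's option 3 is "write the parser" for these denied-query lines and feed the result to a blacklist. The following is an added example of that parser, written for this page and not taken from the thread or from BIND/logwatch: it accepts both the logwatch-condensed form shown above ("denied: N Time(s)") and the raw named.log form ("client 192.0.2.1#1234: query (cache) '...' denied", count 1), folds DNS names to lower case so the mixed-case variants in the digest are counted as one name, and produces a per-client summary plus a threshold-based candidate list. The sample lines, the 192.0.2.0/24 addresses and the threshold value are constructed for the example.

```python
"""Summarise BIND 'query (cache) ... denied' lines from a logwatch digest.

Hypothetical parser written for this example; not part of BIND or logwatch.
"""
import re
from collections import defaultdict

# Matches the raw named.log form ("client 192.0.2.1#1234: query (cache)
# 'x/A/IN' denied") and the logwatch-condensed form from the thread
# ("client 192.0.2.1 query (cache) 'x/A/IN' denied: 3 Time(s)").
LINE_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:#\d+)?:? query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)' denied"
    r"(?::\s*(?P<count>\d+) Time\(s\))?"
)

# Constructed sample input mirroring the digest in the thread (addresses
# are from the 192.0.2.0/24 documentation range, not real clients).
SAMPLE_LINES = [
    "client 192.0.2.10 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)",
    "client 192.0.2.10 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)",
    "client 192.0.2.10 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)",
    "client 192.0.2.10 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)",
    "client 192.0.2.11 query (cache) 'mail.example.net/A/IN' denied: 3 Time(s)",
    # raw named.log form, no logwatch aggregation
    "client 192.0.2.12#41234: query (cache) 'aspmx.l.google.com/A/IN' denied",
    "logwatch noise that should be ignored",
]


def parse_line(line):
    """Return a dict for one denied cache query, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        # DNS names are case-insensitive; fold case so 'GOOGLE.com' and
        # 'GOOGLE.COM' are counted as the same name.
        "name": m.group("name").lower().rstrip("."),
        "rtype": m.group("rtype"),
        # Raw (non-condensed) lines carry no count: treat them as one hit.
        "count": int(m.group("count") or 1),
    }


def summarise(lines):
    """Per-client totals: how many recursive lookups were refused, and for which names."""
    per_client = defaultdict(lambda: {"denied": 0, "names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["ip"]]["denied"] += rec["count"]
        per_client[rec["ip"]]["names"].add(rec["name"])
    return dict(per_client)


def name_tally(lines):
    """How many refused lookups each name attracted, across all clients."""
    tally = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            tally[rec["name"]] += rec["count"]
    return dict(tally)


def blacklist_candidates(summary, min_denied=2):
    """Clients at or above the threshold, sorted, for cross-checking against an RBL."""
    return sorted(ip for ip, e in summary.items() if e["denied"] >= min_denied)


def report(lines, min_denied=2):
    """Human-readable lines: one per client, then the candidate list."""
    summary = summarise(lines)
    out = []
    for ip in sorted(summary):
        e = summary[ip]
        out.append(f"{ip}: {e['denied']} denied, {len(e['names'])} distinct name(s)")
    out.append("candidates: " + ", ".join(blacklist_candidates(summary, min_denied)))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Treat the candidate list as something to review and cross-check against the RBLs Dan mentions rather than as an automatic block feed: these are UDP queries, so the client address in the log is whatever the sender put in the packet, and a list built blindly from it could be made to block a legitimate resolver.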
