  1. #1
    Just Joined!
    Join Date
    Mar 2010
    Posts
    2

    Bind server hacked not sure?


    As of a couple of days ago our bind server is sending tons of dns lookups to this IP address 192.5.6.30. All of our outbound traffic goes through a Cisco ASA botnet filter. The botnet filter identified this as a malware site. I can't determine that; it's registered to VeriSign Global Registry Services and it's not showing up on any spam databases.

    So why is my bind server hammering this one IP address with dns lookups?

  2. #2
    Linux Engineer
    Join Date
    Mar 2005
    Location
    Where my hat is
    Posts
    766
    LOL! That IP address points to the top level domain servers.

    canonical name a.gtld-servers.net.
    aliases
    addresses 192.5.6.30
    Domain Whois record

    Queried whois.internic.net with "dom gtld-servers.net"...

    Domain Name: GTLD-SERVERS.NET
    Registrar: NETWORK SOLUTIONS, LLC.
    Whois Server: whois.networksolutions.com
    Referral URL: Domain Names, Web Hosting and Online Marketing Services | Network Solutions
    Name Server: A2.NSTLD.COM
    Name Server: C2.NSTLD.COM
    Name Server: D2.NSTLD.COM
    Name Server: E2.NSTLD.COM
    Name Server: F2.NSTLD.COM
    Name Server: G2.NSTLD.COM
    Name Server: H2.NSTLD.COM
    Name Server: L2.NSTLD.COM

    I'd be checking to see why your filter is flagging a top level domain server as a malware site.
    Registered Linux user #384279
    Vector Linux SOHO 7

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Have you tried to capture any packets and see what is being requested and what is being sent? I'm going to say this looks like some sort of DoS or DDoS and your server is being used. Someone is looking to shut down the root servers. Little do they know it isn't that easy.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  4. #4
    Just Joined!
    Join Date
    Mar 2010
    Posts
    1

    Botnet Traffic

    I am running into the same stuff on our ASA. The root name server a.gtld appears to be the destination. I have built some access lists to block the other usual suspects, but this one, being a root name server, I am hesitant to block. I am going to look into this a bit more. If I learn anything of use I will post it.

  5. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    The question becomes: are you sending queries to the root server, or is the root server querying you? If you are sending queries to the root server then you need to block whoever is querying your server so much.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
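The two suggestions above (capture what is being requested, then find out who is sending your server so many queries) can be answered from BIND's own query log without a packet capture. The script below is an added example, not code from the thread or from any poster; the log lines are constructed in the classic BIND 9 query-log format, and the internal network ranges are placeholders. It tallies queries per client and separates outside hosts that asked for recursion (the "+" flag, RD bit set) from outside hosts that only asked for zones this server is authoritative for (the "-" flag), which is exactly the distinction that tells you whether the server is being used as an open resolver.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of BIND 9 query-log lines (not taken from the thread).
# Enable such logging with a "queries" category in named.conf logging {}.
# The "+" / "-" token after the query type records whether the client set the
# RD (recursion desired) bit. 192.0.2.53 is the placeholder resolver address.
SAMPLE_LOG = """\
12-Mar-2010 10:15:02.101 client 203.0.113.7#41022: query: isc.org IN ANY + (192.0.2.53)
12-Mar-2010 10:15:02.105 client 10.1.1.25#53011: query: www.example.net IN A + (192.0.2.53)
12-Mar-2010 10:15:02.110 client 203.0.113.7#41022: query: isc.org IN ANY + (192.0.2.53)
12-Mar-2010 10:15:02.114 client 198.51.100.9#3335: query: ripe.net IN A + (192.0.2.53)
12-Mar-2010 10:15:02.120 client 192.0.2.4#55100: query: mail.example.com IN MX - (192.0.2.53)
12-Mar-2010 10:15:02.131 client 203.0.113.7#41022: query: isc.org IN ANY + (192.0.2.53)
12-Mar-2010 10:15:02.140 client 10.1.1.40#53012: query: example.org IN AAAA + (192.0.2.53)
12-Mar-2010 10:15:02.152 client 198.51.100.9#3335: query: ripe.net IN A + (192.0.2.53)
"""

# Matches the client address, query name, type and the RD flag token.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Turn raw query-log text into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        records.append({
            "client": m.group("ip"),
            "qname": m.group("qname"),
            "qtype": m.group("qtype"),
            # A leading "+" means the client asked this server to recurse.
            "recursive": m.group("flags").startswith("+"),
        })
    return records


def is_internal(ip, internal_nets):
    """True if the address falls inside any of the given ip_network objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def summarize(records, internal_cidrs, top_n=5):
    """Per-client totals plus the outside clients that requested recursion.

    internal_cidrs: the site's own address ranges (placeholders in the demo).
    """
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    per_client = Counter(r["client"] for r in records)
    # Outside hosts asking for recursion are the ones an open resolver serves
    # on their behalf; outside hosts with "-" are just looking up our zones.
    external_recursive = Counter(
        r["client"] for r in records
        if r["recursive"] and not is_internal(r["client"], nets)
    )
    return {
        "total": len(records),
        "top_clients": per_client.most_common(top_n),
        "external_recursive": dict(external_recursive),
    }


def main():
    report = summarize(parse_query_log(SAMPLE_LOG), ["10.0.0.0/8", "192.168.0.0/16"])
    print("queries parsed:", report["total"])
    print("busiest clients:")
    for ip, n in report["top_clients"]:
        print(f"  {ip:<16} {n}")
    print("outside clients that asked for recursion:")
    for ip, n in sorted(report["external_recursive"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:<16} {n}")


if __name__ == "__main__":
    main()
```

On a real server, feed the script the query log instead of SAMPLE_LOG and put your own ranges in the internal list. A non-empty "outside clients that asked for recursion" list is the sign that the resolver is answering the world, and those are the sources whose load ends up as the stream of lookups toward the root and gTLD servers; 192.0.2.4 in the sample is deliberately excluded because it only asked for a zone this server serves itself.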

  6. #6
    Just Joined!
    Join Date
    Mar 2010
    Posts
    2
    I've opened an incident with Cisco about this. They have confirmed the IP address is in their botnet database but have yet to give me a reason why it's in there. I've blocked the traffic going outbound, so it has to be initiated from my end.

    I'm actually seeing this on both of our dns servers. I'm not sure what to make of this; I don't know bind well enough to know what to look for.

  7. #7
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Do you allow recursion from outside your network?
    If so then you should really be locking this down.
    Only allow recursion from within the network.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
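A `named.conf` fragment that implements the lockdown described above, added here as an example; it is not from the thread or from either poster's configuration, and the address ranges in the `internal` acl are placeholders for your own networks. The commented-out lines show the open-resolver setting that produces the symptom in this thread; the lines below them are the corrected version.

```conf
// Placeholder ranges: replace with the networks your own clients sit on.
acl "internal" { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };

options {
    // Weak: the server recurses for anyone on the Internet who asks.
    // recursion yes;
    // allow-recursion { any; };

    // Corrected: recursion (and answers from the cache) only for internal
    // clients; everyone may still query the zones this server is
    // authoritative for, so public zone hosting keeps working.
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };
    allow-query       { any; };
};
```

Run `named-checkconf` before `rndc reload` so a typo does not take the server down. To confirm the change, query the server from a host outside the `internal` ranges for a name it is not authoritative for; BIND should now answer REFUSED instead of resolving it, while a query for one of its own zones still gets an answer.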
