03-18-2010 #1 (Just Joined!)
Bind server hacked not sure?
As of a couple of days ago our BIND server is sending tons of DNS lookups to this IP address, 192.5.6.30. All of our outbound traffic goes through a Cisco ASA botnet filter. The botnet filter identified this as a malware site. I can't determine that; it's registered to VeriSign Global Registry Services and it's not showing up on any spam databases.
So why is my BIND server hammering this one IP address with DNS lookups?
03-18-2010 #2 (Linux Engineer)
LOL! That IP address points to the top level domain servers.
canonical name a.gtld-servers.net.
aliases
addresses 192.5.6.30
Domain Whois record
Queried whois.internic.net with "dom gtld-servers.net"...
Domain Name: GTLD-SERVERS.NET
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: Domain Names, Web Hosting and Online Marketing Services | Network Solutions
Name Server: A2.NSTLD.COM
Name Server: C2.NSTLD.COM
Name Server: D2.NSTLD.COM
Name Server: E2.NSTLD.COM
Name Server: F2.NSTLD.COM
Name Server: G2.NSTLD.COM
Name Server: H2.NSTLD.COM
Name Server: L2.NSTLD.COM
I'd be checking to see why your filter is flagging a top level domain server as a malware site.

Registered Linux user #384279
Vector Linux SOHO 6 / Vector Linux 7 RC 3.4
03-19-2010 #3
Have you tried to capture any packets and see what is being requested and what is being sent? I'm going to say this looks like some sort of DoS or DDoS and your server is being used. Someone is looking to shut down the root servers. Little do they know it isn't that easy.
03-23-2010 #4 (Just Joined!)
Botnet Traffic
I am running into the same stuff on our ASA. The root name server a.gtld appears to be the destination. I have built some access lists to block the other usual suspects, but this one, being a root name server, I am hesitant to block. I am going to look into this a bit more. If I learn anything of use I will post it.
03-24-2010 #5
The question becomes: are you sending queries to the root server, or is the root server querying you? If you are sending queries to the root server, then you need to block whoever is querying your server so much.
03-24-2010 #6 (Just Joined!)
I've opened an incident with Cisco about this. They have confirmed the IP address is in their botnet database but have yet to give me a reason why it's in there. I've blocked the traffic going outbound, so it has to be initiated from my end.
I'm actually seeing this on both of our DNS servers. I'm not sure what to make of this; I don't know BIND well enough to know what to look for.
03-27-2010 #7
Do you allow recursion from outside your network?
If so then you should really be locking this down.
Only allow recursion from within the network.
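To act on the advice in #5 and #7 (find out who is sending the queries and whether they come from outside the network), here is an added example that is not from any poster in the thread: a small Python script that parses BIND 9 query-log lines (the sample lines are constructed, and the internal ranges are an assumed placeholder) and counts recursion-desired queries from clients outside the allowed networks. Query logging must be switched on in named for real logs (`rndc querylog`).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of BIND 9 query-log lines, not taken from the thread.
# The trailing "+" means the client set the RD (recursion desired) flag.
SAMPLE_LOG = """\
18-Mar-2010 10:01:02.110 client 203.0.113.7#4421: query: isc.org IN A +
18-Mar-2010 10:01:02.112 client 203.0.113.7#4422: query: example.net IN MX +
18-Mar-2010 10:01:02.115 client 203.0.113.7#4423: query: example.org IN A +
18-Mar-2010 10:01:03.001 client 10.0.0.15#53211: query: intranet.corp IN A +
18-Mar-2010 10:01:03.420 client 198.51.100.9#1025: query: example.com IN A +
18-Mar-2010 10:01:04.000 client 10.0.0.22#40001: query: example.com IN A -
"""

# Assumed internal address space allowed to recurse through this server;
# replace with your own ranges (the same list belongs in allow-recursion).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Yield (client_ip, qname, qtype, recursion_desired) for each log line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["ip"], m["name"], m["type"], "+" in m["flags"]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_recursive_clients(text):
    """Count RD queries per client outside INTERNAL_NETS.

    A non-empty result means the server is acting as an open resolver, which
    is what makes it chase answers at a.gtld-servers.net on strangers' behalf."""
    counts = Counter()
    for ip, _name, _type, rd in parse_query_log(text):
        if rd and not is_internal(ip):
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    for ip, n in external_recursive_clients(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} recursive queries from outside the allowed networks")
```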