[dnsdist] dns-spider

Aleš Rygl ales at rygl.net
Mon Jul 11 08:09:18 UTC 2016 

  

Hi dnsdist users. 

I would like to share a little finding with
you. We have been suffering from pseudorandom subdomain attacks fo more
than two years mainly because openresolvers in crappy CPEs of our
customers. While analyzing the DNS traffic using topResponses in dnsdist
(thanks!) I have noticed that there is an non negligible amount of
queries like this: 

89.24.226.150 -> 93.153.117.1 DNS 131 Standard
query 0x45f8 A
13070798-0-2081296634-622260844.ns.124-14-16-250-ns.dns-spider.myxns.cn

89.24.226.150 -> 93.153.117.1 DNS 130 Standard query 0x57f7 A
7231664-0-1896986649-671701647.ns.113-17-184-25-ns.dns-spider.myxns.cn

89.24.226.150 -> 93.153.117.1 DNS 130 Standard query 0x9c0c A
7231664-0-1896986649-671701647.ns.113-17-184-25-ns.dns-spider.myxns.cn


46.13.117.67 -> 93.153.117.1 DNS 130 Standard query 0x08fd A
2434136-0-3661366674-4096880849.ns.218-60-5-146-ns.dns-spider.myxns.cn
46.13.117.67
-> 93.153.117.1 DNS 130 Standard query 0xf473 A
2434136-0-3661366674-4096880849.ns.218-60-5-146-ns.dns-spider.myxns.cn


They are coming from clients wit openresolvers. I supposed that this
traffic is malicious and it nothing what would a real user created by
browsing web pages, etc. I have created rules dropping such traffic:


addAction(RegexRule("dns-spider.*\.cn$"),
DropAction())
addAction(RegexRule("dns-spider.*\.net$"),
DropAction())
addAction(RegexRule("dns-spider.*\.org$"),
DropAction())
addAction(RegexRule("dns-spider.*\.com$"), DropAction())


I have more than 100k hits per day for the first rule and thousands
for the second one. To my surprise the pseudorandom subdomain attack
stopped since the rules are installed! And it last more than two months.
My idea is that some bad guys are using specially crafted queries above
to detect openresolvers and exploit them later on as the query reaches
the authoritative NS where can be matched with the IP of the initial
target. 

And maybe one more interesting thing. Some CPEs have something
like "hidden openresolver". They will not answer you if you query them
on WAN nevertheless they send the query to the upstream resolver which
allow them to be exploited as well. 

With regards 

Ales 

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20160711/f25bf825/attachment.html>

More information about the dnsdist mailing list