[Pdns-users] Queries .domain. Attack to root server?

Federico Olivieri lvrfrc87 at gmail.com
Sun Dec 13 15:17:04 UTC 2015


Hi everybody,
I know that this question is not really related to PowerDNS but to DNS in
general, but maybe one of you can help me with this problem.

Since last week I have been seeing some peaks of queries on my 2 DNS servers
(you can see them on metronome under the names T1000 and 836.recursor). From my
graphs I saw that these queries go directly against root server a.
I sniffed the traffic and saw some strange queries with .domain at the end
of the name:

[...]
14:56:13.152408 IP dns.seeweb.it.domain > banana_eth0.11659: 23888*- 1/2/0 CNAME 162.160-27.194.94.85.in-addr.arpa. (119)
14:56:13.153043 IP banana_eth0.50298 > i.gtld-servers.net.domain: 53582 A? ns1.cianciolab.com. (36)
14:56:13.157826 IP tinnie.arin.net.domain > banana_eth0.40085: 46248- 0/2/0 (88)
14:56:13.158218 IP banana_eth0.44415 > ns.elion.ee.domain: 25287 PTR? 242.225.191.90.in-addr.arpa. (45)
14:56:13.177148 IP i.gtld-servers.net.domain > banana_eth0.50298: 53582- 0/2/2 (100)
14:56:13.177571 IP banana_eth0.55401 > naimi.housing-server.biz.domain: 17309 A? ns1.cianciolab.com. (36)
14:56:13.223558 IP ns.elion.ee.domain > banana_eth0.44415: 25287*- 1/0/0 PTR ns3.zonedata.net. (75)
14:56:13.224978 IP banana_eth0.62199 > puck.nether.net.domain: 31838 PTR? 36.216.61.204.in-addr.arpa. (44)
14:56:13.233555 IP naimi.housing-server.biz.domain > banana_eth0.55401: 17309*- 1/2/1 A 85.94.194.162 (100
[...]

If I dig for one of those domains, I can see that the query goes directly
to the root server.

root at banana:~# dig dns.seeweb.it.domain

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> dns.seeweb.it.domain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49088
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dns.seeweb.it.domain.          IN      A

;; AUTHORITY SECTION:
.                       3600    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2015121300 1800 900 604800 86400

;; Query time: 28 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 13 15:09:19 2015
;; MSG SIZE  rcvd: 113

It seems quite odd to me, but I am not sure if it is some kind of attack on the
root server. Does anyone have any idea/suggestion? If so, how can I block it (I
was thinking about an iptables filter for .domain queries)?

Thanks

Federico
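Added note and example, not part of the original post. In the tcpdump output quoted above, the trailing ".domain" is not part of the query name: tcpdump prints each endpoint as host.port and, unless run with -nn, replaces well-known port numbers with the service name from /etc/services, and port 53 is listed there as "domain". So "dns.seeweb.it.domain" is dns.seeweb.it port 53, and the actual queries are the names after "A?" or "PTR?". Digging for "dns.seeweb.it.domain" by hand asks for a name under a TLD that does not exist, which is exactly why the answer is NXDOMAIN with the root zone's SOA in the authority section. The parser below (written for this page; sample lines are constructed after the ones in the post, and the /etc/services table is reduced to the one entry needed) splits the port suffix off each endpoint and lists what the resolver really sent upstream:

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Service names tcpdump substitutes for well-known ports when run without -nn.
# It reads /etc/services; only the entry relevant to DNS is reproduced here.
SERVICE_PORTS = {"domain": 53}

# Constructed sample, modelled on the tcpdump output quoted in the post.
SAMPLE = """\
14:56:13.153043 IP banana_eth0.50298 > i.gtld-servers.net.domain: 53582 A? ns1.cianciolab.com. (36)
14:56:13.158218 IP banana_eth0.44415 > ns.elion.ee.domain: 25287 PTR? 242.225.191.90.in-addr.arpa. (45)
14:56:13.177148 IP i.gtld-servers.net.domain > banana_eth0.50298: 53582- 0/2/2 (100)
14:56:13.233555 IP naimi.housing-server.biz.domain > banana_eth0.55401: 17309*- 1/2/1 A 85.94.194.162 (100)
"""

# "<ts> IP <src> > <dst>: <txid><flags> <rest>"; flags are tcpdump's *, +, $, | and -.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)(?P<flags>[*+$|-]*) "
    r"(?P<rest>.*)$"
)
# A query body looks like "A? name. (len)"; responses start with "ans/auth/add".
QUERY_RE = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$")


def split_endpoint(ep: str) -> tuple[str, int]:
    """Split tcpdump's 'host.port' into (host, port).

    The suffix after the last dot is either a number or a service name taken
    from /etc/services, so '.domain' means port 53 and is never a TLD.
    """
    host, _, port = ep.rpartition(".")
    if port.isdigit():
        return host, int(port)
    if port in SERVICE_PORTS:
        return host, SERVICE_PORTS[port]
    raise ValueError(f"unrecognised port/service suffix in {ep!r}")


@dataclass
class DnsPacket:
    ts: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    txid: int
    is_query: bool
    qtype: Optional[str]
    qname: Optional[str]


def parse_line(line: str) -> DnsPacket:
    """Parse one tcpdump DNS summary line into its endpoints and question."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump DNS line: {line!r}")
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    q = QUERY_RE.match(m["rest"])
    return DnsPacket(
        ts=m["ts"],
        src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port,
        txid=int(m["txid"]),
        is_query=q is not None,
        qtype=q["qtype"] if q else None,
        qname=q["qname"] if q else None,
    )


def outbound_queries(text: str, resolver: str) -> list[tuple[str, str, str]]:
    """Return (upstream server, qtype, qname) for each query the resolver sent.

    None of the returned names ends in '.domain': that suffix belonged to the
    destination port, not to the name being looked up.
    """
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        p = parse_line(line)
        if p.is_query and p.src_host == resolver and p.dst_port == 53:
            out.append((p.dst_host, p.qtype, p.qname))
    return out


if __name__ == "__main__":
    for server, qtype, qname in outbound_queries(SAMPLE, "banana_eth0"):
        print(f"{qtype:4} {qname:40} -> {server}")
```

Running tcpdump with -nn (e.g. `tcpdump -nn -i eth0 udp port 53`) prints raw port numbers instead of service names and avoids the confusion altogether; an iptables rule matching ".domain" in the query name would match nothing, because no packet carries that label.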