[Pdns-users] iprange is hitting my dns servers

Frank Louwers frank+pdns at tembo.be
Wed Jun 10 07:40:53 UTC 2020 

Hi Steffan,

It smells like a bunch of Windows clients that all want to lookup a DomainController... (all capitals, DC, ... typical MS naming conventions)

Are the 195.121.82.103-195.121.82.139 ips under your control?

Best of luck hunting :)

Frank

> On 10 Jun 2020, at 08:32, Steffan via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
> 
>  
>> On 06/08/2020 8:12 PM Steffan via Pdns-users <pdns-users at mailman.powerdns.com <mailto:pdns-users at mailman.powerdns.com>> wrote: 
>>  
>>  
>> Hello,
>>  
>> Im rusiing 4.1.13-1pdns.el7
>> I just noticed a lot of these lines
>> Jun  8 19:55:08 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/DS <http://ks-dc-01.ksprofiel.nl/DS> (All data was not consumed) sending out servfail
>> Jun  8 19:55:08 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/AAAA <http://ks-dc-01.ksprofiel.nl/AAAA> (All data was not consumed) sending out servfail
>> Jun  8 19:55:08 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/A <http://ks-dc-01.ksprofiel.nl/A> (All data was not consumed) sending out servfail
>> Jun  8 19:55:10 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/A <http://ks-dc-01.ksprofiel.nl/A> (All data was not consumed) sending out servfail
>> Jun  8 19:55:10 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/DS <http://ks-dc-01.ksprofiel.nl/DS> (All data was not consumed) sending out servfail
>> Jun  8 19:55:10 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/DS <http://ks-dc-01.ksprofiel.nl/DS> (All data was not consumed) sending out servfail
>> Jun  8 19:55:10 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/AAAA <http://ks-dc-01.ksprofiel.nl/AAAA> (All data was not consumed) sending out servfail
>> Jun  8 19:55:10 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/A <http://ks-dc-01.ksprofiel.nl/A> (All data was not consumed) sending out servfail
>> Jun  8 19:55:10 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/DS <http://ks-dc-01.ksprofiel.nl/DS> (All data was not consumed) sending out servfail
>> Jun  8 19:55:10 ns2 pdns_server: Exception building answer packet for KS-DC-01.ksprofiel.nl/AAAA <http://ks-dc-01.ksprofiel.nl/AAAA> (All data was not consumed) sending out servfail
>>  
>> When debugging i see one iprange over and over and over again.
>>  
>>  
>> Jun  8 20:10:24 ns3 pdns_server: Remote 195.121.82.135 wants 'KS-DC-01.ksprofiel.nl <http://ks-dc-01.ksprofiel.nl/>|A', do = 1, bufsize = 1232: packetcache MISS
>> Jun  8 20:10:24 ns3 pdns_server: Remote 195.121.82.139 wants 'KS-DC-01.ksprofiel.nl <http://ks-dc-01.ksprofiel.nl/>|AAAA', do = 1, bufsize = 1232: packetcache MISS
>> Jun  8 20:10:24 ns3 pdns_server: Remote 195.121.82.111 wants 'KS-DC-01.ksprofiel.nl <http://ks-dc-01.ksprofiel.nl/>|AAAA', do = 1, bufsize = 1232: packetcache MISS
>> Jun  8 20:10:24 ns3 pdns_server: Remote 195.121.82.103 wants 'KS-DC-01.ksprofiel.nl <http://ks-dc-01.ksprofiel.nl/>|A', do = 1, bufsize = 1232: packetcache MISS
>> Jun  8 20:10:27 ns3 pdns_server: Remote 195.121.82.111 wants 'KS-DC-01.ksprofiel.nl <http://ks-dc-01.ksprofiel.nl/>|DS', do = 1, bufsize = 1232: packetcache MISS
>> Jun  8 20:10:27 ns3 pdns_server: Remote 195.121.82.111 wants 'KS-DC-01.ksprofiel.nl <http://ks-dc-01.ksprofiel.nl/>|A', do = 1, bufsize = 1232: packetcache MISS
>>  
>> Soemthimes it is a packetcache HIT (another domain)
>>  
>> Is this some kind of hakking attempt or normal ?
>>  
>>  
>> Met vriendelijke groet,
>> Steffan Noord 
>> _______________________________________________ 
>> Pdns-users mailing list 
>> Pdns-users at mailman.powerdns.com <mailto:Pdns-users at mailman.powerdns.com> 
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users <https://mailman.powerdns.com/mailman/listinfo/pdns-users> 
> >Seems like you have something wrong with those records. All data was not consumed happens when there is something left after parsing the record data. 
> >Try pdnssec/pdnsutil check-zone and if you cant figure it out post unredacted problem records. 
> > 
> >Aki 
>  
>  
> Hello Aki,
> 'KS-DC-01.ksprofiel.nl <http://ks-dc-01.ksprofiel.nl/> does not exsist in the dns so that is correct
> Ksprofiel.nl <http://ksprofiel.nl/> is.
>  
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com <mailto:Pdns-users at mailman.powerdns.com>
> https://mailman.powerdns.com/mailman/listinfo/pdns-users <https://mailman.powerdns.com/mailman/listinfo/pdns-users>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20200610/0f13d6bf/attachment-0001.htm>

More information about the Pdns-users mailing list