
DNS cache poisoning on the rise?

Omnifarious (11933) writes | more than 6 years ago

Security

I run a public DNS server for my own domains and I've been getting a lot of outside attempts to run recursive queries through it. This is something I haven't seen before and I'm wondering if DNS cache poisoning is on the rise.

Here is a sample of the logs:

May 15 01:57:38 foo named[2310]: client 125.17.226.217#4921: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 02:40:15 foo named[2310]: client 208.72.168.114#54341: query (cache) 'aa36.com/ANY/IN' denied

May 15 03:41:06 foo named[2310]: client 192.172.226.155#56099: query (cache) 'c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org/A/IN' denied

May 15 03:44:21 foo named[2310]: client 124.173.20.186#2898: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 05:09:01 foo named[2310]: client 88.228.100.29#1598: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 06:08:46 foo named[2310]: client 201.47.54.80#61320: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 19:33:27 foo named[2310]: client 221.208.250.186#12899: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 23:24:55 foo named[2310]: client 71.110.123.103#4547: query (cache) 'nirvana.admins.ws/A/IN' denied

One of these is a definite probe for poorly configured DNS servers in an attempt to be helpful. And that's the query for c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org.

The others appear to be an attempt to query for the DNS records of a spam trap. This could be one of two things. It could be an attempt to get emails destined for the trap to go elsewhere. It could also be an attempt to get unwitting open DNS resolvers to be a part of a DDOS attack against the spam trap. I don't know which.

Does anybody reading this have any idea?
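One way to triage log lines like the ones above, written as an added example rather than anything from the post: parse BIND's "query (cache) ... denied" lines, group them by queried name, and label each group (the openresolvers.org suffix list and the three-source threshold are assumptions chosen for this sample, not BIND settings).

```python
import re
from collections import Counter, defaultdict

# Constructed input: the denied-query lines quoted in the journal entry above.
SAMPLE_LOG = """\
May 15 01:57:38 foo named[2310]: client 125.17.226.217#4921: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 02:40:15 foo named[2310]: client 208.72.168.114#54341: query (cache) 'aa36.com/ANY/IN' denied
May 15 03:41:06 foo named[2310]: client 192.172.226.155#56099: query (cache) 'c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org/A/IN' denied
May 15 03:44:21 foo named[2310]: client 124.173.20.186#2898: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 05:09:01 foo named[2310]: client 88.228.100.29#1598: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 06:08:46 foo named[2310]: client 201.47.54.80#61320: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 19:33:27 foo named[2310]: client 221.208.250.186#12899: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 23:24:55 foo named[2310]: client 71.110.123.103#4547: query (cache) 'nirvana.admins.ws/A/IN' denied
"""

# Matches BIND's "client IP#port: query (cache) 'name/type/class' denied" format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ named\[\d+\]: client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>\w+)' denied$"
)

def parse_denied(log_text):
    """Yield one dict per denied recursive query; non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def classify(records, scanner_suffixes=("openresolvers.org",), min_sources=3):
    """Group denied queries by name and label each group for a human to review.

    scanner_suffixes: assumed list of known open-resolver survey domains.
    min_sources: assumed threshold for 'many unrelated clients asking for one name'.
    """
    by_name = defaultdict(set)          # qname -> set of source IPs
    types = defaultdict(Counter)        # qname -> Counter of query types
    for r in records:
        by_name[r["qname"]].add(r["ip"])
        types[r["qname"]][r["qtype"]] += 1
    result = {}
    for qname, ips in by_name.items():
        if qname.endswith(scanner_suffixes):
            label = "open-resolver scan"
        elif "ANY" in types[qname]:
            label = "ANY query (large answers, amplification-prone)"
        elif len(ips) >= min_sources:
            label = "one name from many sources (reflection or poisoning attempt)"
        else:
            label = "isolated"
        result[qname] = {"sources": len(ips), "label": label}
    return result
```

On the sample above, nirvana.admins.ws is queried from six distinct clients, which is the pattern the post is asking about; a real deployment would feed in the whole log rather than eight lines.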
