[Dshield] DNS DOS and Bind

josh@theoubliette.net josh at theoubliette.net
Thu Mar 2 23:43:30 GMT 2006


Greetings -

I began noticing some odd dns queries in my logs a few weeks ago.

**begin paste**
Mar  2 07:38:19 myhost named[22178]: client 216.98.159.202#32804: query:
i205249.upc-i.chello.nl.mydomain.net IN AAAA
Mar  2 07:40:31 myhost named[22178]: client 216.98.159.202#32804: query:
zg06-071.dialin.iskon.hr.mydomain.net IN AAAA
Mar  2 07:43:48 myhost named[22178]: client 216.98.159.202#32804: query:
ACCC7FD0.ipt.aol.com.mydomain.net IN AAAA
**end paste**

myhost and mydomain have replaced my hosts true info, but that is
essentially the format of these queries.  When I dig the host with
mydomain.net omitted, it typically resolves to some real host on the
internet, but the same query dig'd against my server comes back empty as
expected.

These queries come a few at a time over a few minutes, as if someone is
testing their settings, and then after a short period of time they begin
to come in large quantities virtually non-stop for anywhere from several
hours to several days.  Due to some troubleshooting I had turned on DNS
logging some time ago and due to the low load on my server didn't realize
I had forgot to turn it off.

Initially I was blacklisting the few offending hosts, as they only seemed
to gang up on me one or two at a time, and it seemed an otherwise easy
thing to do for some possibly virus-infected mass mailer system with a bad
dns lookup routine.  Unfortunately, the offender seems to continue to come
back every few days or so from a different source host, so clearly, I'm
dealing with someone who is being a dedicated pain in the backside and has
some axe to grind with me.  My initial thoughts were that someone was
spamming and attempting to possibly use an DNS proxy lookup exploit or
something of that nature, but the negative results confused me.  Somewhere
along the line my system became lame for it's own domain too, which
confused me as to how it happened, but it might have been an RPM update
via yum that caused the conf to be saved out to .conf.rpmsave rather than
something malicious.  Just thought I would throw that in, just in case it
is important.

It took me a while to fingure out what to query google for, since each DNS
query was different and the suffix was always my domain.  I finally found
a few search phrases that yielded positive results.

I found this:
http://www.ietf.org/rfc/rfc4074.txt

which referenced this:
http://www.kb.cert.org/vuls/id/714121

>From these it seems there is a problem in bind and it is illustrated by a
AAAA query returning NXDOMAIN instead of NOERROR and an empty return
record.  The problem is that I'm seeing NXDOMAIN with an empty return
record, so I'm not entirely sure what to expect.  Also from these two
articles, I'm guessing that a failed AAAA query should cause the
requesting client to fire back an A query or fatally die if the client
doesn't handle this condition properly.  It seems that this isn't
something like a web browser that one would normally expect for a client,
and likely something custom due to the volume, so expecting it to die due
to these failed queries is pointless.

Is this some sort of exploit or known virus infected host(s)?  Is this
something old or new?  Is it likely a simple DOS?  Anyone else seen this
sort of thing before?

Anyone know if I can configure Bind to ignore or drop AAAA queries since
I'm not running IPv6? (not terribly appropriate for this list, but it does
seem to be a DNS security related question...so maybe it's important to
ask.  Yeah, I'm sure there's a more appropriate bind discussion list to
ask this of, but here it is...)

Is there another recommended defense?

TIA,
josh


More information about the list mailing list