
Omnifarious's Journal: DNS cache poisoning on the rise?

Journal by Omnifarious

I run a public DNS server for my own domains and I've been getting a lot of outside attempts to run recursive queries through it. This is something I haven't seen before and I'm wondering if DNS cache poisoning is on the rise.

Here is a sample of the logs:

May 15 01:57:38 foo named[2310]: client 125.17.226.217#4921: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 02:40:15 foo named[2310]: client 208.72.168.114#54341: query (cache) 'aa36.com/ANY/IN' denied
May 15 03:41:06 foo named[2310]: client 192.172.226.155#56099: query (cache) 'c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org/A/IN' denied
May 15 03:44:21 foo named[2310]: client 124.173.20.186#2898: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 05:09:01 foo named[2310]: client 88.228.100.29#1598: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 06:08:46 foo named[2310]: client 201.47.54.80#61320: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 19:33:27 foo named[2310]: client 221.208.250.186#12899: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 23:24:55 foo named[2310]: client 71.110.123.103#4547: query (cache) 'nirvana.admins.ws/A/IN' denied

One of these is a definite probe for poorly configured DNS servers in an attempt to be helpful. And that's the query for c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org.

The others appear to be an attempt to query for the DNS records of a spam trap. This could be one of two things. It could be an attempt to get emails destined for the trap to go elsewhere. It could also be an attempt to get unwitting open DNS resolvers to be a part of a DDoS attack against the spam trap. I don't know which.

Does anybody reading this have any idea?
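As an added example (not part of the journal entry above), here is a small Python script that parses BIND "query (cache) ... denied" lines of the kind shown in the post and sorts the queried names into the categories the entry is weighing: a known open-resolver survey domain, ANY lookups (the classic amplification vector, where a spoofed source address would make the logged client IP the intended victim), and one name requested from many unrelated clients. The sample log is a constructed copy of the lines above; the "many sources" threshold and the scanner-suffix list are assumptions to tune for your own traffic.

```python
"""Parse BIND 'query (cache) ... denied' lines and summarise who is asking a
non-recursive server to recurse, and for what.

Added example, not code from the original journal entry. SAMPLE_LOG is a
constructed copy of the lines quoted in the post; the thresholds and the
scanner-suffix list below are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample input in the BIND 9 syslog format shown in the post.
SAMPLE_LOG = """\
May 15 01:57:38 foo named[2310]: client 125.17.226.217#4921: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 02:40:15 foo named[2310]: client 208.72.168.114#54341: query (cache) 'aa36.com/ANY/IN' denied
May 15 03:41:06 foo named[2310]: client 192.172.226.155#56099: query (cache) 'c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org/A/IN' denied
May 15 03:44:21 foo named[2310]: client 124.173.20.186#2898: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 05:09:01 foo named[2310]: client 88.228.100.29#1598: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 06:08:46 foo named[2310]: client 201.47.54.80#61320: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 19:33:27 foo named[2310]: client 221.208.250.186#12899: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 23:24:55 foo named[2310]: client 71.110.123.103#4547: query (cache) 'nirvana.admins.ws/A/IN' denied
"""

# syslog timestamp, host, named[pid], client ip#port, then 'qname/qtype/qclass'
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"named\[(?P<pid>\d+)\]: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^'/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

# Assumed thresholds/lists for the heuristics below; tune to your own traffic.
MANY_SOURCES = 3
KNOWN_SCANNER_SUFFIXES = ("openresolvers.org",)


def parse_denied(text):
    """Return one dict (ts, host, pid, ip, port, qname, qtype, qclass) per matching line."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Group denied queries by name: hit count, distinct client IPs, query types seen."""
    by_name = defaultdict(lambda: {"count": 0, "sources": set(), "qtypes": set()})
    for e in events:
        rec = by_name[e["qname"].lower().rstrip(".")]
        rec["count"] += 1
        rec["sources"].add(e["ip"])
        rec["qtypes"].add(e["qtype"])
    return dict(by_name)


def classify(qname, rec):
    """Heuristic label for one queried name.

    - a known open-resolver survey domain is a benign probe;
    - ANY is the classic amplification lookup; if the source address was
      spoofed, the logged client IP is the intended victim, not the attacker;
    - the same name from many unrelated clients is either a distributed
      scan/attack or many hosts sharing the same (mis)configuration.
    """
    if qname.endswith(KNOWN_SCANNER_SUFFIXES):
        return "open-resolver probe"
    if "ANY" in rec["qtypes"]:
        return "possible amplification attempt (ANY)"
    if len(rec["sources"]) >= MANY_SOURCES:
        return "same name from many sources: review"
    return "low volume"


def report(text):
    """Return (qname, hits, distinct_sources, label) tuples, busiest name first."""
    summary = summarize(parse_denied(text))
    rows = [(q, r["count"], len(r["sources"]), classify(q, r)) for q, r in summary.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for qname, hits, nsrc, label in report(SAMPLE_LOG):
        print(f"{hits:4d} hits {nsrc:3d} sources  {qname:<62} {label}")
```

Run it against your own named log (or pipe `grep "query (cache)" /var/log/messages` into it) rather than the embedded sample; a single client repeatedly asking for one name is a different signal from six unrelated clients asking for it, and the distinct-source count is what separates the two.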
