Omnifarious's Journal: DNS cache poisoning on the rise?
I run a public DNS server for my own domains and I've been getting a lot of outside attempts to run recursive queries through it. This is something I haven't seen before and I'm wondering if DNS cache poisoning is on the rise.
Here is a sample of the logs:
May 15 01:57:38 foo named[2310]: client 125.17.226.217#4921: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 02:40:15 foo named[2310]: client 208.72.168.114#54341: query (cache) 'aa36.com/ANY/IN' denied
May 15 03:41:06 foo named[2310]: client 192.172.226.155#56099: query (cache) 'c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org/A/IN' denied
May 15 03:44:21 foo named[2310]: client 124.173.20.186#2898: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 05:09:01 foo named[2310]: client 88.228.100.29#1598: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 06:08:46 foo named[2310]: client 201.47.54.80#61320: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 19:33:27 foo named[2310]: client 221.208.250.186#12899: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 23:24:55 foo named[2310]: client 71.110.123.103#4547: query (cache) 'nirvana.admins.ws/A/IN' denied
One of these is a definite probe for poorly configured DNS servers in an attempt to be helpful. And that's the query for c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org.
The others appear to be an attempt to query for the DNS records of a spam trap. This could be one of two things. It could be an attempt to get emails destined for the trap to go elsewhere. It could also be an attempt to get unwitting open DNS resolvers to be a part of a DDoS attack against the spam trap. I don't know which.
Does anybody reading this have any idea?
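One thing worth checking before worrying about poisoning: every line above ends in "denied", which means named is already refusing recursion for these clients, so the server is not acting as an open resolver. What the log does show is a single name (nirvana.admins.ws) being asked for by six unrelated source addresses in one day, which is the pattern to watch. The following script is an added example, not code from the post or from BIND; it parses the "query (cache) ... denied" lines quoted above, groups refused queries by name, labels the openresolvers.org probe and any ANY queries (the classic reflection/amplification payload), and lists names that arrive from many distinct sources. The openresolvers.org suffix check and the distinct-source threshold are assumptions chosen for this example.

```python
"""Parse BIND 'query (cache) ... denied' lines and group refused queries by name.

Added example for illustration; not code from the original post or from BIND.
"""
import re
from collections import defaultdict

# Sample input: the eight log lines quoted in the post above.
SAMPLE_LOG = """\
May 15 01:57:38 foo named[2310]: client 125.17.226.217#4921: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 02:40:15 foo named[2310]: client 208.72.168.114#54341: query (cache) 'aa36.com/ANY/IN' denied
May 15 03:41:06 foo named[2310]: client 192.172.226.155#56099: query (cache) 'c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org/A/IN' denied
May 15 03:44:21 foo named[2310]: client 124.173.20.186#2898: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 05:09:01 foo named[2310]: client 88.228.100.29#1598: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 06:08:46 foo named[2310]: client 201.47.54.80#61320: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 19:33:27 foo named[2310]: client 221.208.250.186#12899: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 23:24:55 foo named[2310]: client 71.110.123.103#4547: query (cache) 'nirvana.admins.ws/A/IN' denied
"""

# Line format: <Mon dd HH:MM:SS> <host> named[<pid>]: client <ip>#<port>:
#              query (cache) '<qname>/<qtype>/<qclass>' denied
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

# Assumed heuristic: names under openresolvers.org are the open-resolver test
# probe the post identifies. This is the one suffix the post mentions, not a full list.
PROBE_SUFFIXES = (".openresolvers.org",)


def parse_line(line):
    """Return a dict of fields for one denied-query line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].lower().rstrip(".")
    rec["port"] = int(rec["port"])
    return rec


def parse_log(text):
    """Parse every matching line in a block of syslog text; other lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """Label one refused query with the most likely reason someone sent it.

    'probe'     - an open-resolver scanner checking whether we answer recursively
    'any-query' - an ANY query, the usual payload in reflection/amplification attacks
    'recursion' - any other name we are not authoritative for
    """
    if rec["qname"].endswith(PROBE_SUFFIXES):
        return "probe"
    if rec["qtype"] == "ANY":
        return "any-query"
    return "recursion"


def summarize(records):
    """Group records by query name: distinct source IPs, hit count, query types, label."""
    summary = defaultdict(lambda: {"clients": set(), "count": 0, "qtypes": set(), "label": None})
    for r in records:
        entry = summary[r["qname"]]
        entry["clients"].add(r["ip"])
        entry["count"] += 1
        entry["qtypes"].add(r["qtype"])
        entry["label"] = classify(r)
    return dict(summary)


def flag_distributed(summary, min_clients=3):
    """Names asked for by at least min_clients distinct sources, most sources first.

    One name arriving from many unrelated networks is what the post noticed. It fits
    either a coordinated scan or spoofed-source reflection attempts; this only surfaces
    the pattern, it does not decide between the two.
    """
    hits = [(q, len(e["clients"])) for q, e in summary.items() if len(e["clients"]) >= min_clients]
    return [q for q, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for qname, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{qname:70s} {e['label']:10s} hits={e['count']} "
              f"sources={len(e['clients'])} types={','.join(sorted(e['qtypes']))}")
    print("queried from many distinct sources:", flag_distributed(summary))
```

Run against the lines above it reports nirvana.admins.ws with six distinct sources and flags it, while the openresolvers.org name and the ANY query for aa36.com each show a single source. The distinct-source count matters more than the raw hit count: a spoofed-source reflection attempt and a distributed scan both look like one name from many addresses, whereas a single misconfigured client hammering you looks like one address many times. If you want to confirm the server's own posture rather than infer it from "denied", the BIND options that govern this are `recursion no;` on a purely authoritative server or an `allow-recursion { ... };` ACL restricted to your own networks.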