Security

Omnifarious's Journal: DNS cache poisoning on the rise?

Journal by Omnifarious

I run a public DNS server for my own domains and I've been getting a lot of outside attempts to run recursive queries through it. This is something I haven't seen before and I'm wondering if DNS cache poisoning is on the rise.

Here is a sample of the logs:

May 15 01:57:38 foo named[2310]: client 125.17.226.217#4921: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 02:40:15 foo named[2310]: client 208.72.168.114#54341: query (cache) 'aa36.com/ANY/IN' denied
May 15 03:41:06 foo named[2310]: client 192.172.226.155#56099: query (cache) 'c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org/A/IN' denied
May 15 03:44:21 foo named[2310]: client 124.173.20.186#2898: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 05:09:01 foo named[2310]: client 88.228.100.29#1598: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 06:08:46 foo named[2310]: client 201.47.54.80#61320: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 19:33:27 foo named[2310]: client 221.208.250.186#12899: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 23:24:55 foo named[2310]: client 71.110.123.103#4547: query (cache) 'nirvana.admins.ws/A/IN' denied

One of these is a definite probe for poorly configured DNS servers in an attempt to be helpful. And that's the query for c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org.

The others appear to be an attempt to query for the DNS records of a spam trap. This could be one of two things. It could be an attempt to get emails destined for the trap to go elsewhere. It could also be an attempt to get unwitting open DNS resolvers to be a part of a DDoS attack against the spam trap. I don't know which.

Does anybody reading this have any idea?
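As an added example (not part of the journal entry), here is a small Python script that parses BIND "query (cache) ... denied" lines like the ones above, aggregates them by queried name and type, and flags the two patterns the post discusses: the openresolvers.org probe, and a single name being asked for from many different source addresses. The log lines inside the script are constructed in the same format, with documentation-range addresses and made-up names, so it runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in BIND's denied-recursion format (addresses and
# names are made up for this example; only the line format mirrors the journal).
SAMPLE_LOG = """\
May 15 01:57:38 foo named[2310]: client 192.0.2.10#4921: query (cache) 'trap.example.net/A/IN' denied
May 15 02:40:15 foo named[2310]: client 198.51.100.7#54341: query (cache) 'example.org/ANY/IN' denied
May 15 03:00:00 foo named[2310]: zone example.com/IN: loaded serial 1
May 15 03:41:06 foo named[2310]: client 203.0.113.5#56099: query (cache) 'abcd.1234.test1.openresolvers.org/A/IN' denied
May 15 03:44:21 foo named[2310]: client 192.0.2.11#2898: query (cache) 'trap.example.net/A/IN' denied
May 15 05:09:01 foo named[2310]: client 192.0.2.12#1598: query (cache) 'trap.example.net/A/IN' denied
May 15 05:10:00 foo named[2310]: client 192.0.2.12#1599: query (cache) 'trap.example.net/A/IN' denied
"""

# "query (cache) ... denied" means named refused to recurse for a name it is
# not authoritative for, i.e. the server correctly acted as a closed resolver.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)


def parse_denied(log_text):
    """Yield (client_ip, qname, qtype) for every denied recursive query."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:  # lines that are not denied queries (zone loads etc.) are skipped
            yield m["ip"], m["qname"].lower().rstrip("."), m["qtype"]


def classify(qname, qtype):
    """Label a denied query: open-resolver probe, ANY query (the classic
    amplification request), or an ordinary refused recursion."""
    if qname.endswith(".openresolvers.org"):
        return "open-resolver-probe"
    if qtype == "ANY":
        return "any-query"
    return "refused-recursion"


def summarize(log_text, min_sources=3):
    """Aggregate denied queries per (name, type): total count, number of
    distinct client addresses, category, and whether the same name was asked
    for from at least min_sources different sources."""
    count, sources = Counter(), defaultdict(set)
    for ip, qname, qtype in parse_denied(log_text):
        count[(qname, qtype)] += 1
        sources[(qname, qtype)].add(ip)
    return {
        key: {"count": n, "distinct_sources": len(sources[key]),
              "category": classify(*key),
              "many_sources": len(sources[key]) >= min_sources}
        for key, n in count.items()
    }
```

Run it against a real named log by replacing SAMPLE_LOG with the file contents; names that show up with many distinct sources are the ones worth correlating with abuse reports, while the probe entries only confirm that recursion is being refused as intended.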
