random dns queries with random sources

Joe Maimon jmaimon at ttec.com
Wed Feb 19 03:59:53 UTC 2014



Doug Barton wrote:
> On 02/18/2014 07:08 PM, Joe Maimon wrote:
>> Thousand of queries with thousands of source ip addresses.
>
> Pardon if I missed a memo, but how are your resolver systems receiving
> these thousands of very different source addresses?
>
> Doug
>
>

Thousands of queries _from_ thousands of source IP addresses.

Likely they are spoofed.

This is an example of what I am seeing:

root at nameserver3:~# baddnsqueries-srcs 9aq.com | wc -l
1337
root at nameserver3:~# grep 9aq.com /var/log/named/queries | wc -l
1415
root at nameserver3:~# baddnsqueries-srcs 9aq.com | sort -rn -k2 | head -n5
99.86.116.243 1
99.219.232.72 1
99.184.19.178 1
99.155.180.193 1
99.129.26.85 1
root at nameserver3:~# grep 9aq.com /var/log/named/queries | head -n5
18-Feb-2014 22:42:30.754 queries: info: client 93.209.49.151#59706: query: abpdefguvwxym.dlq1.9aq.com IN A + (66.199.132.5)
18-Feb-2014 22:42:30.787 queries: info: client 110.158.165.119#32438: query: ocpkxdfupiy.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.382 queries: info: client 84.14.84.205#63722: query: abpqeftuiwklz.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.649 queries: info: client 45.73.65.145#38948: query: pvtlirr.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:32.679 queries: info: client 9.121.56.232#18395: query: amo.dlq1.9aq.com IN A + (66.199.132.5)



root at nameserver3:~# cat /usr/local/sbin/baddnsqueries-srcs
#!/bin/bash
# Per-source query counts for log lines matching a pattern.
# Usage:  baddnsqueries-srcs <extended-regex>      e.g. baddnsqueries-srcs 9aq.com
# Output: "<source-ip> <count>", one line per source address.

LOG=/var/log/named/queries

if [[ -z "$1" ]]; then exit 0; fi

# One pass over the log instead of one grep per source address. Field 6 of a
# BIND "queries" line is "client-ip#port:"; the port is stripped and uniq -c
# counts per address, which avoids the old unanchored, unescaped "grep $IP"
# that let "." match any character and 1.2.3.4 match inside 1.2.3.45.
# The awk at the end swaps the columns to "<ip> <count>" and drops lines
# that had no client field.
grep -E -- "$1" "$LOG" | cut -f6 -d' ' | cut -f1 -d'#' \
    | sort | uniq -c | awk 'NF == 2 { print $2, $1 }'
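
The per-source table above only shows that the sources are spread out; the other half of the picture is that nearly every query carries a never-seen label under the same zone. As an added example (not Joe's script and not part of the original post), the following Python parses BIND query-log lines in the format quoted above, groups them by zone, and flags zones where almost every query has a unique label and a unique source, which is what a spoofed random-label flood looks like. The five 9aq.com lines are the ones from the post joined back onto one line each; the example.com lines, the malformed line, the two-label "zone" heuristic and the thresholds are constructed assumptions for the example.

```python
"""Spot random-subdomain floods in BIND query logs (added example)."""
import re
from collections import defaultdict

# Layout of one BIND 9 "queries" log line as it appears in the post:
#   <date> <time> queries: info: client <ip>#<port>: query: <qname> IN <qtype> <flags> (<dst-ip>)
# Other BIND versions add a "@0x..." handle or a view name; they would need
# their own pattern.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<src>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]+)\)$"
)

# The 9aq.com lines are the ones quoted in the post; the example.com lines
# (benign traffic from three clients) and the last line are constructed.
SAMPLE_LINES = [
    "18-Feb-2014 22:42:30.754 queries: info: client 93.209.49.151#59706: query: abpdefguvwxym.dlq1.9aq.com IN A + (66.199.132.5)",
    "18-Feb-2014 22:42:30.787 queries: info: client 110.158.165.119#32438: query: ocpkxdfupiy.dlq1.9aq.com IN A + (66.199.132.7)",
    "18-Feb-2014 22:42:31.382 queries: info: client 84.14.84.205#63722: query: abpqeftuiwklz.dlq1.9aq.com IN A + (66.199.132.7)",
    "18-Feb-2014 22:42:31.649 queries: info: client 45.73.65.145#38948: query: pvtlirr.dlq1.9aq.com IN A + (66.199.132.7)",
    "18-Feb-2014 22:42:32.679 queries: info: client 9.121.56.232#18395: query: amo.dlq1.9aq.com IN A + (66.199.132.5)",
    "18-Feb-2014 22:42:33.001 queries: info: client 192.0.2.10#53021: query: www.example.com IN A + (66.199.132.5)",
    "18-Feb-2014 22:42:33.120 queries: info: client 192.0.2.10#53022: query: www.example.com IN AAAA + (66.199.132.5)",
    "18-Feb-2014 22:42:33.400 queries: info: client 192.0.2.11#41000: query: mail.example.com IN MX + (66.199.132.7)",
    "18-Feb-2014 22:42:34.210 queries: info: client 192.0.2.10#53023: query: www.example.com IN A + (66.199.132.5)",
    "18-Feb-2014 22:42:34.500 queries: info: client 192.0.2.11#41001: query: mail.example.com IN A + (66.199.132.7)",
    "18-Feb-2014 22:42:35.010 queries: info: client 192.0.2.12#60010: query: www.example.com IN A + (66.199.132.5)",
    "18-Feb-2014 22:42:35.900 queries: info: client 192.0.2.12#60011: query: truncated-line-with-no-type",
]


def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def zone_of(qname, depth=2):
    """Assumed zone heuristic: the last `depth` labels of the name.
    A real deployment would use its own zone list instead."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]) if len(labels) >= depth else qname


def summarize(lines, depth=2):
    """Per zone: total queries, distinct source addresses, distinct qnames."""
    acc = defaultdict(lambda: {"queries": 0, "sources": set(), "qnames": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        z = acc[zone_of(rec["qname"], depth)]
        z["queries"] += 1
        z["sources"].add(rec["src"])
        z["qnames"].add(rec["qname"])
    return {zone: {"queries": z["queries"], "sources": len(z["sources"]),
                   "qnames": len(z["qnames"])} for zone, z in acc.items()}


def suspicious_zones(summary, min_queries=5, min_unique_ratio=0.9, min_source_ratio=0.9):
    """Zones where almost every query is a new label from a new source.
    Thresholds are assumptions for the example, not values from the post."""
    hits = []
    for zone, s in summary.items():
        if s["queries"] < min_queries:
            continue
        if (s["qnames"] / s["queries"] >= min_unique_ratio
                and s["sources"] / s["queries"] >= min_source_ratio):
            hits.append(zone)
    return sorted(hits)


def per_source(lines, zone, depth=2):
    """Queries per source address for one zone: the same table the post's
    baddnsqueries-srcs script builds, computed in a single pass."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and zone_of(rec["qname"], depth) == zone:
            counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for zone, s in sorted(summary.items()):
        print(f"{zone:16} queries={s['queries']:<4} sources={s['sources']:<4} qnames={s['qnames']}")
    for zone in suspicious_zones(summary):
        print(f"random-subdomain flood suspected against {zone}")
        for src, n in sorted(per_source(SAMPLE_LINES, zone).items(), key=lambda kv: -kv[1])[:5]:
            print(f"  {src} {n}")
```

On the sample data the 9aq.com zone scores five queries, five sources and five qnames, so it is flagged, while example.com (six queries, three sources, two qnames) is not. The ratios are the point: a busy but legitimate zone has far more queries than distinct names or clients, whereas a spoofed random-label flood pushes both ratios toward 1.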
More information about the NANOG mailing list