DNS Activity - Strange or Not?

From: Morgan (morgan42@tcia.net)
Date: 03/14/02


From: "Morgan" <morgan42@tcia.net>
Date: Wed, 13 Mar 2002 21:42:59 -0500

A few days ago, my 512k connection went to pot & I've been keeping an
eye on things trying to figure out where all my bandwidth went. Running
tcpdump on the external interface on my Red Hat 7 firewall, I'm seeing a
lot of the following:

22:26:40.884808 < g.gtld-servers.net.domain > mydomain.1099: 28086- 0/3/2 (129)
22:26:40.885299 > mydomain.1099 > avro.gnat-aliases.packetworks.net.domain: 20949 A? ns.packetworks.net. (36)
22:26:40.932307 < avro.gnat-aliases.packetworks.net.domain > mydomain.1099: 20949* 2/2/1 CNAME packetworks.net., A ns1.packetworks.net (121) (DF)
22:26:41.002053 > mydomain.1099 > 209.244.203.5.domain: 28500 PTR? 16.217.202.198.in-addr.arpa. (45)
22:26:41.028018 < gige7-0.hsipaccess1.Washington1.Level3.net > mydomain: icmp: host 209.244.203.5 unreachable
22:26:41.029412 < outgoing3.securityfocus.com.34090 > mydomain.smtp: R 4081674031:4081674031(0) win 0 (DF)
22:26:41.032118 < phobia.xenitec.on.ca.domain > mydomain.1099: 30490* 0/1/0 (74) (DF)
22:26:41.033517 < outgoing3.securityfocus.com.34090 > mydomain.smtp: R 4081674032:4081674032(0) win 0 (DF)
22:26:41.034811 > mydomain.1099 > enigma.xenitec.on.ca.domain: 37159 A? xenitec.on.ca. (31)
22:26:41.144461 < enigma.xenitec.on.ca.domain > mydomain.1099: 37159* 1/6/5 A xenitec.xenitec.on.ca (282) (DF)
22:26:41.147635 > mydomain.1099 > c7ns1.center7.com.domain: 11415 AAAA? caldera.com. (29)
22:26:41.223018 < c7ns1.center7.com.domain > mydomain.1099: 11415* 0/1/0 (88) (DF)
22:26:41.224094 > mydomain.1099 > phoenix.ut.caldera.com.domain: 42865 A? caldera.com. (29)
22:26:43.002058 > mydomain.1099 > bengi-w.exodus.net.domain: 37475 PTR? 10.221.1.209.in-addr.arpa. (43)
22:26:43.201845 < bengi-w.exodus.net.domain > mydomain.1099: 37475* 1/3/3 PTR bengi-w.exodus.net. (191) (DF)
22:26:43.205994 > mydomain.1099 > d3.NSTLD.COM.domain: 64893 PTR? 50.7.79.206.in-addr.arpa. (42)
22:26:43.231584 < d3.NSTLD.COM.domain > mydomain.1099: 64893- 0/4/0 (132)
22:26:43.232158 > mydomain.1099 > 209.1.222.246.domain: 62604 PTR? 50.7.79.206.in-addr.arpa. (42)
22:26:43.365143 < 209.1.222.246.domain > mydomain.1099: 62604*- 1/4/4 PTR ns.nj.exodus.net. (216) (DF)
22:26:43.366969 > mydomain.1099 > d3.NSTLD.COM.domain: 22823 PTR? 70.108.33.216.in-addr.arpa. (44)
22:26:43.393067 < d3.NSTLD.COM.domain > mydomain.1099: 22823- 0/4/0 (134)
22:26:43.393617 > mydomain.1099 > 209.1.222.246.domain: 26606 PTR? 70.108.33.216.in-addr.arpa. (44)
22:26:44.002075 > mydomain.1099 > ns.europe.yahoo.com.domain: 42581 PTR? 104.4.12.217.in-addr.arpa. (43)
22:26:44.115041 < ns.europe.yahoo.com.domain > mydomain.1099: 42581*- 1/5/5 PTR ns3.yahoo.com. (236)
22:26:45.002059 > mydomain.1099 > 216.250.130.5.domain: 42865 A? caldera.com. (29)
22:26:45.002135 > mydomain.1099 > 198.202.217.16.domain: 50451 PTR? 5.112.138.206.in-addr.arpa. (44)
22:26:46.226505 > mydomain.62304 > ns1.naxs.com.domain: 43327+ A? caldera.com. (29) (DF)
22:26:46.242477 < ns1.naxs.com.domain > mydomain.62304: 43327 1/3/3 A c7pub-216-250-140-125.center7.com (171) (DF)
22:26:47.002067 > mydomain.1099 > 209.1.222.244.domain: 26606 PTR? 70.108.33.216.in-addr.arpa. (44)
22:26:47.156040 < 209.1.222.244.domain > mydomain.1099: 26606*- 1/4/4 PTR bengi-e.exodus.net. (220) (DF)
22:26:47.163844 > mydomain.1099 > ns2.nsiregistry.net.domain: 4436 PTR? 4.0.41.198.in-addr.arpa. (41)
22:26:47.190190 < ns2.nsiregistry.net.domain > mydomain.1099: 4436*- 1/4/4 PTR a.root-servers.net. (241)
22:26:47.196860 > mydomain.1099 > d3.NSTLD.COM.domain: 19472 PTR? 5.130.250.216.in-addr.arpa. (44)
22:26:47.222233 < d3.NSTLD.COM.domain > mydomain.1099: 19472- 0/4/0 (140)
22:26:47.222928 > mydomain.1099 > g.gtld-servers.net.domain: 26589 A? NS1.CANOPY.COM. (32)
22:26:47.223041 > mydomain.1099 > c7ns2.center7.com.domain: 18676 PTR? 5.130.250.216.in-addr.arpa. (44)
22:26:47.323890 < g.gtld-servers.net.domain > mydomain.1099: 26589- 1/2/2 A ns1.Canopy.Com (133)
22:26:48.002058 > mydomain.1099 > 206.138.112.5.domain: 1001 PTR? 20.112.138.206.in-addr.arpa. (45)
22:26:49.002053 > mydomain.1099 > c7ns1.center7.com.domain: 42865 A? caldera.com. (29)

And when I say a lot, I do mean a >lot< (as in scrolling down the
terminal nearly as fast as it can go in spurts). I do run a DNS server
on that box; it's BIND version 8.3.1. I'm the only one on my LAN, so I
alone don't generate a lot of traffic (and I shouldn't generate a lot of
DNS lookups either). Hardly any of the domains I see listed in the
tcpdump output from my box are domains that I have any traffic going
to - another scary thing is that a lot of them seem to be .mil & .gov
TLDs.

Does anyone have any idea what may be the problem? I was afraid that I
may have been rooted, but I run a tight firewall - Snort runs all the
time & has never picked up anything. chkrootkit shows no problems. I
thought someone might be trying to relay mail through my mail server,
but since you can't relay through my server that's not it (besides,
the mailq stays empty except when I send mail). Is this a denial of
service attack of some sort? I'm really not versed on what sort of DNS
traffic I should be seeing - I realize it's normal to see things like
lame servers from time to time, but I think what I'm seeing here is out
of the ordinary (seeing as I don't think I'm generating any of the
traffic). I've also checked the other boxes on my LAN for rootkits /
viruses and have found nothing yet.

My 512k connection has gone down to averaging less than 1k/sec
throughput, to give you some idea of how this is affecting me. When I
shut down named on that box, speed seems to go back to normal... Any
ideas if this is a problem on my end, or am I simply being paranoid?

Thanks.
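One way to read a capture like the one in the post, as an added example that is not part of the original message and not BIND's or tcpdump's own code: a small Python parser for tcpdump 3.x DNS one-liners that splits the firewall's outbound queries by local source port and by whether the recursion-desired bit (shown by tcpdump as a `+` after the query id) is set, and lists queries that never got a reply. The sample lines are copied from the post above with the mailing-list line wraps rejoined; `mydomain` is the poster's own placeholder for the firewall's hostname. The tcpdump notation assumed is the one the post shows (`<`/`>` after the timestamp for interface direction, `*` on a reply for AA, `-` for RA clear).

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the post with the mailing-list line
# wraps rejoined.  tcpdump 3.x notation assumed: "<"/">" after the timestamp
# is the interface direction, "+" after a query id means RD set, "*" on a
# reply means AA, "-" means RA clear.  "mydomain" is the poster's placeholder.
SAMPLE = """\
22:26:40.884808 < g.gtld-servers.net.domain > mydomain.1099: 28086- 0/3/2 (129)
22:26:40.885299 > mydomain.1099 > avro.gnat-aliases.packetworks.net.domain: 20949 A? ns.packetworks.net. (36)
22:26:40.932307 < avro.gnat-aliases.packetworks.net.domain > mydomain.1099: 20949* 2/2/1 CNAME packetworks.net., A ns1.packetworks.net (121) (DF)
22:26:41.002053 > mydomain.1099 > 209.244.203.5.domain: 28500 PTR? 16.217.202.198.in-addr.arpa. (45)
22:26:41.028018 < gige7-0.hsipaccess1.Washington1.Level3.net > mydomain: icmp: host 209.244.203.5 unreachable
22:26:41.029412 < outgoing3.securityfocus.com.34090 > mydomain.smtp: R 4081674031:4081674031(0) win 0 (DF)
22:26:41.147635 > mydomain.1099 > c7ns1.center7.com.domain: 11415 AAAA? caldera.com. (29)
22:26:41.223018 < c7ns1.center7.com.domain > mydomain.1099: 11415* 0/1/0 (88) (DF)
22:26:43.205994 > mydomain.1099 > d3.NSTLD.COM.domain: 64893 PTR? 50.7.79.206.in-addr.arpa. (42)
22:26:43.231584 < d3.NSTLD.COM.domain > mydomain.1099: 64893- 0/4/0 (132)
22:26:46.226505 > mydomain.62304 > ns1.naxs.com.domain: 43327+ A? caldera.com. (29) (DF)
22:26:46.242477 < ns1.naxs.com.domain > mydomain.62304: 43327 1/3/3 A c7pub-216-250-140-125.center7.com (171) (DF)
22:26:47.222928 > mydomain.1099 > g.gtld-servers.net.domain: 26589 A? NS1.CANOPY.COM. (32)
22:26:47.323890 < g.gtld-servers.net.domain > mydomain.1099: 26589- 1/2/2 A ns1.Canopy.Com (133)
"""

# "ts dir src > dst: id[flags] body"; icmp and tcp lines have no numeric id and fail here.
LINE = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<dir>[<>]) (?P<src>\S+) > (?P<dst>\S+): '
                  r'(?P<id>\d+)(?P<flags>[+*|$-]*) (?P<body>.*)$')
QUERY = re.compile(r'^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)')   # "A? name. (len)"
REPLY = re.compile(r'^(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)')             # "answers/authority/additional"


def split_port(name):
    """'mydomain.1099' -> ('mydomain', '1099'); '209.244.203.5.domain' -> ('209.244.203.5', 'domain')."""
    host, _, port = name.rpartition('.')
    return (host, port) if host else (name, None)


def parse_tcpdump(text):
    """Parse DNS one-liners into dicts; icmp, tcp and otherwise unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport = split_port(m['src'])
        dst, dport = split_port(m['dst'])
        rec = {'ts': m['ts'], 'dir': m['dir'], 'id': int(m['id']), 'flags': m['flags'],
               'src': src, 'sport': sport, 'dst': dst, 'dport': dport}
        q, r = QUERY.match(m['body']), REPLY.match(m['body'])
        if q:
            rec.update(kind='query', qtype=q['qtype'], qname=q['qname'], rd='+' in m['flags'])
        elif r:
            rec.update(kind='reply', answers=int(r['an']), aa='*' in m['flags'])
        else:
            continue
        records.append(rec)
    return records


def outbound_profile(records, local='mydomain'):
    """Group the local host's outbound queries by source port.

    A nameserver resolving iteratively on its own behalf asks many different
    authoritative servers from one fixed query-source port with RD clear; a stub
    resolver asks one or two forwarders from an ephemeral port with RD set.
    """
    prof = defaultdict(lambda: {'queries': 0, 'rd': 0, 'qtypes': Counter(), 'servers': set()})
    for r in records:
        if r['kind'] == 'query' and r['dir'] == '>' and r['src'] == local:
            p = prof[r['sport']]
            p['queries'] += 1
            p['rd'] += r['rd']
            p['qtypes'][r['qtype']] += 1
            p['servers'].add(r['dst'])
    return dict(prof)


def classify_ports(profile):
    """'iterative' when no query from that port asked for recursion, otherwise 'stub'."""
    return {port: ('stub' if p['rd'] else 'iterative') for port, p in profile.items()}


def unanswered(records):
    """Outbound queries with no reply carrying the same id back to the same local port."""
    seen = {(r['id'], r['dport']) for r in records if r['kind'] == 'reply'}
    return [r for r in records if r['kind'] == 'query' and r['dir'] == '>'
            and (r['id'], r['sport']) not in seen]


if __name__ == '__main__':
    recs = parse_tcpdump(SAMPLE)
    prof = outbound_profile(recs)
    for port, kind in classify_ports(prof).items():
        p = prof[port]
        print(f"port {port}: {kind}, {p['queries']} queries to {len(p['servers'])} servers, "
              f"types {dict(p['qtypes'])}")
    for r in unanswered(recs):
        print(f"no reply: id {r['id']} {r['qtype']}? {r['qname']} -> {r['dst']}")
```

On these lines every query leaving port 1099 has RD clear and goes to a different authoritative server (g.gtld-servers.net, d3.NSTLD.COM, a center7.com server, and so on), which is the pattern of named walking the tree itself, while the one query from port 62304 has RD set and goes to a single server (ns1.naxs.com), which is the host's own stub resolver. The 28500 PTR query to 209.244.203.5 is flagged as unanswered; the ICMP host-unreachable that followed it in the capture is the reason. A practitioner reading a profile like this would next check who is sending named the recursive queries it is working on: in BIND 8 that means confirming `allow-recursion` (or `allow-query`) in the `options` block of named.conf is limited to the LAN, since the poster reports the traffic stops when named is stopped.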
