
My DNS server running RHEL 6.6 is actively sending unsolicited DNS responses to a couple of IPs. By unsolicited I mean that there is no incoming request from the external IP; the DNS server seems to want to talk to this external host for some reason on its own and I can't figure out why. Netstat shows the outbound connections tied to the named process. tcpdump confirms these are mostly outbound. They look like this (the hostnames at the end are what's in the actual tcpdump):

104115 5.888666   <DNS server source IP> <dest IP>   DNS 80 Standard query 0xfc38 A chhveu.x99moyu.net

There are tons of these: Here is another example:

104012 5.8884459  <DNS server source IP> <dest IP>  DNS 106 Standard query 0x688b MX 3636.3335.3338.3737.80h423333324d.host.com

Again, tons of these.

I have been able to get this under control by using iptables. However, the packet counters are increasing at a rapid pace, so I know the named service is still wanting to talk to this IP. Another strange thing I noticed is after putting the iptables rule in place: I blocked the IP using the INPUT chain first, and continued to see traffic. Then I added the IP to the OUTPUT chain, and the incoming requests seemed to immediately dry up, while the outbound requests keep adding up. So I fear the incoming requests were actually being produced by the outgoing requests. Here is what the packet counters look like in iptables:

Input Chain:

4   292 DROP       all  --  any    any     X.X.X.X/24     anywhere

Output chain:

41174 4514K DROP       all  --  any    any     anywhere   x.x.x.x/24

Could this system be compromised and if so, is there anything I can do to remediate it?

user53029
  • A query for an MX record is usually linked to mail handling. Does your server have an open relay? How are the email log files? – ThoriumBR Dec 14 '15 at 20:57
  • I will have to check. It should not be open. I still do not see how that would cause these requests to originate from the DNS server without an initial query incoming. My first example was also an A record response. – user53029 Dec 14 '15 at 21:07
  • If there's lots of mail messages waiting on queue, your mail server may be trying reverse lookups, and asking named about the IP addresses. It would explain a lot of DNS requests made by named. – ThoriumBR Dec 15 '15 at 00:07
  • I can see that. However I would expect to see queries for valid hostnames, not that gibberish I am seeing. A query for this - 3636.3335.3338.3737.80h423333324d.host.com does not look normal. Would you agree? – user53029 Dec 15 '15 at 15:21
  • It's pretty normal, actually. An `EHLO 3636.3335.3338.3737.80h423333324d.host.com` is a perfectly normal SMTP command... – ThoriumBR Dec 15 '15 at 21:21
  • These are DNS queries, not responses. Unless you're running a caching server, queries would not be sent as a result of receiving other queries, they're sent as a result of applications on the machine looking up names. – Barmar Dec 16 '15 at 07:08
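One way to triage such a capture from the defender's side, added here as an example that is not part of the question or any comment: it parses tshark-style summary lines like the two quoted above (sample lines and addresses are constructed), counts the queries the server itself sends per destination and record type, and flags digit-heavy names while leaving PTR/reverse lookups alone, since those are numeric by design (the mail-queue reverse lookups ThoriumBR mentions). The digit-ratio threshold is a crude heuristic assumed here, not a rule from the page.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the tshark lines in the question
# (frame no., time, src, dst, proto, length, info). Addresses are documentation
# ranges, not the asker's real hosts.
SAMPLE = """\
104115 5.888666 10.0.0.5 198.51.100.7 DNS 80 Standard query 0xfc38 A chhveu.x99moyu.net
104012 5.8884459 10.0.0.5 198.51.100.7 DNS 106 Standard query 0x688b MX 3636.3335.3338.3737.80h423333324d.host.com
104020 5.8901000 10.0.0.5 203.0.113.9 DNS 70 Standard query 0x1a2b A www.example.com
104021 5.8903000 10.0.0.5 198.51.100.7 DNS 72 Standard query 0x1a2c PTR 7.100.51.198.in-addr.arpa
104022 5.8905000 198.51.100.7 10.0.0.5 DNS 96 Standard query response 0x1a2c PTR 7.100.51.198.in-addr.arpa
"""

LINE_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+"
    r"Standard query(?P<resp> response)?\s+0x[0-9a-fA-F]+\s+(?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)"
)

def parse_line(line):
    """Return a dict for one tshark summary line, or None if it is not a DNS line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "response": m["resp"] is not None,
            "qtype": m["qtype"], "qname": m["qname"].rstrip(".")}

def digit_ratio(qname):
    """Share of digits in the labels below the registered domain (assumes a 2-label registered domain)."""
    body = "".join(qname.split(".")[:-2])
    return sum(c.isdigit() for c in body) / len(body) if body else 0.0

def triage(text, threshold=0.5):
    """Summarise outbound queries: volume per destination and type, plus digit-heavy names.
    Reverse lookups (PTR / *.arpa) are numeric by design and are never flagged."""
    by_dest, by_type, flagged = Counter(), Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["response"]:
            continue  # only the queries the server itself sends out
        by_dest[rec["dst"]] += 1
        by_type[rec["qtype"]] += 1
        if rec["qtype"] == "PTR" or rec["qname"].endswith(".arpa"):
            continue  # reverse lookups are legitimately all-numeric
        if digit_ratio(rec["qname"]) >= threshold:
            flagged.append(rec["qname"])
    return {"by_dest": by_dest, "by_type": by_type, "flagged": flagged}
```

Run `triage(open("capture.txt").read())` on a real `tshark -r` summary; a single destination dominating `by_dest` together with a long `flagged` list is the pattern worth chasing back to the local process that asked named for those names.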

0 Answers