5

I've used BIND for about ten years but am by no means an expert, at all. Having said that, I just wiped my VPS due to a cryptomining malware infection.

While I was getting BIND set back up I noticed that a domain (TLD) I do not own was coming up as being hosted by my IP address. Further inspection shows the A record for this domain points to my IP.

I can understand there would be nothing to prevent someone from setting an A record to point wherever. But is there nothing I can do to block this? It seems like this is probably something very basic that I'm just missing, but I'm having trouble troubleshooting it. Most of my searches have been fruitless.

Recursion is off.

Here's the options from named.conf

options {
    listen-on port 53       { any; };
    listen-on-v6 port 53    { any; };
    directory               "/var/named";
    dump-file               "/var/named/data/cache_dump.db";
    statistics-file         "/var/named/data/named_stats.txt";
    memstatistics-file      "/var/named/data/named_mem_stats.txt";
    allow-query             { any; };   // anyone may query the zones this server is authoritative for
    allow-transfer          { none; };  // no AXFR/IXFR zone transfers to anyone
    recursion               no;         // authoritative only: queries for other domains are refused, not resolved
    dnssec-enable           yes;
    dnssec-validation       yes;
    bindkeys-file           "/etc/named.iscdlv.key";
    managed-keys-directory  "/var/named/dynamic";
    pid-file                "/run/named/named.pid";
    session-keyfile         "/run/named/session.key";
};
matzhu
  • 51
  • 2
  • Are you saying there is a TLD pointing directly to your IP address? And what does that have to do with you running BIND? – kasperd Oct 23 '18 at 12:39
  • Would be curious as to why malware would point to your IP. Usually they only do that if they have some sort of Command and Control server setup from that IP (otherwise what's the point?). Might be something to look into... – Nixphoe Oct 23 '18 at 13:11
  • @kasperd I worded that wrong. There is a domain name (i.e. bad-domain.co) whose nameserver has an A record which points to my server IP. My hope was that there was a way BIND could handle this such as with something like an inverted zone file which would serve as a blacklisted domain. – matzhu Oct 23 '18 at 19:37
  • @matzhu Just pointing an A record for the domain to your IP doesn't cause any DNS lookups to be sent to you. – kasperd Oct 23 '18 at 20:05
  • 1
    @nixphoe A very salient point about the C&C server. I did find that it first appeared seven months ago. Maybe a C&C was the original purpose and they only recently switched to cryptomining. I noticed it when doing maintenance which was running slow, so I looked at 'uptime' which was a 6.x, I then opened 'top' and saw a php process hovering around 600%, which according to performance logs was only going on for a few days. I'm guessing it found its way in through a WordPress site but I only had so much time to investigate before wiping. – matzhu Oct 23 '18 at 20:09
  • @matzhu WordPress is always getting hacked, dang add-ons are the low-hanging fruit. I'd definitely make sure all of them are getting updated (or checked for updates) weekly. Perhaps check the same process to make sure it hasn't reoccurred. Great work finding it the first time! – Nixphoe Oct 23 '18 at 20:39

2 Answers

6

You can't change someone else's domain records.

However...

If the other domain is actually the domain responsible for serving malware, you can contact the abuse contact at their DNS provider and their domain registrar, if different, to report the domain as a malware source (and include evidence thereof). These providers may then be able to do something, such as temporarily or permanently suspending the domain.

You can also attempt to get a new IP address from your own service provider.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
  • I had considered that, but due to already having been targeted it would be hard to be anonymous even if the submission were anonymous. That is to say I don't want to draw any attention from this creep. Thanks for the quick answer. And changing the IP is also good advice I'll resort to if nothing else. – matzhu Oct 23 '18 at 19:21
  • 1
    There's no way they would reasonably know or even suspect that you reported them, or that anyone did. – Michael Hampton Oct 23 '18 at 19:33
  • I have to respectfully disagree. It's already a 1-to-1 relationship with their domain and my IP. If their malware suddenly stops working and then a few days later the affected domain is suspended, I don't think it's much of a leap in discovery. I removed a WordPress site and another with open source code, but if they found their way in another way I'd rather not have my domains retargeted. I'm not as concerned with my personal identity if that's what you meant, but even that is a concern as my domains have not always had private listings and DNS history reports are available for purchase. – matzhu Oct 23 '18 at 20:36
3

There are two things to consider:

  1. Someone has an A record pointing to your IP address — there is nothing you can do about that.
  2. This A record in itself is not a problem. Problems (might) begin when this A record is used to send traffic towards your host — do you have an idea what kind of traffic it is? For example, if it's mostly HTTP(S) traffic you could modify your default website to provide an explanation of the incorrect DNS record to end users that might end up on your website due to the incorrect A record.

You can also analyze the source IP addresses and block them if they come from a country you do not do business with. But I'm never a fan of blocking IP addresses or address ranges.

Tommiie
  • 5,547
  • 2
  • 11
  • 45
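The second answer's first question ("do you have an idea what kind of traffic it is?") is the one worth answering before deciding on an explanation page or on blocking. If the stray traffic is HTTP(S), the web server already records the Host header the client asked for, so the log tells you which requests arrived via the foreign A record and from which sources. The script below is an added example, not code from the question or either answer. It assumes an nginx/Apache "combined" log line with the requested Host appended as one extra quoted field (an nginx log_format ending in '"$host"' produces this); the log lines, the IP addresses and the host names example.org and bad-domain.co are constructed for the example, and OUR_HOSTS is a hypothetical list of the names you actually serve.

```python
"""Split web-server requests by Host header so traffic arriving under a
domain you do not own (someone else's A record -> your IP) can be inspected
separately from your own sites. Added example; see lead-in for assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample log: combined format plus a trailing quoted "$host" field.
# example.org is "ours"; bad-domain.co is the stray domain pointed at our IP.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2018:12:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "example.org"
198.51.100.7 - - [23/Oct/2018:12:01:05 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.19" "bad-domain.co"
198.51.100.7 - - [23/Oct/2018:12:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "python-requests/2.19" "bad-domain.co"
203.0.113.9 - - [23/Oct/2018:12:02:10 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "example.org"
192.0.2.44 - - [23/Oct/2018:12:03:00 +0000] "GET /gate.php?id=1 HTTP/1.1" 404 162 "-" "-" "bad-domain.co"
192.0.2.44 - - [23/Oct/2018:12:03:30 +0000] "GET /gate.php?id=1 HTTP/1.1" 404 162 "-" "-" "bad-domain.co"
"""

# Hypothetical: the host names this server is actually meant to serve.
OUR_HOSTS = {"example.org"}

# combined format + one trailing quoted host field (layout assumed, see lead-in)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text, our_hosts=OUR_HOSTS):
    """Count requests per Host, and for Hosts we do not serve break them down
    by (client IP, method, path) so the nature of the stray traffic is visible."""
    by_host = Counter()
    stray = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        host = rec["host"].lower()
        by_host[host] += 1
        if host not in our_hosts:
            stray[host][(rec["ip"], rec["method"], rec["path"])] += 1
    return by_host, stray


def stray_source_ips(log_text, our_hosts=OUR_HOSTS):
    """Client IPs that only ever asked for a Host we do not serve. These are the
    sources the second answer suggests analysing (and possibly blocking)."""
    seen_ours, seen_stray = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = seen_ours if rec["host"].lower() in our_hosts else seen_stray
        target.add(rec["ip"])
    return seen_stray - seen_ours


if __name__ == "__main__":
    by_host, stray = summarize(SAMPLE_LOG)
    for host, n in by_host.most_common():
        print(f"{n:5d}  {host}")
    for host, reqs in stray.items():
        print(f"\nrequests for unowned host {host}:")
        for (ip, method, path), n in reqs.most_common():
            print(f"  {n:3d}  {ip:15s} {method} {path}")
    print("\nIPs seen only under unowned hosts:", sorted(stray_source_ips(SAMPLE_LOG)))
```

Run against the real access log instead of SAMPLE_LOG, the per-host split shows whether the stray name carries browsers (where the explanation page the answer suggests is useful) or automated check-ins like the repeated gate.php requests in the sample (where it is not, and the source list is what matters). If you do add an explanation page, serve it from the web server's default or catch-all virtual host so it only appears for Host names you have not configured; your own sites keep answering normally.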