Thread: /A/IN, /TXT/IN server queries

  1. #1
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    5

    /A/IN, /TXT/IN server queries

    Hi guys,

    For a few weeks now my server has been notifying me of around a hundred denied queries per day, of the form:

    Code:
    client 99.999.99.99 query (cache) 'www.someserver.com/A/IN' denied: 1 Time(s)
    Originating IPs, here portrayed as 99.999.99.99, are always two - which makes me believe it is either a script kiddie or an owned machine.

    On a given day, each query has a different www.someserver.com address, so there are around 100 different addresses each day. Some addresses are repeated in different days. It is never the address of my server - although if you can help me, you probably already knew this.

    I do not know what these queries are for, what threat they could represent to me (if any), nor what countermeasures to take. I could block the originating IPs, but I do not want to do this until I know what to do afterwards - that is, until I understand what is going on.

    My experience has always been in local networks, and I can't find anything good in Google. Can anyone give me clues, info, or point me in the right direction?

  2. #2
    Member ColForbin
    Join Date
    Jan 2010
    Posts
    93

    Re: /A/IN, /TXT/IN server queries

    Don't know if this will help you out or not, but google:
    Code:
    client 99.999.99.99 query (cache) 'www.someserver.com/A/IN' denied: 1 Time(s)
    Reading through some of the results will lead you here:
    Code:
    http :// www. dshield .org/diary.html?storyid=5713
    You may be experiencing the same situation here. Reading through some of the other results will show you how to edit your /etc/named.conf file, in order to circumvent this problem. From there, you could do some whois lookups on the offending IP addresses, in order to either alert their owners or submit abuse tickets to the corresponding ISPs.
    "Whatever happened to playing a hunch, Scully? The element of surprise, random acts of unpredictability? If we fail to anticipate the unforeseen or expect the unexpected in a universe of infinite possibilities, we may find ourselves at the mercy of anyone or anything that cannot be programmed, categorized or easily referenced."

  3. #3
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Re: /A/IN, /TXT/IN server queries

    It could be a cache attack: if they can find out your default DNS server (gateway, ISP, root hints), then just by guessing the port and transaction ID they can update the cache, i.e. google.com = attacker.

  4. #4
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    5

    Re: /A/IN, /TXT/IN server queries

    Originating machines seem to be part of an uninteresting Italian official administration office, miles and borders away from where I live. I tested blocking the originating IPs, and so far so good (10 days).

    It could very well be what ColForbin pointed out, though I have no interest in notifying that office that they might have been under attack - the Italian government is behaving in a very similar way to mine, contrary to the people's general interest.

    Compaq's suggestion could also be the point, as a different type of attack, from a different source (icpbounce.com), started two days ago. This attack is trying to use me as a spam server. A spam company targeting specifically my server seems unlikely.

    Taking into account that I haven't had any problems during the last months, what I believe to be most likely is that my server entered some spam / 'to be abused' list, and is now automatically probed. Feel free to deem my conclusions silly.

    Thanks for your replies guys!
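
The following Python, added here as an example and not taken from any post in the thread, tallies `query (cache) ... denied` lines per client so that a source cycling through many unrelated names stands out from an occasional stray lookup. The sample lines, the documentation-range IPs and the `min_names` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Accepts the logwatch summary form quoted in the thread and the raw named
# form ("client 192.0.2.10#53124: query (cache) '...' denied").
DENIED = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+?)(?:#\d+)?(?: \([^)]*\))?:? query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
    r"(?::\s*(?P<count>\d+) Time\(s\))?"
)

def summarize(lines):
    """Return {client_ip: {"total": int, "names": set, "types": set}}."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "types": set()})
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not a denied cache query
        s = stats[m["ip"]]
        s["total"] += int(m["count"] or 1)  # raw log lines carry no count
        s["names"].add(m["name"].lower().rstrip("."))
        s["types"].add(m["qtype"])
    return dict(stats)

def flag_probers(stats, min_names=3):
    """Clients that were denied for at least min_names distinct names."""
    flagged = [(ip, s["total"], len(s["names"]))
               for ip, s in stats.items() if len(s["names"]) >= min_names]
    return sorted(flagged, key=lambda t: -t[1])

# Constructed sample input (RFC 5737 addresses, example domains).
SAMPLE = [
    "client 192.0.2.10 query (cache) 'www.example.net/A/IN' denied: 1 Time(s)",
    "client 192.0.2.10 query (cache) 'mail.example.org/TXT/IN' denied: 2 Time(s)",
    "client 192.0.2.10 query (cache) 'ftp.example.com/A/IN' denied: 1 Time(s)",
    "client 198.51.100.7#40112: query (cache) 'www.example.net/A/IN' denied",
    "client 203.0.113.5 query (cache) 'host.example.com/A/IN' denied: 4 Time(s)",
    "unrelated line that the parser must skip",
]

if __name__ == "__main__":
    for ip, total, names in flag_probers(summarize(SAMPLE)):
        print(f"{ip}: {total} denied queries for {names} distinct names")
```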
