/A/IN, /TXT/IN server queries

[madmanu]

Hi guys,

For a few weeks now my server is notifying me with around a hundred per day denied queries of the form:

Code:

client 99.999.99.99 query (cache) 'www.someserver.com/A/IN' denied: 1 Time(s)

Originating IPs, here portrayed as 99.999.99.99, are always two - which makes me believe it is either a script kiddie or an owned machine.

On a given day, each query has a different www.someserver.com address, so there are around 100 different addresses each day. Some addresses are repeated in different days. It is never the address of my server - although if you can help me, you probably already knew this.

I do not know what are these queries for, what threat could they represent to me (if any), nor what countermeasures to take. I could block the originating IPs, but I do not want to do this until I know what to do afterwards - that is, until I understand what is going on.

My experience has always been in local networks, and I can't find anything good in Google. Can anyone give me clues, info, or point me in the right direction?

[ColForbin]

Don't know if this will help you out or not, but google:

Code:

client 99.999.99.99 query (cache) 'www.someserver.com/A/IN' denied: 1 Time(s)

Reading through some of the results will lead you here:

Code:

http :// www. dshield .org/diary.html?storyid=5713

You may be experiencing the same situation here. Reading through some of the other results, will show you how to edit your /etc/named.conf file, in order to circumvent this problem. From there, you could do some whois lookups on the offending IP addresses, in order to either alert their owners or submit abuse tickets to corresponding ISPs.

[compaq]

It could be a cache attack, if they can find out your default dns sever (gateway,isp,roots hints), then just guessing the port and transaction id they can update the cache, ie google.com = attacker

[madmanu]

Originating machines seem to be part of an uninteresting Italian official administration office, miles and borders away from where I live. I tested blocking the originating IPs, and so far so good (10 days).

It could very well be what ColForbin pointed out, though I have no interest in notifying that office they might have been under an attack - Italian government is behaving in a very similar way to mine, contrary to the people's general interest.

Compaq's suggestion could also be the point, as a different type of attack, from a different source (icpbounce.com), started two days ago. This attack is trying to use me as a spam server. A spam company targeting specifically my server seems unlikely.

Taking into account that I haven't had any problems during last months, what I believe to be most likely is that my server entered some spam / 'to be abused' list, and now is automatically probed. Feel free to deem my conclusions silly.

Thanks for your replies guys!