[Snort-users] DNS server keeps communicating with Darkprofits.net and darkprofits.com

Ben Nelson venom at ...10344...
Tue Feb 3 07:56:04 EST 2004


Marlon.Richards at ...11130... wrote:
> 
> Hi guys. I know this is the SNORT mailing list but I am just wondering
> if I could get some help here. 
You're right, you'd be better off asking this on a security mailing 
list, or better yet...on the BIND mailing list.

> I found that my DNS server is being asked to
> make numerous resolutions of darkprofits.com and darkprofits.net. None of
> my internal clients are making these requests. My Sniffer shows me that the
> requests are being made from outside my network and that my DNS server is
> making a request for this domain to external hosts. Does anyone know where
> this may be coming from and how to stop it?
> 
You probably shouldn't be allowing recursive DNS queries from hosts that 
you don't control.....just good security best practice.  Allow your 
internal clients the ability to do recursive queries and keep external 
hosts' queries limited to domains that you are authoritative for.  You 
can do this in BIND with the 'allow-recursion' option.  Example:

If your network is 192.168.123.0/24

In your named.conf file, put something like:
acl recursive-clients{ 192.168.123.0/24; };
options {
     allow-recursion{ recursive-clients; };
};

That oughta' keep external folks from abusing your nameserver.

--Ben
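
One way to confirm the effect of the allow-recursion change, as an added example that is not part of the original post: send a recursion-desired query from a host outside the ACL and read the RA (recursion available) bit and RCODE in the reply header. The function names and the sample headers are constructed for illustration; probe() is meant to be pointed at your own server with a name it is not authoritative for.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build an A/IN query for `name` with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(data):
    """Return (verdict, rcode) from a DNS response header (RFC 1035 4.1.1)."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", data[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    # RA (0x0080) says whether the server offers recursion to this client.
    verdict = "recursion-allowed" if flags & 0x0080 else "recursion-denied"
    return verdict, RCODES.get(rcode, str(rcode))

def probe(server, name, timeout=3.0):
    """Send one UDP query to `server` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return classify_response(data)

# Constructed sample headers (not captured traffic):
SAMPLE_DENIED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR+RD, REFUSED
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)    # QR+RD+RA, NOERROR

if __name__ == "__main__":
    for label, msg in (("denied", SAMPLE_DENIED), ("open", SAMPLE_OPEN)):
        print(label, classify_response(msg))
```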