These hosts attempt to query zones on your DNS servers that you are not authoritative for. Such activity has no legitimate use; it is usually probing for vulnerable (open) DNS servers to abuse in DNS relay DDoS attacks, and it also triggers assorted IDS warnings that will annoy you.
Out of the box, named(8) does not log these queries.
Adding the following to /etc/named.conf

logging { category "queries" { "default_syslog"; "default_debug"; }; };

makes named log every query, so the probes show up in syslog like this (the "query (cache) denied" line is the refused recursion):

Apr 11 18:55:39 sha named[22774]: client 63.245.209.126#31682: query: . IN A
Apr 11 18:55:39 sha named[22774]: client 63.245.209.126#31682: query (cache) denied
If your server does not deny these, reconfigure it now! Otherwise DNS relay DDoS attacks will be launched from your server.
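To turn log lines like the two above into a per-client summary and into DROP rules of the form used by the script below, here is an added example (not from the original page): a small Python script run over constructed named(8) log lines in RFC 5737 documentation address ranges. The probe labels and the denial threshold are my own choices.

```python
"""Summarise named(8) query/denial log lines of the kind shown above and
emit iptables(8) DROP rules in the style of the script on this page."""
import re
from collections import defaultdict

_CLIENT = r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+)"
# "query: <qname> <class> <type>" comes from the "queries" logging category
QUERY_RE = re.compile(_CLIENT + r": query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")
# "query (cache) denied": recursion refused for a zone this server does not serve
DENIED_RE = re.compile(_CLIENT + r": query \(cache\) denied")

# Constructed sample in the page's log format; RFC 5737 documentation
# addresses stand in for real clients.
SAMPLE_LOG = """\
Apr 11 18:55:39 sha named[22774]: client 192.0.2.10#31682: query: . IN A
Apr 11 18:55:39 sha named[22774]: client 192.0.2.10#31682: query (cache) denied
Apr 11 18:56:02 sha named[22774]: client 192.0.2.10#31690: query: . IN NS
Apr 11 18:56:02 sha named[22774]: client 192.0.2.10#31690: query (cache) denied
Apr 11 18:57:11 sha named[22774]: client 198.51.100.7#5353: query: VERSION.BIND CH TXT
Apr 11 18:58:40 sha named[22774]: client 203.0.113.5#40001: query: www.google.com IN A
Apr 11 18:58:40 sha named[22774]: client 203.0.113.5#40001: query (cache) denied
Apr 11 18:59:00 sha named[22774]: client 203.0.113.9#40002: query: www.example.net IN A
""".splitlines()

# Labels that on their own mark a client as a prober (names chosen for this example)
PROBE_LABELS = ("root-probe", "version-fingerprint", "zone-transfer")


def label(qname, qclass, qtype):
    """Classify one query into the probe patterns this page lists."""
    if qname == ".":
        return "root-probe"                # ". IN A/NS": open-resolver check
    if qclass.upper() == "CH" and qname.upper() in ("VERSION.BIND", "HOSTNAME.BIND"):
        return "version-fingerprint"       # CH TXT server-version scan
    if qtype.upper() == "AXFR":
        return "zone-transfer"
    return "other"


def summarise(lines):
    """Per client: number of queries, number of denials, sorted probe labels."""
    stats = defaultdict(lambda: {"queries": 0, "denied": 0, "labels": set()})
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            stats[m["ip"]]["queries"] += 1
            stats[m["ip"]]["labels"].add(label(m["qname"], m["qclass"], m["qtype"]))
            continue
        m = DENIED_RE.search(line)
        if m:
            stats[m["ip"]]["denied"] += 1
    return {ip: {**s, "labels": sorted(s["labels"])} for ip, s in stats.items()}


def offenders(lines, min_denied=2):
    """Clients with at least min_denied refused queries, or any explicit probe."""
    return {
        ip: s for ip, s in summarise(lines).items()
        if s["denied"] >= min_denied or any(lbl in PROBE_LABELS for lbl in s["labels"])
    }


def iptables_rules(clients, iface="eth0", proto="udp"):
    """One DROP rule per client, in the same form the page's script uses."""
    return [f"iptables -A INPUT -p {proto} -i {iface} -s {ip} --dport 53 -j DROP"
            for ip in sorted(clients)]


if __name__ == "__main__":
    found = offenders(SAMPLE_LOG)
    for ip, s in sorted(found.items()):
        print(f"{ip}: {s['denied']} denied / {s['queries']} queries, {', '.join(s['labels'])}")
    print("\n".join(iptables_rules(found)))
```

A single refused lookup of a foreign name stays below the default threshold, so run with min_denied=1 if, like the author, you want to block on the first offence.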
The following is an excerpt from a Linux iptables(8) setup script; converting it to another firewall's rule syntax should be straightforward.
# Foreign DNS probes

## "Research activity"

# recursion-test.cymru.com
iptables -A INPUT -p udp -i eth0 -s 38.229.0.10 --dport 53 -j DROP

# Probe once a year in search of open resolvers
# aAAAAAAAAApPPPPPiIIIII.dYYYYmmddHHMMSSNNNNN.tNNNN.dnsresearch.cymru.com
# AAAAAAAAA is the probed IP address as uint32
# YYYYmmdd in GMT+4
iptables -A INPUT -p udp -i eth0 -s 38.229.1.72/31 --dport 53 -j DROP

# [192.172.226.155] dns-surveys-2.caida.org
# probes <cookie>.<cookie>.test1.openresolvers.org every week
iptables -A INPUT -p udp -i eth0 -s 192.172.226.155 --dport 53 -j DROP

## mass attack of "." queries 2009-01-07-
## [63.251.28.10] NYCGSLB1.fwmrm.net
## [63.251.28.11] NYCns1-ext1.fwmrm.net
## [74.217.66.10] SVLGSLB1.fwmrm.net
## [74.217.66.11] SVLns1-ext1.fwmrm.net
iptables -A INPUT -p udp -i eth0 -s 63.251.28.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.251.28.11 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 74.217.66.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 74.217.66.11 --dport 53 -j DROP

## "." probe at 10 min intervals 2010-06-08-
## [75.98.70.10] NJBGSLB1.fwmrm.net
## [75.98.70.11] NJBns1-ext1.fwmrm.net
iptables -A INPUT -p udp -i eth0 -s 75.98.70.10/31 --dport 53 -j DROP

# [209.200.168.66] for-scanning-research.info-please-browse-to.http.deluvian.doxpara.com
# attempts zone transfer, not only queries
iptables -A INPUT -p udp -i eth0 -s 209.200.168.66 --dport 53 -j DROP

# this.is.a.dns.study.gtisc.gatech.edu
iptables -A INPUT -p udp -i eth0 -s 143.215.130.36 --dport 53 -j DROP

# dnsstudy[123].cc.gt.atl.ga.us (continuous probe every 20 minutes)
iptables -A INPUT -p udp -i eth0 -s 143.215.129.43 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 143.215.129.102 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 143.215.129.200 --dport 53 -j DROP

# queries <cookie>.<cookie>.gtisc-dnsstudy.net once a day (wildcard *.gtisc-dnsstudy.net, gatech.edu) 2007/12/07-
iptables -A INPUT -p udp -i eth0 -s 143.215.143.13 --dport 53 -j DROP

# queries BASE64(<intsrc><ns><tgt><tstamp><cookie>/*32bytes*/).ports.dns-integrity-scan.com
# every 4-6 HOURS ([143.215.129.25] drudgeon4.cc.gt.atl.ga.us = ns1.dns-integrity-scan.com) 2008/07/12-
# Run by deluvian.doxpara.com
# WARNING: querying something.dns-integrity-scan.com will always return a CNAME including a unique cookie to track you
iptables -A INPUT -p udp -i eth0 -s 143.215.129.25 --dport 53 -j DROP

# [143.215.143.11] no PTR, *.gatech.edu 2008/07/21-
# queries www.google.com, www.live.com, www.gmail.com, www.msn.com, com, net, yadda yadda several times AN HOUR
iptables -A INPUT -p udp -i eth0 -s 143.215.143.9 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 143.215.143.11 --dport 53 -j DROP

# [128.194.135.212] dns-crawler.irl.cs.tamu.edu et al probing www.google.com 2008/03-
iptables -A INPUT -p udp -i eth0 -s 128.194.135.81 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 128.194.135.104 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 128.194.135.212 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 128.194.135.223 --dport 53 -j DROP

# [149.20.52.*] network-scanner-*-for-more-info-see.public.dns-oarc.net (isc.org)
# probes VERSION.BIND/CH every week
iptables -A INPUT -p udp -i eth0 -s 149.20.52.128/25 --dport 53 -j DROP

# [149.20.54.35] dns-surveyor.measurement-factory.com (isc.org)
# probes "localhost." "a.root-servers.net" "www.google.com" every week
iptables -A INPUT -p udp -i eth0 -s 149.20.54.35 --dport 53 -j DROP

# another [149.20.58.131] dns-surveyor.measurement-factory.com (isc.org) 2008/10/10-
iptables -A INPUT -p udp -i eth0 -s 149.20.58.131 --dport 53 -j DROP

# the whole [149.20.59.128]/25 seems to be dedicated to scanning HOSTNAME.BIND, VERSION.BIND CH TXT every week
# ex. [149.20.59.155] dns-surveyor-155.dns-oarc.net
iptables -A INPUT -p udp -i eth0 -s 149.20.59.128/25 --dport 53 -j DROP

# [149.20.56.10] dan-kaminsky.dns-security-scan.info-at-http.www.doxdns5.com 2008/07/30-
# probes "not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com"
# and massive numbers of likely-cached names EVERY 5 MINUTES
# WARNING: querying www.doxdns5.com will return a CNAME which tracks you!
# Resolves to [149.20.56.5]
iptables -A INPUT -p udp -i eth0 -s 149.20.56.10 --sport 10053 --dport 53 -j DROP

# [208.77.188.120] itar.iana.org (recursive.iana.org) probes iana.org and porttest.dns-oarc.net every week (2008/08/18-)
iptables -A INPUT -p udp -i eth0 -s 208.77.188.120 --dport 53 -j DROP

# queries qqqnnnnnnnnnn.xxxxxxxxxxxxxxx.dnsscan.de (Warning: includes Referer tracker!)
# [128.143.71.178] dnsns1.rst3n.de (dnsscan.de NS), dnsscan.cs.Virginia.EDU
# [128.143.71.179] dnsns2.rst3n.de (dnsscan.de NS), dnsscan2.cs.Virginia.EDU
iptables -A INPUT -p udp -i eth0 -s 128.143.71.178 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 128.143.71.179 --dport 53 -j DROP

## [149.20.54.35] dns-surveyor.measurement-factory.com
## probes for "<ns-node-name>.ns.<domain>" every 12 hours,
## probes "www.google.com" "localhost" "a.root-servers.net" every week
iptables -A INPUT -p udp -i eth0 -s 149.20.54.35 --dport 53 -j DROP

## RIPE zone transfer attempts every month from [193.0.0.63]
iptables -A INPUT -p udp -i eth0 -s 193.0.0.0/22 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 193.0.0.0/22 --dport 53 -j DROP

## "Security check" for themselves only

# infospace.com probe every 38 minutes
# Big Fat LART on postmaster@infospace.com, abuse@internap.com, abuse@savvis.net
# may work; YMMV
iptables -A INPUT -p udp -i eth0 -s 66.150.2.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.11 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.14 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.15 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.51 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.52 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 72.53.193.5 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 72.53.193.6 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.9 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.13 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.14 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.51 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.52 --dport 53 -j DROP

## nintendo.com probes your server for your server's own PTR at 100 minute intervals
## after you query *.nintendo.com
## "3DNS servers made by F5 Networks", improper configuration
## They don't follow subclassed PTR CNAMEs, which will in turn be denied as usual.
iptables -A INPUT -p udp -i eth0 -s 192.195.204.8 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 192.195.204.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.8 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.11 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.12 --dport 53 -j DROP

## nintendo.com 100 min interval root probe after querying *.nintendo.com 2010-07-28-
iptables -A INPUT -p udp -i eth0 -s 192.195.204.61 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 192.195.204.62 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 192.195.204.190 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.61 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.62 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.190 --dport 53 -j DROP

## attdns.com, back-querying a bogus PTR of the NS
## likely another F5 3DNS
iptables -A INPUT -p udp -i eth0 -s 144.160.112.12 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 144.160.128.139 --dport 53 -j DROP

## asus.com, asus.com.tw DNS server (dns3.asus.com) probe every 38 minutes
## asus.com, dns7.asus.com 213.61.92.192 h-213.61.92.192.host.de.colt.net probe every 38 minutes
iptables -A INPUT -p udp -i eth0 -s 211.72.249.201 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 213.61.92.192 --dport 53 -j DROP

## adobe.com (peer1.net) root probe every 30 secs 2010/1/6 18:56-
iptables -A INPUT -p udp -i eth0 -s 76.74.145.249 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.145.249 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 76.74.145.250 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.145.250 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 76.74.145.254 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.145.254 --dport 53 -j DROP

## adobe.com (peer1.net) root probe every 30 secs 2010/7/4 04:03-
#iptables -A INPUT -p tcp -i eth0 -s 76.74.170.243/28 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.243 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.244 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.247 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.248 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.249 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.250 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.251 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.252 --dport 53 -j DROP

## global citrix.com mass root probes 2012/01/24-
# [62.200.22.2] firewall.ctxuk.citrix.com (firewall-dmz1.ctxuk.citrix.com)
# [63.110.51.11] (no PTR)
# [66.165.176.60] host60.citrix.com
# [203.166.19.130] firewall.citrix.com.au
iptables -A INPUT -p udp -i eth0 -s 62.200.22.2 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.110.51.11 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.165.176.60 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 203.166.19.130 --dport 53 -j DROP

## usc.edu mass root probes 2012/01/25-
# [128.125.253.76] mail-mip-gw.usc.edu
# [208.99.184.201] (no PTR) (*.usc.edu)
iptables -A INPUT -p udp -i eth0 -s 128.125.253.76 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 208.99.184.201 --dport 53 -j DROP

## "load balancer" (generally won't work, as client and PTR holder usually aren't nearby)

# mirror-image.com
iptables -A INPUT -p udp -i eth0 -s 65.216.72.15 --sport 55555 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 64.191.208.15 --sport 55555 --dport 53 -j DROP
# ns1.instacontent.net
iptables -A INPUT -p udp -i eth0 -s 204.0.99.15 --sport 55555 --dport 53 -j DROP
# ns2.instacontent.net
# (will query back your nameserver for the queried entry)
iptables -A INPUT -p udp -i eth0 -s 209.107.94.15 --sport 55555 --dport 53 -j DROP
# ns3.instacontent.net, no PTR

# *.nl.mozilla.com. Probes by Citrix
iptables -A INPUT -p udp -i eth0 -s 63.245.209.126 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.101 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.102 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.124 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.126 --dport 53 -j DROP
# *.nl.mozilla.com. TCP scan on 53
iptables -A INPUT -p tcp -i eth0 -s 63.245.209.126 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.10 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.101 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.102 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.124 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.126 --dport 53 -j DROP

# Continuous root probe after querying *.revsci.net, *.lb-revsci.net 2008/08/06-
# [64.74.15.250] ns01.revsci.net (no PTR, NS of lb-revsci.net)
# [168.75.65.198] ns02.revsci.net (no PTR, NS of lb-revsci.net)
# [168.75.65.199] ns04.revsci.net (no PTR) root probe 2008/09/23-
# [168.75.65.203] (unknown, cluster member?)
# [168.75.65.204] (unknown, cluster member?)
# [209.249.141.45] ns03.revsci.net (ns01.revsci.net A mismatch, NS of lb-revsci.net)
# [209.249.141.181] (unknown, cluster member?)
# [209.249.141.182] (unknown, cluster member?)
# [38.96.134.230] ns04.revsci.net (no PTR, NS of lb-revsci.net)
iptables -A INPUT -p udp -i eth0 -s 64.74.15.250 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 168.75.65.198 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 168.75.65.199 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 168.75.65.199 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 168.75.65.203 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 168.75.65.204 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 209.249.141.45 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 209.249.141.181 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 209.249.141.182 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 38.96.134.230 --dport 53 -j DROP

# [80.67.64.10] fw01.cmbrmaks.akamai.com
# probes "nytimes.com" "www.nytimes.com" "cnn.com" several times a day 2008/12/04-
iptables -A INPUT -p udp -i eth0 -s 80.67.64.10 --dport 53 -j DROP

# [72.246.193.103] a72-246-193-103.deploy.akamaitechnologies.com 2009/03/10-
# [72.246.193.104] a72-246-193-104.deploy.akamaitechnologies.com 2009/03/07-
# mass queries for cnn.com, google.com et al, UDP only
iptables -A INPUT -p udp -i eth0 -s 72.246.193.103 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 72.246.193.104 --dport 53 -j DROP

# [91.220.84.234] *.ru probes "google.com" several times a day 2011/10/22~
iptables -A INPUT -p udp -i eth0 -s 91.220.84.234 --dport 53 -j DROP

## facebook.com unknown root probes 2009/04/13-
## they tend to juggle server addresses to evade filters
# [69.63.176.100] lb07b.01.sf2p.tfbnw.net
# [69.63.176.113] lb05a-v310.sf2p.tfbnw.net
# [69.63.176.224] 1.1.lb05a.05.sf2p.tfbnw.net
# [69.63.178.239] 1-1.lb03b.01.snc1.tfbnw.net
# [69.63.184.91]
# [69.63.184.124] 1-1.lb01a.ash1.tfbnw.net
# 2009/06/22-
# [69.63.176.81] securelb01a.sf2p.tfbnw.net
# [69.63.176.82] securelb01b.sf2p.tfbnw.net
# [69.63.176.99] lb07a.01.sf2p.tfbnw.net
# [69.63.176.114] lb05b-v310.sf2p.tfbnw.net
# [69.63.176.117] lb02b-v310.sf2p.tfbnw.net
# [69.63.176.122] lb03a-v310.sf2p.tfbnw.net
# [69.63.176.125] lb04a-v310.sf2p.tfbnw.net
# [69.63.176.126] lb04b-v310.sf2p.tfbnw.net
# [69.63.176.225] 1.1.lb05b.05.sf2p.tfbnw.net
# [69.63.176.227] 1.1.lb04a.05.sf2p.facebook.com
# [69.63.176.228] 1.1.lb04b.05.sf2p.facebook.com
# [69.63.176.252] 1-1.lb01a.05.sf2p.facebook.com
# [69.63.176.253] 1-1.lb01b.05.sf2p.facebook.com
# [69.63.178.110] 1-1.lb03a.01.snc1.tfbnw.net
# [69.63.178.111] 1-1.lb03b.01.snc1.tfbnw.net
# [69.63.178.113] 1-1.lb05a.01.snc1.tfbnw.net
# [69.63.178.114] 1-1.lb05b.01.snc1.tfbnw.net
# [69.63.178.159] 1-1.lb10a.01.snc1.tfbnw.net
# [69.63.178.213] 1-1.lb06a.01.snc1.tfbnw.net
# [69.63.178.214] 1-1.lb06b.01.snc1.tfbnw.net
# [69.63.178.224] 1-1.lb05a.01.snc1.tfbnw.net
# [69.63.178.227] 1-1.lb04a.01.snc1.tfbnw.net
# [69.63.178.228] 1-1.lb04b.01.snc1.tfbnw.net
# [69.63.178.242] 1-1.lb02b.01.snc1.tfbnw.net
# [69.63.178.253] 1-1.lb01b.01.snc1.tfbnw.net
# [69.63.179.22] glb01.snc1.tfbnw.net
# [69.63.179.29] intlb01a.snc1.tfbnw.net
# [69.63.179.30] intlb01b.snc1.tfbnw.net
# [69.63.179.124] securelb01a.08.snc1.tfbnw.net
# [69.63.179.125] securelb01b.08.snc1.tfbnw.net
# [69.63.180.203] lb11.07.snc1.tfbnw.net
# [69.63.180.212] lb10.07.snc1.tfbnw.net
# [69.63.180.227] 1-1.lb04a.07.snc1.tfbnw.net
# [69.63.180.228] 1-1.lb04b.07.snc1.tfbnw.net
# [69.63.180.238] 1-1.lb03a.07.snc1.tfbnw.net
# [69.63.180.239] 1-1.lb03b.07.snc1.tfbnw.net
# [69.63.180.241] 1-1.lb02a.07.snc1.tfbnw.net
# [69.63.180.242] 1-1.lb02b.07.snc1.tfbnw.net
# [69.63.181.203] lb11.01.snc2.tfbnw.net
# [69.63.181.212] lb10.01.snc2.tfbnw.net
# [69.63.181.215] lb12.01.snc2.tfbnw.net
# [69.63.181.226] lb13.01.snc2.tfbnw.net
# [69.63.181.252] lb01a.01.snc2.tfbnw.net
# [69.63.181.253] lb01b.01.snc2.tfbnw.net
# [69.63.182.124] (no PTR)
# [69.63.183.2] mlb01.03.snc3.tfbnw.net
# [69.63.183.34] mlb01.01.sjc1.tfbnw.net
# [69.63.183.82] mlb01.06.snc4.tfbnw.net
# [69.63.183.98] mlb01.04.snc5.tfbnw.net
# [69.63.183.114] mlb01.05.snc5.tfbnw.net
# [69.63.184.89] lb11.01.ash1.tfbnw.net
# [69.63.184.95] 1-1.lb05a.01.ash1.tfbnw.net
# [69.63.184.125] 1-1.lb01b.ash1.tfbnw.net
# [69.63.184.224] lb10.03.ash1.tfbnw.net
# [69.63.184.238] lb03a.03.ash1.tfbnw.net
# [69.63.184.241] lb02a.03.ash1.tfbnw.net
# [69.63.184.242] lb02b.03.ash1.tfbnw.net
# [69.63.185.13] 1-1.glb01a.ash1.tfbnw.net
# [69.63.185.14] 1-1.glb01b.ash1.tfbnw.net
# [69.63.185.29] (no PTR)
# [69.63.185.30]
# [69.63.186.201] lb11.06.ash1.tfbnw.net
# [69.63.186.212] lb10.06.ash1.tfbnw.net
# [69.63.186.213] lb12.06.ash1.tfbnw.net
# [69.63.186.224] lb13.06.ash1.tfbnw.net
# [69.63.186.227] 1-1.lb04a.06.ash1.tfbnw.net
# [69.63.186.228] 1-1.lb04b.06.ash1.tfbnw.net
# [69.63.186.238] 1-1.lb03a.06.ash1.tfbnw.net
# [69.63.186.239] 1-1.lb03b.06.ash1.tfbnw.net
# [69.63.186.241] 1-1.lb02a.06.ash1.tfbnw.net
# [69.63.187.203] lb11.08.ash1.tfbnw.net
# 2011/07/20-
# [69.63.189.228] lb16.01.ash2.tfbnw.net
# [69.63.189.229] lb15.01.ash2.tfbnw.net
# [69.63.189.230] lb14.01.ash2.tfbnw.net
# [69.63.189.231] lb13.01.ash2.tfbnw.net
# [69.63.189.242] lb02b.01.ash2.tfbnw.net
# [69.63.190.231] lb13.02.ash2.tfbnw.net
# [69.63.190.232] lb12.02.ash2.tfbnw.net
# [69.63.190.233] lb11.02.ash2.tfbnw.net
# [69.63.190.234] lb10.02.ash2.tfbnw.net
# 2011/05/11-
# [69.63.177.92] lb01a.10.snc1.tfbnw.net
# [69.63.177.93] lb01b.10.snc1.tfbnw.net
# [69.171.224.227] lb17.01.prn1.tfbnw.net
# [69.171.224.228] lb16.01.prn1.tfbnw.net
# [69.171.224.230] lb14.01.prn1.tfbnw.net
# [69.171.224.231] lb13.01.prn1.tfbnw.net
# [69.171.224.232] lb12.01.prn1.tfbnw.net
# [69.171.224.233] lb11.01.prn1.tfbnw.net
# [69.171.224.234] lb10.01.prn1.tfbnw.net
# [69.171.224.252] lb01a.01.prn1.tfbnw.net
# [69.171.224.253] lb01b.01.prn1.tfbnw.net
# [69.171.228.229] lb15.05.prn1.tfbnw.net
# [69.171.228.230] lb14.05.prn1.tfbnw.net
# [69.171.228.231] lb13.05.prn1.tfbnw.net
# [69.171.228.233] lb11.05.prn1.tfbnw.net
# [69.171.228.234] lb10.05.prn1.tfbnw.net
#
# [66.220.144.44] itlb01a.snc1.tfbnw.net
# [66.220.144.45] itlb01b.snc1.tfbnw.net
# [66.220.145.241] lb02a.01.snc4.tfbnw.net
# [66.220.145.242] lb02b.01.snc4.tfbnw.net
# [66.220.145.252] lb01a.01.snc4.tfbnw.net
# [66.220.145.253] lb01b.01.snc4.tfbnw.net
# [66.220.146.231] lb13.02.snc4.tfbnw.net
# [66.220.146.232] lb12.02.snc4.tfbnw.net
# [66.220.146.233] lb11.02.snc4.tfbnw.net
# [66.220.146.252] lb01a.02.snc4.tfbnw.net
# [66.220.146.253] lb01b.02.snc4.tfbnw.net
# [66.220.147.231] lb13.04.snc4.tfbnw.net
# [66.220.147.233] lb11.04.snc4.tfbnw.net
# [66.220.147.234] lb10.04.snc4.tfbnw.net
# [66.220.149.229] out-sw229.tfbnw.net
# [66.220.149.231] lb13.02.snc5.tfbnw.net
# [66.220.149.232] lb12.02.snc5.tfbnw.net
# [66.220.149.234] lb10.02.snc5.tfbnw.net
# [66.220.151.97] intlb01b.01.snc6.tfbnw.net
# [66.220.151.105] lb11.01.snc6.tfbnw.net
# [66.220.151.110] lb03a.01.snc6.tfbnw.net
# [66.220.151.111] lb03b.01.snc6.tfbnw.net
# [66.220.151.113] lb02a.01.snc6.tfbnw.net
# [66.220.151.114] lb02b.01.snc6.tfbnw.net
# [66.220.151.124] lb01a.01.snc6.tfbnw.net
# [66.220.151.125] lb01b.01.snc6.tfbnw.net
# 2011/07/20-
# [66.220.153.231] lb13.03.ash2.tfbnw.net
# [66.220.153.232] lb12.03.ash2.tfbnw.net
# [66.220.153.233] lb11.03.ash2.tfbnw.net
# [66.220.153.234] lb10.03.ash2.tfbnw.net
# [66.220.155.105] lb11.05.ash2.tfbnw.net
# [66.220.155.106] lb10.05.ash2.tfbnw.net
# [66.220.155.124] lb01a.05.ash2.tfbnw.net
# [66.220.155.125] lb01b.05.ash2.tfbnw.net
# [66.220.156.231] lb13.01.tst1.tfbnw.net
# [66.220.156.233] lb11.01.tst1.tfbnw.net
# [66.220.156.234] lb10.01.tst1.tfbnw.net
# [66.220.158.231] lb13.01.ash4.tfbnw.net
# [66.220.158.232] lb12.01.ash4.tfbnw.net
# [66.220.158.234] lb10.01.ash4.tfbnw.net
# [66.220.158.252] lb01a.01.ash4.tfbnw.net
# [66.220.158.253] lb01b.01.ash4.tfbnw.net
# [69.63.183.179] lb02.01.pao1.tfbnw.net
# [69.63.183.190] lb01.01.pao1.tfbnw.net
# [69.63.183.195] lb02.02.pao1.tfbnw.net
# [69.63.183.206] lb01.02.pao1.tfbnw.net
# [69.63.188.93] lb01b.11.ash1.tfbnw.net
# [69.171.227.231] lb13.01.snc7.tfbnw.net
# [69.171.227.235] lb04a.01.snc7.tfbnw.net
# [69.171.227.236] lb04b.01.snc7.tfbnw.net
# [69.171.227.238] lb03a.01.snc7.tfbnw.net
# [69.171.227.239] lb03b.01.snc7.tfbnw.net
# [69.171.227.241] lb02a.01.snc7.tfbnw.net
# [69.171.227.242] lb02b.01.snc7.tfbnw.net
# [69.171.227.252] lb01a.01.snc7.tfbnw.net
# [69.171.229.229] lb15.06.prn1.tfbnw.net
# [69.171.229.230] lb14.06.prn1.tfbnw.net
# [69.171.229.231] lb13.06.prn1.tfbnw.net
# [69.171.229.233] lb11.06.prn1.tfbnw.net
# [69.171.229.234] lb10.06.prn1.tfbnw.net
#-[69.171.240.238] lb03a.02.ash4.tfbnw.net
# [69.171.240.239] lb03b.02.ash4.tfbnw.net
# [69.171.240.241] lb02a.02.ash4.tfbnw.net
# [69.171.240.252] (no PTR)
# [69.171.240.253] (no PTR)
# [69.171.241.241] lb02a.01.ash3.tfbnw.net
# [69.171.241.242] lb02b.01.ash3.tfbnw.net
# [69.171.242.227] lb17.02.ash3.tfbnw.net
# [69.171.242.228] lb16.02.ash3.tfbnw.net
# [69.171.242.229] lb15.02.ash3.tfbnw.net
# [69.171.242.230] lb14.02.ash3.tfbnw.net
# [69.171.242.231] lb13.02.ash3.tfbnw.net
# [69.171.242.232] lb12.02.ash3.tfbnw.net
# [69.171.242.233] lb11.02.ash3.tfbnw.net
# [69.171.242.234] lb10.02.ash3.tfbnw.net
# [69.171.243.241] (no PTR)
# [69.171.243.242] (no PTR)
# 2012/01/22-
#-[31.13.73.3] lb02.01.mia1.tfbnw.net
# [31.13.73.14] lb01.01.mia1.tfbnw.net
#-[31.13.73.19] lb02.02.mia1.tfbnw.net
# [31.13.73.30] lb01.02.mia1.tfbnw.net
#
iptables -A INPUT -p udp -i eth0 -s 69.63.176.80/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.99 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.100 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.112/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.117 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.122 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.124/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.126 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.224/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.227 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.228 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.253 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.177.92/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.110/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.112/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.159 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.212/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.224/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.228 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.239 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.242 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.179.22 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.179.29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.179.30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.179.124/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.203 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.212 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.227 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.228 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.238/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.181.203 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.181.212/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.181.226 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.181.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.182.124 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.2 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.34 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.82 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.98 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.114 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.179 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.190 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.195 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.206 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.89 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.91 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.95 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.124 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.125 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.224 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.238 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.241 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.242 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.185.13 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.185.14 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.185.29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.185.30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.201 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.212/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.224/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.228/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.238/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.241 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.187.203 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.188.92/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.189.228/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.189.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.190.231 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.190.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.190.234 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.224.224/28 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.224.252/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.227.231 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.227.232/29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.227.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.227.252/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.228.228/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.228.230/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.228.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.229.228/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.229.230/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.229.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.240.238/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.240.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.240.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.241.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.242.227 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.242.228/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.242.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.243.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.144.44/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.145.241 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.145.242 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.145.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.146.224/27 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.147.231 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.147.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.149.229 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.149.230/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.149.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.151.96/28 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.151.112/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.151.124/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.153.231 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.153.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.155.105 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.155.106 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.155.124/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.156.230/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.156.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.158.228/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.158.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.158.252/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 31.13.73.0/27 --dport 53 -j DROP

## Unknown root probes linksynergy/linkshare 2009-07-06-
# [64.29.178.133] nyfw1.linksynergy.com
# [208.187.91.250] 208-187-91-250.dataside.com
# [65.245.193.4] (no PTR) (linkshare.com)
iptables -A INPUT -p udp -i eth0 -s 64.29.178.133 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 208.187.91.250 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 65.245.193.4 --dport 53 -j DROP

## continuous root probes macrovision.com
iptables -A INPUT -p udp -i eth0 -s 64.92.236.215 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 144.198.191.14 --dport 53 -j DROP

## BADOO-NET .ru continuous root probes 2012/01/17-
iptables -A INPUT -p udp -i eth0 -s 31.222.72.0/29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 31.222.74.0/29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 31.222.76.0/29 --dport 53 -j DROP

# OVGuide.com, Inc. continuous root probe 2010/05/17-
iptables -A INPUT -p udp -i eth0 -s 64.74.254.20 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 64.94.88.20 --dport 53 -j DROP

## global verizon.net root probe every 5 secs
iptables -A INPUT -p udp -i eth0 -s 213.225.132.12 --dport 53 -j DROP # Verizon UK
iptables -A INPUT -p udp -i eth0 -s 203.223.68.14 --dport 53 -j DROP # Verizon HK/JP
iptables -A INPUT -p udp -i eth0 -s 164.109.16.10 --dport 53 -j DROP # Verizon US
iptables -A INPUT -p udp -i eth0 -s 164.109.144.10 --dport 53 -j DROP # Verizon US
iptables -A INPUT -p udp -i eth0 -s 194.174.16.153 --dport 53 -j DROP # Verizon DE

## Amazon EC2 probes "google.com" 2011/10-
#[50.17.38.24] ec2-50-17-38-24.compute-1.amazonaws.com
#[50.17.44.35] ec2-50-17-44-35.compute-1.amazonaws.com
#[50.19.1.10] ec2-50-19-1-10.compute-1.amazonaws.com
#[50.19.12.78] ec2-50-19-12-78.compute-1.amazonaws.com
#[107.20.34.173] ec2-107-20-34-173.compute-1.amazonaws.com
#[107.20.47.255] ec2-107-20-47-255.compute-1.amazonaws.com
#[107.20.86.96] ec2-107-20-86-96.compute-1.amazonaws.com
#[107.20.120.129] ec2-107-20-120-129.compute-1.amazonaws.com
#[107.22.62.100] ec2-107-22-62-100.compute-1.amazonaws.com
#[174.129.74.75] ec2-174-129-74-75.compute-1.amazonaws.com
#[184.72.67.248] ec2-184-72-67-248.compute-1.amazonaws.com
#[184.72.94.228] ec2-184-72-94-228.compute-1.amazonaws.com
#[184.73.18.107] ec2-184-73-18-107.compute-1.amazonaws.com
#[204.236.254.198] ec2-204-236-254-198.compute-1.amazonaws.com
iptables -A INPUT -p udp -i eth0 -s 50.17.38.24 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 50.17.44.35 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 50.19.1.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 50.19.12.78 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 107.20.34.173 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 107.20.47.255 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 107.20.120.129 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 107.22.62.100 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 174.129.74.75 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 184.72.67.248 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 184.72.94.228 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 184.73.18.107 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.236.254.198 --dport 53 -j DROP

## Generic intrusion attempt
## ns1.fmpub.net [204.11.51.61] (no PTR), ns2.fmpub.net [208.78.169.236] (no PTR)
## Tries to probe the root domain at 1930-2100 second intervals
## after your query of "ns1.fmpub.net" et al
## ** also probes by TCP
iptables -A INPUT -p udp -i eth0 -s 204.11.51.59 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.11.51.60 --dport 53 -j DROP # 2008/08/20-
iptables -A INPUT -p udp -i eth0 -s 204.11.51.61 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.11.51.62 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 208.37.177.62 --dport 53 -j DROP # 2008/08/20-
#iptables -A INPUT -p udp -i eth0 -s 208.78.169.234 --dport 53 -j DROP # 2008/08/20-
iptables -A INPUT -p udp -i eth0 -s 208.78.169.235 --dport 53 -j DROP # 2008/08/20-
iptables -A INPUT -p udp -i eth0 -s 208.78.169.236 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 208.78.169.237 --dport 53 -j DROP

## China
#
# 210.51.170.66 ns.xinnetdns.com (.cn)(no PTR)
# 210.51.170.48 ns2.xinnetdns.com (.cn)(no PTR)
# 123.100.7.202 ns.xinnet.cn (no PTR)
# 123.100.7.203 ns2.xinnet.cn (no PTR)
# 123.100.7.206 ns.xinnetdns.com (no PTR)
# 123.100.7.207 ns2.xinnetdns.com (no PTR) # (2010-03-27-) # 61.155.152.84 ns.xinnet.cn (no PTR) # 61.155.152.85 ns2.xinnet.cn (no PTR) # 61.155.152.86 ns.xinnetdns.com (no PTR) # 61.155.152.87 ns2.xinnetdns.com (no PTR) # # Conventional query of authoritative entry on xinnetdns.com # will make it backprobe the queried entry on your nameserver. # ex. xinnet.cn, founderbn.com, toy-joy.com(spamsite) # ex. tianhong-china.com, paycenter.com.cn, kanpoucom.com, ts-hld.com, iwncomm.com # (installing similar A-IDS on your server should yield interesting results) iptables -A INPUT -p udp -i eth0 -s 210.51.170.48 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 210.51.170.66 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 210.51.170.67 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 123.100.7.202 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 123.100.7.203 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 123.100.7.206 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 123.100.7.207 --dport 53 -j DROP # ns2.xinnet.cn [123.100.7.200] (no PTR) backprobes on query to mydns8.cn, mydns8.com. iptables -A INPUT -p udp -i eth0 -s 123.100.7.200 --dport 53 -j DROP # (2010-03-27-) # ex. 
preboss.org askyaya.com csdnbj.com neoease.com idinnova.com gotoccie.cn ixiangban.com iptables -A INPUT -p udp -i eth0 -s 61.155.152.84/30 --dport 53 -j DROP # dns1.airchina.com.cn [202.96.17.36] (no PTR) # dns2.airchina.com.cn [202.96.17.35] (no PTR) # will backprobe something.airchina.com.cn on your query iptables -A INPUT -p udp -i eth0 -s 202.96.17.36 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 202.96.17.35 --dport 53 -j DROP # [218.5.77.19] dns.bizcn.com [218.93.205.110] [218.5.77.19] # will backprobe you the query iptables -A INPUT -p udp -i eth0 -s 218.5.77.19 --dport 53 -j DROP # ccb.cn, ccb.com.cn root probe per 38 minutes # after querying *.ccb.com.cn # ns.ccb.cn [202.106.80.65] (no PTR) # ns1.ccb.cn [219.142.89.65] (no PTR) iptables -A INPUT -p udp -i eth0 -s 202.106.80.65 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 219.142.89.65 --dport 53 -j DROP # CHINANET-IDC-XA root probe per 30minutes iptables -A INPUT -p udp -i eth0 -s 218.30.23.100 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 218.30.23.161 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 218.30.23.162 --dport 53 -j DROP # CHINANET-IDC-BJ root probe per 30minutes iptables -A INPUT -p udp -i eth0 -s 218.30.111.251 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 218.30.111.252 --dport 53 -j DROP # CHINANET-SC probe ".", and PTR of the server iptables -A INPUT -p udp -i eth0 -s 218.89.171.223 --dport 53 -j DROP # HANGZHOU-IDC-CENTER iptables -A INPUT -p udp -i eth0 -s 218.75.110.194 --dport 53 -j DROP # CHINANET-JS iptables -A INPUT -p udp -i eth0 -s 61.155.6.99 --dport 53 -j DROP # CNCGROUP-LN iptables -A INPUT -p udp -i eth0 -s 218.25.41.136 --dport 53 -j DROP # CNCGROUP-BJ probes PTR of reverse.of.DNS.server.in-addr.arpa iptables -A INPUT -p udp -i eth0 -s 202.108.12.66 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 202.108.12.67 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 202.108.12.72 --dport 53 -j DROP iptables -A INPUT -p udp -i 
eth0 -s 202.108.12.112 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 202.108.12.113 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 202.108.252.182 --dport 53 -j DROP # CMNET-shanghai iptables -A INPUT -p udp -i eth0 -s 211.136.107.165 --dport 53 -j DROP # whjy.net (Wuhan academy of educational science) *.cn backprobe iptables -A INPUT -p udp -i eth0 -s 219.140.197.171 --dport 53 -j DROP # cnlink.net probing artxun.com, user.artxun.com, shop.artxun.com, mall.artxun.com, paimai.artxun.com, www.baidu.com, www.artron.net, www.findart.com.cn, www.51coin.com 2011-08-17~ iptables -A INPUT -p udp -i eth0 -s 116.213.73.78 --dport 53 -j DROP # [202.112.50.189] ns.sec.ccert.edu.cn probes "www.mit.edu" once/day 2011-09-16~ iptables -A INPUT -p udp -i eth0 -s 202.112.50.189 --dport 53 -j DROP # gslb01.cnlb.cn.mozilla.com, gslb02.cnlb.cn.mozilla.com load balancer root (.) probe # uses TCP scan iptables -A INPUT -p udp -i eth0 -s 59.151.50.247 --dport 53 -j DROP iptables -A INPUT -p udp -i eth0 -s 59.151.50.248 --dport 53 -j DROP iptables -A INPUT -p tcp -i eth0 -s 59.151.50.247 --dport 53 -j DROP iptables -A INPUT -p tcp -i eth0 -s 59.151.50.248 --dport 53 -j DROP # # Chinese kewl d00dz not listed; too many for explicit list
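The list above is maintained by hand. As an added example (not part of the original page or its script), the sh/awk helper below turns the named(8) "query (cache) denied" lines produced by the logging stanza described earlier into candidate DROP rules in the same format as the list, so a server's own log can be reviewed for new probers. The log lines inside it are constructed (RFC 5737 documentation addresses, not real probers); the "client @0x... 1.2.3.4#port (name):" form accepted on line 6 of the sample is the newer BIND 9 query-log layout and is assumed from general knowledge, not from this page; the interface name eth0 and the three-hit threshold are the same conventions the page already uses.

```sh
#!/bin/sh
# Added example: derive DROP rules from named(8) "query (cache) denied" log lines.
# Expects the syslog output enabled by  logging { category "queries" { ... }; }
# and reads it on stdin, so it can be fed from /var/log/messages or from a pipe.

# Print "count ip" for every client whose recursive queries were denied,
# most frequent first.  Handles both the classic "client 1.2.3.4#port:" form
# and the newer "client @0x... 1.2.3.4#port (name):" form (assumed layout).
denied_clients() {
    awk '
        /query \(cache\).*denied/ {
            for (i = 1; i < NF; i++) {
                if ($i == "client") {
                    ip = $(i + 1)
                    if (ip ~ /^@/) ip = $(i + 2)   # skip the client-object pointer
                    sub(/#.*/, "", ip)             # strip "#port" and any trailing ":"
                    n[ip]++
                    break
                }
            }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Emit one iptables(8) rule per client denied at least $1 times (default 3).
# Rules are printed for review, never applied; paste the ones you want into
# the script above after checking who the source is.
emit_rules() {
    denied_clients | awk -v t="${1:-3}" '
        $1 + 0 >= t + 0 {
            printf "iptables -A INPUT -p udp -i eth0 -s %s --dport 53 -j DROP\t# %d denied\n", $2, $1
        }
    '
}

# Constructed sample log (RFC 5737 addresses) in the format shown on this page.
sample_log() {
    cat <<'EOF'
Apr 11 18:55:39 sha named[22774]: client 192.0.2.10#31682: query: . IN A
Apr 11 18:55:39 sha named[22774]: client 192.0.2.10#31682: query (cache) denied
Apr 11 18:56:02 sha named[22774]: client 192.0.2.10#40011: query (cache) denied
Apr 11 18:57:15 sha named[22774]: client 192.0.2.10#40012: query (cache) denied
Apr 11 19:01:00 sha named[22774]: client 198.51.100.7#53: query (cache) denied
Apr 11 19:01:30 sha named[22774]: client @0x7f1c2c0 198.51.100.7#53 (www.example.com): query (cache) 'www.example.com/A/IN' denied
Apr 11 19:05:44 sha named[22774]: client 203.0.113.5#1234: query (cache) denied
Apr 11 19:06:00 sha named[22774]: client 203.0.113.9#5353: query: www.example.org IN A
EOF
}

# Stand-alone demo: on the sample, 192.0.2.10 (3 hits) and 198.51.100.7 (2 hits)
# qualify at threshold 2; 203.0.113.5 (1 hit) and the never-denied client do not.
if [ "${1:-}" = "demo" ]; then
    sample_log | emit_rules 2
fi
```

Typical use is `emit_rules 3 < /var/log/messages`, then a PTR/whois check on each address before the rule is added to the list, since a single denied query is just as often a misconfigured resolver as a prober; the count in the trailing comment is there to make that triage quick.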
$Id: dnsprober.html,v 2.90 2012-03-13 09:49:03+09 kabe Exp $