These hosts attempt to query unauthorized DNS zones on your DNS servers. Such activity has no legit usage, and is usually for probing vulnerable DNS servers to use for DNS Relay DDoS attacks. They could trigger various IDS warnings which will annoy you.
Out-of-box named(8) does not log these queries.
By setting /etc/named.conf to be
logging {
category "queries" { "default_syslog"; "default_debug"; };
}
|
Apr 11 18:55:39 sha named[22774]: client 63.245.209.126#31682: query: . IN A Apr 11 18:55:39 sha named[22774]: client 63.245.209.126#31682: query (cache) denied |
If your server does not deny these, Reconfigure Now! DNS Relay DDoS attacks will be launched from your server.
Following list is an excerpt of Linux iptables(8) setup script; converting to other firewall rules should be cheesy.
# Foreign DNS probes
## "Research activity"
# recursion-test.cymru.com
iptables -A INPUT -p udp -i eth0 -s 38.229.0.10 --dport 53 -j DROP
# Probe once a year in seek of open resolver
# aAAAAAAAAApPPPPPiIIIII.dYYYYmmddHHMMSSNNNNN.tNNNN.dnsresearch.cymru.com
# AAAAAAAAA is the probed IP address in uint32
# YYYYmmdd in GMT+4
iptables -A INPUT -p udp -i eth0 -s 38.229.1.72/31 --dport 53 -j DROP
# [192.172.226.155] dns-surveys-2.caida.org
# probes <cookie>.<cookie>.test1.openresolvers.org every week
iptables -A INPUT -p udp -i eth0 -s 192.172.226.155 --dport 53 -j DROP
## mass attack, of . query 2009-01-07-
## [63.251.28.10] NYCGSLB1.fwmrm.net
## [63.251.28.11] NYCns1-ext1.fwmrm.net
## [74.217.66.10] SVLGSLB1.fwmrm.net
## [74.217.66.11] SVLns1-ext1.fwmrm.net
iptables -A INPUT -p udp -i eth0 -s 63.251.28.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.251.28.11 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 74.217.66.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 74.217.66.11 --dport 53 -j DROP
## 10min interval . probe 2010-06-08-
## [75.98.70.10] NJBGSLB1.fwmrm.net
## [75.98.70.11] NJBns1-ext1.fwmrm.net
iptables -A INPUT -p udp -i eth0 -s 75.98.70.10/31 --dport 53 -j DROP
# [209.200.168.66] for-scanning-research.info-please-browse-to.http.deluvian.doxpara.com
# attempts zone transfer, not only query
iptables -A INPUT -p udp -i eth0 -s 209.200.168.66 --dport 53 -j DROP
# this.is.a.dns.study.gtisc.gatech.edu
iptables -A INPUT -p udp -i eth0 -s 143.215.130.36 --dport 53 -j DROP
# dnsstudy[123].cc.gt.atl.ga.us (continuous probe per 20 minutes)
iptables -A INPUT -p udp -i eth0 -s 143.215.129.43 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 143.215.129.102 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 143.215.129.200 --dport 53 -j DROP
# queries <cookie>.<cookie>.gtisc-dnsstudy.net once a day (wildcard *.gtisc-dnsstudy.net, gatech.edu) 2007/12/07-
iptables -A INPUT -p udp -i eth0 -s 143.215.143.13 --dport 53 -j DROP
# queries BASE64(<intsrc><ns><tgt><tstamp><cookie>/*32bytes*/).ports.dns-integrity-scan.com
# every 4-6 HOURS ([143.215.129.25] drudgeon4.cc.gt.atl.ga.us = ns1.dns-integrity-scan.com) 2008/07/12-
# Run by deluvian.doxpara.com
# WARNING: querying something.dns-integrity-scan.com will always return CNAME including unique cookie to track you
iptables -A INPUT -p udp -i eth0 -s 143.215.129.25 --dport 53 -j DROP
# [143.215.143.11] no PTR *.gatech.edu 2008/07/21-
# queries www.google.com, www.live.com, www.gmail.com, www.msn.com, com, net, yadda yadda several time AN HOUR
iptables -A INPUT -p udp -i eth0 -s 143.215.143.9 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 143.215.143.11 --dport 53 -j DROP
# [128.194.135.212] dns-crawler.irl.cs.tamu.edu et al probing www.google.com 2008/03-
iptables -A INPUT -p udp -i eth0 -s 128.194.135.81 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 128.194.135.104 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 128.194.135.212 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 128.194.135.223 --dport 53 -j DROP
# [149.20.52.*] network-scanner-*-for-more-info-see.public.dns-oarc.net (isc.org)
# probes VERSION.BIND/CH every week
iptables -A INPUT -p udp -i eth0 -s 149.20.52.128/25 --dport 53 -j DROP
# [149.20.54.35] dns-surveyor.measurement-factory.com (isc.org)
# probes "localhost." "a.root-servers.net" "www.google.com" every week
iptables -A INPUT -p udp -i eth0 -s 149.20.54.35 --dport 53 -j DROP
# another [149.20.58.131] dns-surveyor.measurement-factory.com (isc.org) 2008/10/10-
iptables -A INPUT -p udp -i eth0 -s 149.20.58.131 --dport 53 -j DROP
# whole [149.20.59.128]/25 seems to dedicated for scanning HOSTNAME.BIND, VERSION.BIND CH TXT every week
# ex. [149.20.59.155] dns-surveyor-155.dns-oarc.net
iptables -A INPUT -p udp -i eth0 -s 149.20.59.128/25 --dport 53 -j DROP
# [149.20.56.10] dan-kaminsky.dns-security-scan.info-at-http.www.doxdns5.com 2008/07/30-
# probes "not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com"
# and massive names likely cached EVERY 5 MINUTES
# WARNING: querying www.doxdns5.com will return CNAME which tracks you!
# Resolves to [149.20.56.5]
iptables -A INPUT -p udp -i eth0 -s 149.20.56.10 --sport 10053 --dport 53 -j DROP
# [208.77.188.120] itar.iana.org (recursive.iana.org) probes iana.org and porttest.dns-oarc.net every week (2008/08/18-)
iptables -A INPUT -p udp -i eth0 -s 208.77.188.120 --dport 53 -j DROP
# queries qqqnnnnnnnnnn.xxxxxxxxxxxxxxx.dnsscan.de (Warning: includes Referer tracker!)
# [128.143.71.178] dnsns1.rst3n.de (dnsscan.de NS), dnsscan.cs.Virginia.EDU
# [128.143.71.179] dnsns2.rst3n.de (dnsscan.de NS), dnsscan2.cs.Virginia.EDU
iptables -A INPUT -p udp -i eth0 -s 128.143.71.178 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 128.143.71.179 --dport 53 -j DROP
## [149.20.54.35] dns-surveyor.measurement-factory.com
## probes for "<ns-node-name>.ns.<domain>" every 12 hours,
## probes "www.google.com" "localhost" "a.root-servers.net" every week
iptables -A INPUT -p udp -i eth0 -s 149.20.54.35 --dport 53 -j DROP
## RIPE Zone transfer attemps every month from [193.0.0.63]
iptables -A INPUT -p udp -i eth0 -s 193.0.0.0/22 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 193.0.0.0/22 --dport 53 -j DROP
## "Security check" for themselves only
# infospace.com probe per 38 minutes
# Big Fat LART on postmaster@infospace.com, abuse@internap.com, abuse@savvis.net
# may work; YMMV
iptables -A INPUT -p udp -i eth0 -s 66.150.2.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.11 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.14 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.15 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.51 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.150.2.52 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 72.53.193.5 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 72.53.193.6 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.9 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.13 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.14 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.51 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.9.88.52 --dport 53 -j DROP
## nintendo.com probes your server of your server PTR in 100 minutes interval
## after querying *.nintendo.com .
## "3DNS servers made by F5 Networks" improper configuration
## They don't follow subclassed PTR CNAME, which will in turn denied as usual.
iptables -A INPUT -p udp -i eth0 -s 192.195.204.8 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 192.195.204.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.8 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.11 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.12 --dport 53 -j DROP
## nintendo.com 100min interval root probe after querying *.nintendo.com 2010-07-28-
iptables -A INPUT -p udp -i eth0 -s 192.195.204.61 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 192.195.204.62 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 192.195.204.190 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.61 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.62 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 205.166.76.190 --dport 53 -j DROP
## attdns.com, backquerying bogus PTR of the NS
## likely another F5 3DNS
iptables -A INPUT -p udp -i eth0 -s 144.160.112.12 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 144.160.128.139 --dport 53 -j DROP
## asus.com, asus.com.tw DNS server (dns3.asus.com) probe per 38 minutes
## asus.com, dns7.asus.com 213.61.92.192 h-213.61.92.192.host.de.colt.net probe per 38 minutes
iptables -A INPUT -p udp -i eth0 -s 211.72.249.201 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 213.61.92.192 --dport 53 -j DROP
## adobe.com (peer1.net) root probe every 30secs 2010/1/6 18:56-
iptables -A INPUT -p udp -i eth0 -s 76.74.145.249 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.145.249 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 76.74.145.250 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.145.250 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 76.74.145.254 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.145.254 --dport 53 -j DROP
## adobe.com (peer1.net) root probe every 30secs 2010/7/4 04:03-
#iptables -A INPUT -p tcp -i eth0 -s 76.74.170.243/28 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.243 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.244 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.247 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.248 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.249 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.250 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.251 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 76.74.170.252 --dport 53 -j DROP
## global citrix.com mass root probes 2012/01/24-
# [62.200.22.2] firewall.ctxuk.citrix.com (firewall-dmz1.ctxuk.citrix.com)
# [63.110.51.11] (no PTR)
# [66.165.176.60] host60.citrix.com
# [203.166.19.130] firewall.citrix.com.au
iptables -A INPUT -p udp -i eth0 -s 62.200.22.2 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.110.51.11 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.165.176.60 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 203.166.19.130 --dport 53 -j DROP
## usc.edu mass root probes 2012/01/25-
# [128.125.253.76] mail-mip-gw.usc.edu
# [208.99.184.201] (no PTR) (*.usc.edu)
iptables -A INPUT -p udp -i eth0 -s 128.125.253.76 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 208.99.184.201 --dport 53 -j DROP
## "load balancer" (generally won't work, as client and PTR holder usually isn't nearby)
# mirror-image.com
iptables -A INPUT -p udp -i eth0 -s 65.216.72.15 --sport 55555 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 64.191.208.15 --sport 55555 --dport 53 -j DROP # ns1.instacontent.net
iptables -A INPUT -p udp -i eth0 -s 204.0.99.15 --sport 55555 --dport 53 -j DROP # ns2.instacontent.net
# (will query back your nameserver of the queried entry)
iptables -A INPUT -p udp -i eth0 -s 209.107.94.15 --sport 55555 --dport 53 -j DROP # ns3.instacontent.net, no PTR
# *.nl.mozilla.com. Probes by Citrix
iptables -A INPUT -p udp -i eth0 -s 63.245.209.126 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.101 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.102 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.124 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 63.245.213.126 --dport 53 -j DROP
# *.nl.mozilla.com. TCP scan on 53
iptables -A INPUT -p tcp -i eth0 -s 63.245.209.126 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.10 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.101 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.102 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.124 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 63.245.213.126 --dport 53 -j DROP
# Continuous root probe after querying *.revsci.net, *.lb-revsci.net 2008/08/06-
# [64.74.15.250] ns01.revsci.net (no PTR, NS of lb-revsci.net)
# [168.75.65.198] ns02.revsci.net (no PTR, NS of lb-revsci.net)
# [168.75.65.199] ns04.revsci.net (no PTR) root probe 2008/09/23-
# [168.75.65.203] (unknown, cluster member?)
# [168.75.65.204] (unknown, cluster member?)
# [209.249.141.45] ns03.revsci.net (ns01.revsci.net A mismatch, NS of lb-revsci.net)
# [209.249.141.181] (unknown, cluster member?)
# [209.249.141.182] (unknown, cluster member?)
# [38.96.134.230] ns04.revsci.net (no PTR, NS of lb-revsci.net)
iptables -A INPUT -p udp -i eth0 -s 64.74.15.250 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 168.75.65.198 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 168.75.65.199 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 168.75.65.199 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 168.75.65.203 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 168.75.65.204 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 209.249.141.45 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 209.249.141.181 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 209.249.141.182 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 38.96.134.230 --dport 53 -j DROP
# [80.67.64.10] fw01.cmbrmaks.akamai.com
# probes "nytimes.com" "www.nytimes.com" "cnn.com" several times a day 2008/12/04-
iptables -A INPUT -p udp -i eth0 -s 80.67.64.10 --dport 53 -j DROP
# [72.246.193.103] a72-246-193-103.deploy.akamaitechnologies.com 2009/03/10-
# [72.246.193.104] a72-246-193-104.deploy.akamaitechnologies.com 2009/03/07-
# mass queries cnn.com, google.com et al, UDP only
iptables -A INPUT -p udp -i eth0 -s 72.246.193.103 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 72.246.193.104 --dport 53 -j DROP
# [91.220.84.234] *.ru probes "google.com" several times a day 2011/10/22~
iptables -A INPUT -p udp -i eth0 -s 91.220.84.234 --dport 53 -j DROP
## facebook.com unknown root probes 2009/04/13-
## they tend to juggle server address to evade filters
# [69.63.176.100] lb07b.01.sf2p.tfbnw.net
# [69.63.176.113] lb05a-v310.sf2p.tfbnw.net
# [69.63.176.224] 1.1.lb05a.05.sf2p.tfbnw.net
# [69.63.178.239] 1-1.lb03b.01.snc1.tfbnw.net
# [69.63.184.91]
# [69.63.184.124] 1-1.lb01a.ash1.tfbnw.net
# 2009/06/22-
# [69.63.176.81] securelb01a.sf2p.tfbnw.net
# [69.63.176.82] securelb01b.sf2p.tfbnw.net
# [69.63.176.99] lb07a.01.sf2p.tfbnw.net
# [69.63.176.114] lb05b-v310.sf2p.tfbnw.net
# [69.63.176.117] lb02b-v310.sf2p.tfbnw.net
# [69.63.176.122] lb03a-v310.sf2p.tfbnw.net
# [69.63.176.125] lb04a-v310.sf2p.tfbnw.net
# [69.63.176.126] lb04b-v310.sf2p.tfbnw.net
# [69.63.176.225] 1.1.lb05b.05.sf2p.tfbnw.net
# [69.63.176.227] 1.1.lb04a.05.sf2p.facebook.com
# [69.63.176.228] 1.1.lb04b.05.sf2p.facebook.com
# [69.63.176.252] 1-1.lb01a.05.sf2p.facebook.com
# [69.63.176.253] 1-1.lb01b.05.sf2p.facebook.com
# [69.63.178.110] 1-1.lb03a.01.snc1.tfbnw.net
# [69.63.178.111] 1-1.lb03b.01.snc1.tfbnw.net
# [69.63.178.113] 1-1.lb05a.01.snc1.tfbnw.net
# [69.63.178.114] 1-1.lb05b.01.snc1.tfbnw.net
# [69.63.178.159] 1-1.lb10a.01.snc1.tfbnw.net
# [69.63.178.213] 1-1.lb06a.01.snc1.tfbnw.net
# [69.63.178.214] 1-1.lb06b.01.snc1.tfbnw.net
# [69.63.178.224] 1-1.lb05a.01.snc1.tfbnw.net
# [69.63.178.227] 1-1.lb04a.01.snc1.tfbnw.net
# [69.63.178.228] 1-1.lb04b.01.snc1.tfbnw.net
# [69.63.178.242] 1-1.lb02b.01.snc1.tfbnw.net
# [69.63.178.253] 1-1.lb01b.01.snc1.tfbnw.net
# [69.63.179.22] glb01.snc1.tfbnw.net
# [69.63.179.29] intlb01a.snc1.tfbnw.net
# [69.63.179.30] intlb01b.snc1.tfbnw.net
# [69.63.179.124] securelb01a.08.snc1.tfbnw.net
# [69.63.179.125] securelb01b.08.snc1.tfbnw.net
# [69.63.180.203] lb11.07.snc1.tfbnw.net
# [69.63.180.212] lb10.07.snc1.tfbnw.net
# [69.63.180.227] 1-1.lb04a.07.snc1.tfbnw.net
# [69.63.180.228] 1-1.lb04b.07.snc1.tfbnw.net
# [69.63.180.238] 1-1.lb03a.07.snc1.tfbnw.net
# [69.63.180.239] 1-1.lb03b.07.snc1.tfbnw.net
# [69.63.180.241] 1-1.lb02a.07.snc1.tfbnw.net
# [69.63.180.242] 1-1.lb02b.07.snc1.tfbnw.net
# [69.63.181.203] lb11.01.snc2.tfbnw.net
# [69.63.181.212] lb10.01.snc2.tfbnw.net
# [69.63.181.215] lb12.01.snc2.tfbnw.net
# [69.63.181.226] lb13.01.snc2.tfbnw.net
# [69.63.181.252] lb01a.01.snc2.tfbnw.net
# [69.63.181.253] lb01b.01.snc2.tfbnw.net
# [69.63.182.124] (no PTR)
# [69.63.183.2] mlb01.03.snc3.tfbnw.net
# [69.63.183.34] mlb01.01.sjc1.tfbnw.net
# [69.63.183.82] mlb01.06.snc4.tfbnw.net
# [69.63.183.98] mlb01.04.snc5.tfbnw.net
# [69.63.183.114] mlb01.05.snc5.tfbnw.net
# [69.63.184.89] lb11.01.ash1.tfbnw.net
# [69.63.184.95] 1-1.lb05a.01.ash1.tfbnw.net
# [69.63.184.125] 1-1.lb01b.ash1.tfbnw.net
# [69.63.184.224] lb10.03.ash1.tfbnw.net
# [69.63.184.238] lb03a.03.ash1.tfbnw.net
# [69.63.184.241] lb02a.03.ash1.tfbnw.net
# [69.63.184.242] lb02b.03.ash1.tfbnw.net
# [69.63.185.13] 1-1.glb01a.ash1.tfbnw.net
# [69.63.185.14] 1-1.glb01b.ash1.tfbnw.net
# [69.63.185.29] (no PTR)
# [69.63.185.30]
# [69.63.186.201] lb11.06.ash1.tfbnw.net
# [69.63.186.212] lb10.06.ash1.tfbnw.net
# [69.63.186.213] lb12.06.ash1.tfbnw.net
# [69.63.186.224] lb13.06.ash1.tfbnw.net
# [69.63.186.227] 1-1.lb04a.06.ash1.tfbnw.net
# [69.63.186.228] 1-1.lb04b.06.ash1.tfbnw.net
# [69.63.186.238] 1-1.lb03a.06.ash1.tfbnw.net
# [69.63.186.239] 1-1.lb03b.06.ash1.tfbnw.net
# [69.63.186.241] 1-1.lb02a.06.ash1.tfbnw.net
# [69.63.187.203] lb11.08.ash1.tfbnw.net
# 2011/07/20-
# [69.63.189.228] lb16.01.ash2.tfbnw.net
# [69.63.189.229] lb15.01.ash2.tfbnw.net
# [69.63.189.230] lb14.01.ash2.tfbnw.net
# [69.63.189.231] lb13.01.ash2.tfbnw.net
# [69.63.189.242] lb02b.01.ash2.tfbnw.net
# [69.63.190.231] lb13.02.ash2.tfbnw.net
# [69.63.190.232] lb12.02.ash2.tfbnw.net
# [69.63.190.233] lb11.02.ash2.tfbnw.net
# [69.63.190.234] lb10.02.ash2.tfbnw.net
# 2011/05/11-
# [69.63.177.92] lb01a.10.snc1.tfbnw.net
# [69.63.177.93] lb01b.10.snc1.tfbnw.net
# [69.171.224.227] lb17.01.prn1.tfbnw.net
# [69.171.224.228] lb16.01.prn1.tfbnw.net
# [69.171.224.230] lb14.01.prn1.tfbnw.net
# [69.171.224.231] lb13.01.prn1.tfbnw.net
# [69.171.224.232] lb12.01.prn1.tfbnw.net
# [69.171.224.233] lb11.01.prn1.tfbnw.net
# [69.171.224.234] lb10.01.prn1.tfbnw.net
# [69.171.224.252] lb01a.01.prn1.tfbnw.net
# [69.171.224.253] lb01b.01.prn1.tfbnw.net
# [69.171.228.229] lb15.05.prn1.tfbnw.net
# [69.171.228.230] lb14.05.prn1.tfbnw.net
# [69.171.228.231] lb13.05.prn1.tfbnw.net
# [69.171.228.233] lb11.05.prn1.tfbnw.net
# [69.171.228.234] lb10.05.prn1.tfbnw.net
#
# [66.220.144.44] itlb01a.snc1.tfbnw.net
# [66.220.144.45] itlb01b.snc1.tfbnw.net
# [66.220.145.241] lb02a.01.snc4.tfbnw.net
# [66.220.145.242] lb02b.01.snc4.tfbnw.net
# [66.220.145.252] lb01a.01.snc4.tfbnw.net
# [66.220.145.253] lb01b.01.snc4.tfbnw.net
# [66.220.146.231] lb13.02.snc4.tfbnw.net
# [66.220.146.232] lb12.02.snc4.tfbnw.net
# [66.220.146.233] lb11.02.snc4.tfbnw.net
# [66.220.146.252] lb01a.02.snc4.tfbnw.net
# [66.220.146.253] lb01b.02.snc4.tfbnw.net
# [66.220.147.231] lb13.04.snc4.tfbnw.net
# [66.220.147.233] lb11.04.snc4.tfbnw.net
# [66.220.147.234] lb10.04.snc4.tfbnw.net
# [66.220.149.229] out-sw229.tfbnw.net
# [66.220.149.231] lb13.02.snc5.tfbnw.net
# [66.220.149.232] lb12.02.snc5.tfbnw.net
# [66.220.149.234] lb10.02.snc5.tfbnw.net
# [66.220.151.97] intlb01b.01.snc6.tfbnw.net
# [66.220.151.105] lb11.01.snc6.tfbnw.net
# [66.220.151.110] lb03a.01.snc6.tfbnw.net
# [66.220.151.111] lb03b.01.snc6.tfbnw.net
# [66.220.151.113] lb02a.01.snc6.tfbnw.net
# [66.220.151.114] lb02b.01.snc6.tfbnw.net
# [66.220.151.124] lb01a.01.snc6.tfbnw.net
# [66.220.151.125] lb01b.01.snc6.tfbnw.net
# 2011/07/20-
# [66.220.153.231] lb13.03.ash2.tfbnw.net
# [66.220.153.232] lb12.03.ash2.tfbnw.net
# [66.220.153.233] lb11.03.ash2.tfbnw.net
# [66.220.153.234] lb10.03.ash2.tfbnw.net
# [66.220.155.105] lb11.05.ash2.tfbnw.net
# [66.220.155.106] lb10.05.ash2.tfbnw.net
# [66.220.155.124] lb01a.05.ash2.tfbnw.net
# [66.220.155.125] lb01b.05.ash2.tfbnw.net
# [66.220.156.231] lb13.01.tst1.tfbnw.net
# [66.220.156.233] lb11.01.tst1.tfbnw.net
# [66.220.156.234] lb10.01.tst1.tfbnw.net
# [66.220.158.231] lb13.01.ash4.tfbnw.net
# [66.220.158.232] lb12.01.ash4.tfbnw.net
# [66.220.158.234] lb10.01.ash4.tfbnw.net
# [66.220.158.252] lb01a.01.ash4.tfbnw.net
# [66.220.158.253] lb01b.01.ash4.tfbnw.net
# [69.63.183.179] lb02.01.pao1.tfbnw.net
# [69.63.183.190] lb01.01.pao1.tfbnw.net
# [69.63.183.195] lb02.02.pao1.tfbnw.net
# [69.63.183.206] lb01.02.pao1.tfbnw.net
# [69.63.188.93] lb01b.11.ash1.tfbnw.net
# [69.171.227.231] lb13.01.snc7.tfbnw.net
# [69.171.227.235] lb04a.01.snc7.tfbnw.net
# [69.171.227.236] lb04b.01.snc7.tfbnw.net
# [69.171.227.238] lb03a.01.snc7.tfbnw.net
# [69.171.227.239] lb03b.01.snc7.tfbnw.net
# [69.171.227.241] lb02a.01.snc7.tfbnw.net
# [69.171.227.242] lb02b.01.snc7.tfbnw.net
# [69.171.227.252] lb01a.01.snc7.tfbnw.net
# [69.171.229.229] lb15.06.prn1.tfbnw.net
# [69.171.229.230] lb14.06.prn1.tfbnw.net
# [69.171.229.231] lb13.06.prn1.tfbnw.net
# [69.171.229.233] lb11.06.prn1.tfbnw.net
# [69.171.229.234] lb10.06.prn1.tfbnw.net
#-[69.171.240.238] lb03a.02.ash4.tfbnw.net
# [69.171.240.239] lb03b.02.ash4.tfbnw.net
# [69.171.240.241] lb02a.02.ash4.tfbnw.net
# [69.171.240.252] (no PTR)
# [69.171.240.253] (no PTR)
# [69.171.241.241] lb02a.01.ash3.tfbnw.net
# [69.171.241.242] lb02b.01.ash3.tfbnw.net
# [69.171.242.227] lb17.02.ash3.tfbnw.net
# [69.171.242.228] lb16.02.ash3.tfbnw.net
# [69.171.242.229] lb15.02.ash3.tfbnw.net
# [69.171.242.230] lb14.02.ash3.tfbnw.net
# [69.171.242.231] lb13.02.ash3.tfbnw.net
# [69.171.242.232] lb12.02.ash3.tfbnw.net
# [69.171.242.233] lb11.02.ash3.tfbnw.net
# [69.171.242.234] lb10.02.ash3.tfbnw.net
# [69.171.243.241] (no PTR)
# [69.171.243.242] (no PTR)
# 2012/01/22-
#-[31.13.73.3] lb02.01.mia1.tfbnw.net
# [31.13.73.14] lb01.01.mia1.tfbnw.net
#-[31.13.73.19] lb02.02.mia1.tfbnw.net
# [31.13.73.30] lb01.02.mia1.tfbnw.net
#
iptables -A INPUT -p udp -i eth0 -s 69.63.176.80/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.99 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.100 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.112/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.117 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.122 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.124/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.126 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.224/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.227 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.228 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.176.253 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.177.92/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.110/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.112/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.159 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.212/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.224/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.228 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.239 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.242 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.178.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.179.22 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.179.29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.179.30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.179.124/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.203 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.212 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.227 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.228 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.238/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.180.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.181.203 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.181.212/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.181.226 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.181.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.182.124 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.2 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.34 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.82 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.98 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.114 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.179 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.190 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.195 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.183.206 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.89 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.91 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.95 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.124 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.125 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.224 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.238 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.241 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.184.242 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.185.13 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.185.14 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.185.29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.185.30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.201 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.212/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.224/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.228/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.238/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.186.241 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.187.203 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.188.92/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.189.228/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.189.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.190.231 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.190.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.63.190.234 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.224.224/28 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.224.252/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.227.231 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.227.232/29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.227.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.227.252/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.228.228/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.228.230/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.228.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.229.228/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.229.230/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.229.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.240.238/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.240.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.240.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.241.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.242.227 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.242.228/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.242.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 69.171.243.240/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.144.44/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.145.241 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.145.242 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.145.252/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.146.224/27 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.147.231 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.147.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.149.229 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.149.230/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.149.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.151.96/28 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.151.112/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.151.124/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.153.231 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.153.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.155.105 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.155.106 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.155.124/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.156.230/31 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.156.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.158.228/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.158.232/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 66.220.158.252/30 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 31.13.73.0/27 --dport 53 -j DROP
## Unknown root probes linksynergy/linkshare 2009-07-06-
# [64.29.178.133] nyfw1.linksynergy.com
# [208.187.91.250] 208-187-91-250.dataside.com
# [65.245.193.4] (no PTR) (linkshare.com)
iptables -A INPUT -p udp -i eth0 -s 64.29.178.133 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 208.187.91.250 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 65.245.193.4 --dport 53 -j DROP
## continuous root probes macrovision.com
iptables -A INPUT -p udp -i eth0 -s 64.92.236.215 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 144.198.191.14 --dport 53 -j DROP
## BADOO-NET .ru continuous root probes 2012/01/17-
iptables -A INPUT -p udp -i eth0 -s 31.222.72.0/29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 31.222.74.0/29 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 31.222.76.0/29 --dport 53 -j DROP
# OVGuide.com, Inc. Continuous root probe 2010/05/17-
iptables -A INPUT -p udp -i eth0 -s 64.74.254.20 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 64.94.88.20 --dport 53 -j DROP
## global verizon.net root probe every 5 secs
iptables -A INPUT -p udp -i eth0 -s 213.225.132.12 --dport 53 -j DROP # Verizon UK
iptables -A INPUT -p udp -i eth0 -s 203.223.68.14 --dport 53 -j DROP # Verizon HK/JP
iptables -A INPUT -p udp -i eth0 -s 164.109.16.10 --dport 53 -j DROP # Verizon US
iptables -A INPUT -p udp -i eth0 -s 164.109.144.10 --dport 53 -j DROP # Verizon US
iptables -A INPUT -p udp -i eth0 -s 194.174.16.153 --dport 53 -j DROP # Verizon DE
## Amazon EC2 probes "google.com" 2011/10-
#[50.17.38.24] ec2-50-17-38-24.compute-1.amazonaws.com
#[50.17.44.35] ec2-50-17-44-35.compute-1.amazonaws.com
#[50.19.1.10] ec2-50-19-1-10.compute-1.amazonaws.com
#[50.19.12.78] ec2-50-19-12-78.compute-1.amazonaws.com
#[107.20.34.173] ec2-107-20-34-173.compute-1.amazonaws.com
#[107.20.47.255] ec2-107-20-47-255.compute-1.amazonaws.com
#[107.20.86.96] ec2-107-20-86-96.compute-1.amazonaws.com
#[107.20.120.129] ec2-107-20-120-129.compute-1.amazonaws.com
#[107.22.62.100] ec2-107-22-62-100.compute-1.amazonaws.com
#[174.129.74.75] ec2-174-129-74-75.compute-1.amazonaws.com
#[184.72.67.248] ec2-184-72-67-248.compute-1.amazonaws.com
#[184.72.94.228] ec2-184-72-94-228.compute-1.amazonaws.com
#[184.73.18.107] ec2-184-73-18-107.compute-1.amazonaws.com
#[204.236.254.198] ec2-204-236-254-198.compute-1.amazonaws.com
iptables -A INPUT -p udp -i eth0 -s 50.17.38.24 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 50.17.44.35 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 50.19.1.10 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 50.19.12.78 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 107.20.34.173 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 107.20.47.255 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 107.20.120.129 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 107.22.62.100 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 174.129.74.75 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 184.72.67.248 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 184.72.94.228 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 184.73.18.107 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.236.254.198 --dport 53 -j DROP
## Generic intrusion attempt
## ns1.fmpub.net [204.11.51.61] (no PTR), ns2.fmpub.net [208.78.169.236] (no PTR)
## Tries to probe root domain in 1930-2100 seconds interval
## after your query of "ns1.fmpub.net" et al
## ** also probes by TCP
iptables -A INPUT -p udp -i eth0 -s 204.11.51.59 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.11.51.60 --dport 53 -j DROP # 2008/08/20-
iptables -A INPUT -p udp -i eth0 -s 204.11.51.61 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 204.11.51.62 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 208.37.177.62 --dport 53 -j DROP # 2008/08/20-
#iptables -A INPUT -p udp -i eth0 -s 208.78.169.234 --dport 53 -j DROP # 2008/08/20-
iptables -A INPUT -p udp -i eth0 -s 208.78.169.235 --dport 53 -j DROP # 2008/08/20-
iptables -A INPUT -p udp -i eth0 -s 208.78.169.236 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 208.78.169.237 --dport 53 -j DROP
## China
#
# 210.51.170.66 ns.xinnetdns.com (.cn)(no PTR)
# 210.51.170.48 ns2.xinnetdns.com (.cn)(no PTR)
# 123.100.7.202 ns.xinnet.cn (no PTR)
# 123.100.7.203 ns2.xinnet.cn (no PTR)
# 123.100.7.206 ns.xinnetdns.com (no PTR)
# 123.100.7.207 ns2.xinnetdns.com (no PTR)
# (2010-03-27-)
# 61.155.152.84 ns.xinnet.cn (no PTR)
# 61.155.152.85 ns2.xinnet.cn (no PTR)
# 61.155.152.86 ns.xinnetdns.com (no PTR)
# 61.155.152.87 ns2.xinnetdns.com (no PTR)
#
# Conventional query of authoritative entry on xinnetdns.com
# will make it backprobe the queried entry on your nameserver.
# ex. xinnet.cn, founderbn.com, toy-joy.com(spamsite)
# ex. tianhong-china.com, paycenter.com.cn, kanpoucom.com, ts-hld.com, iwncomm.com
# (installing similar A-IDS on your server should yield interesting results)
iptables -A INPUT -p udp -i eth0 -s 210.51.170.48 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 210.51.170.66 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 210.51.170.67 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 123.100.7.202 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 123.100.7.203 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 123.100.7.206 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 123.100.7.207 --dport 53 -j DROP
# ns2.xinnet.cn [123.100.7.200] (no PTR) backprobes on query to mydns8.cn, mydns8.com.
iptables -A INPUT -p udp -i eth0 -s 123.100.7.200 --dport 53 -j DROP
# (2010-03-27-)
# ex. preboss.org askyaya.com csdnbj.com neoease.com idinnova.com gotoccie.cn ixiangban.com
iptables -A INPUT -p udp -i eth0 -s 61.155.152.84/30 --dport 53 -j DROP
# dns1.airchina.com.cn [202.96.17.36] (no PTR)
# dns2.airchina.com.cn [202.96.17.35] (no PTR)
# will backprobe something.airchina.com.cn on your query
iptables -A INPUT -p udp -i eth0 -s 202.96.17.36 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 202.96.17.35 --dport 53 -j DROP
# [218.5.77.19] dns.bizcn.com [218.93.205.110] [218.5.77.19]
# will backprobe you the query
iptables -A INPUT -p udp -i eth0 -s 218.5.77.19 --dport 53 -j DROP
# ccb.cn, ccb.com.cn root probe per 38 minutes
# after querying *.ccb.com.cn
# ns.ccb.cn [202.106.80.65] (no PTR)
# ns1.ccb.cn [219.142.89.65] (no PTR)
iptables -A INPUT -p udp -i eth0 -s 202.106.80.65 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 219.142.89.65 --dport 53 -j DROP
# CHINANET-IDC-XA root probe per 30minutes
iptables -A INPUT -p udp -i eth0 -s 218.30.23.100 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 218.30.23.161 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 218.30.23.162 --dport 53 -j DROP
# CHINANET-IDC-BJ root probe per 30minutes
iptables -A INPUT -p udp -i eth0 -s 218.30.111.251 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 218.30.111.252 --dport 53 -j DROP
# CHINANET-SC probe ".", and PTR of the server
iptables -A INPUT -p udp -i eth0 -s 218.89.171.223 --dport 53 -j DROP
# HANGZHOU-IDC-CENTER
iptables -A INPUT -p udp -i eth0 -s 218.75.110.194 --dport 53 -j DROP
# CHINANET-JS
iptables -A INPUT -p udp -i eth0 -s 61.155.6.99 --dport 53 -j DROP
# CNCGROUP-LN
iptables -A INPUT -p udp -i eth0 -s 218.25.41.136 --dport 53 -j DROP
# CNCGROUP-BJ probes PTR of reverse.of.DNS.server.in-addr.arpa
iptables -A INPUT -p udp -i eth0 -s 202.108.12.66 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 202.108.12.67 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 202.108.12.72 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 202.108.12.112 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 202.108.12.113 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 202.108.252.182 --dport 53 -j DROP
# CMNET-shanghai
iptables -A INPUT -p udp -i eth0 -s 211.136.107.165 --dport 53 -j DROP
# whjy.net (Wuhan academy of educational science) *.cn backprobe
iptables -A INPUT -p udp -i eth0 -s 219.140.197.171 --dport 53 -j DROP
# cnlink.net probing artxun.com, user.artxun.com, shop.artxun.com, mall.artxun.com, paimai.artxun.com, www.baidu.com, www.artron.net, www.findart.com.cn, www.51coin.com 2011-08-17~
iptables -A INPUT -p udp -i eth0 -s 116.213.73.78 --dport 53 -j DROP
# [202.112.50.189] ns.sec.ccert.edu.cn probes "www.mit.edu" once/day 2011-09-16~
iptables -A INPUT -p udp -i eth0 -s 202.112.50.189 --dport 53 -j DROP
# gslb01.cnlb.cn.mozilla.com, gslb02.cnlb.cn.mozilla.com load balancer root (.) probe
# uses TCP scan
iptables -A INPUT -p udp -i eth0 -s 59.151.50.247 --dport 53 -j DROP
iptables -A INPUT -p udp -i eth0 -s 59.151.50.248 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 59.151.50.247 --dport 53 -j DROP
iptables -A INPUT -p tcp -i eth0 -s 59.151.50.248 --dport 53 -j DROP
#
# Chinese kewl d00dz not listed; too many for explicit list
$Id: dnsprober.html,v 2.90 2012-03-13 09:49:03+09 kabe Exp $