3

I've just finished successfully configuring BIND to act as a caching server, and I'm pulling information directly from the 13 root servers (as a hint file) instead of using forwarders from someone else's DNS servers.

My named.conf file includes the following: 

    options {
         listen-on port 53 { 127.0.0.1; 10/8; };
         allow-query     { localhost; 127.0.0.1; 10/8; };
         {snip}
    }
    zone "." IN {
                type hint;
                file "named.ca";
    };

Not ready to deploy it out to the general public yet, I started BIND thinking I would just point my own computer's network adapter to use this as the new DNS server. I tested it to make sure it worked, and then gave the IP address to a few tech-savvy colleagues to start using it as well so that I can monitor this new working server over the next day or two.

But the thing that really confuses me is this: I've been running dnstop for the last 10 minutes, and I see that we have at least 18 devices talking to the server, and over 2,000 queries have already been made by several devices that were not told about the new DNS server.

Obviously I told it to listen within our entire 10/8 network. But I thought we would need to configure our routers (done by our network engineer, not me) to get everyone talking to this new DNS server.

Is there something blatent that I'm misunderstanding about how DNS works and how devices make DNS queries? My observations indicate to me that this new BIND server is "broadcasting" itself out so that several - if not all - devices across the network are aware of it.

David W
  • 3,469
  • 6
  • 38
  • 63

2 Answers2

1

DNS server assignments under DHCP are handed out by the DHCP server - not the routers specifically. Generalyl speaking, you are correct, a dns server that nobody is told about just sits there. However: A lot of computers with viruses on them may send many dns queries to many different IPs in order to find vulnerabilities and so on. The devices that have made queries, is there any way to find out what those queries are? That would give you some insight as to what is going on.

Aaron
  • 2,968
  • This is exactly what we suspected, after our network engineer and I put our heads together. Using Angry IP, we scanned a couple of the "rogue" IP addresses hitting the new DNS server, and from there were able to determine the users. I'll be contacting them soon to run some virus scans. – David W Jan 10 '12 at 22:25
0

Bind does not broadcast its existence. It is possible that your IP address was listed as the nameserver in some configurations.

It is also possible that some Malware is searching out your DNS server. There are a couple of ways you can see what is being requested.

  • Enable query logging on your bind server.
  • Use tcpdump or another packet sniffer to capture the incoming queries.

Then you will need to determine if these are legitimate queries or not. If the requests are appear to have a source address which can't reach your server directly, then it is likey malware that is sending the queries. For UDP queries you can't necessarily trust the source address. Faked source addresses have been used to launch DOS attacks on servers.

BillThor
  • 27,955
  • 3
  • 38
  • 69