10-20-2008 08:59 AM - edited 03-12-2019 05:58 PM
My PIX (ver 8.0) has 'ip audit' turned on and it is logging a lot of messages of this type:
"IDS:6053 DNS all records request from <source_ip> to <dest_ip> on interface outside".
These messages indicate that there are DNS queries of 'type any' going on. My DNS servers are working properly. There are about 30 DNS zones hosted on them. So, my questions are:
Is there any attack associated with this type of messages?
Is this type of traffic normal?
Is this type of query common?
Thanks in advance.
Paulo Roque
10-24-2008 10:37 AM
The description of your signature message is "Triggers on a DNS request for all records. This signature indicates that your network may be under reconnaissance". Where "reconnaissance" means investigation, inspection, exploration, or survey, so in my mind it might be an attack and not just an informative message. This message is generally associated with network scans based on DNS queries sent to your network. As per the below URL, this message is informative and does not suggest an attack on the network.
10-24-2008 09:37 PM
The only attack I can think of here is a DDOS amplification attack - if someone sends a DNS UDP query to your server with a forged source IP, this may potentially flood this IP with DNS requests it has never sent. But if your DNS server doesn't answer such a query then even this won't work.
Regarding scanning, probable too, but then I'd also look in the DNS server logs for denied attempts to do an AXFR zone transfer, as this is a logical step to do when you are scanning a DNS server for as much info as possible.
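To triage the IDS:6053 alerts along the lines the replies suggest, the following added example (not posted by anyone in this thread) tallies the alerts per source address and shows whether a source keeps repeating against one server or touches several. The function name, the labels, the threshold of 3 and the syslog prefix on the sample lines are assumptions; only the message body format comes from the question.

```python
import re
from collections import Counter, defaultdict

# Matches only the message body quoted in the question; any prefix is ignored.
IDS_6053 = re.compile(
    r"IDS:6053 DNS all records request from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) on interface (?P<ifc>\S+)"
)

# Constructed sample lines (documentation address ranges, made-up prefix).
SAMPLE = [
    "Oct 24 2008 21:30:01 pix1 IDS:6053 DNS all records request from 203.0.113.7 to 192.0.2.53 on interface outside",
    "Oct 24 2008 21:30:01 pix1 IDS:6053 DNS all records request from 203.0.113.7 to 192.0.2.53 on interface outside",
    "Oct 24 2008 21:30:02 pix1 IDS:6053 DNS all records request from 203.0.113.7 to 192.0.2.53 on interface outside",
    "Oct 24 2008 21:30:02 pix1 IDS:6053 DNS all records request from 203.0.113.7 to 192.0.2.53 on interface outside",
    "Oct 24 2008 21:31:10 pix1 IDS:6053 DNS all records request from 198.51.100.20 to 192.0.2.53 on interface outside",
    "Oct 24 2008 21:31:11 pix1 IDS:6053 DNS all records request from 198.51.100.20 to 192.0.2.54 on interface outside",
    "Oct 24 2008 21:40:00 pix1 IDS:6053 DNS all records request from 198.51.100.99 to 192.0.2.53 on interface outside",
    "Oct 24 2008 21:41:00 pix1 some unrelated message",
]

def summarize(lines, repeat_threshold=3):
    """Return {source: (alert_count, sorted_destinations, label)}.

    'repeated-single-server': many ANY queries from one address to one server;
        the address may be forged, so check whether the server answers them.
    'multiple-servers': one address querying several servers, closer to the
        scanning case; worth checking server logs for denied AXFR attempts.
    'isolated': anything else.
    """
    hits = Counter()
    targets = defaultdict(set)
    for line in lines:
        m = IDS_6053.search(line)
        if m is None:
            continue  # not an IDS:6053 alert
        hits[m["src"]] += 1
        targets[m["src"]].add(m["dst"])
    report = {}
    for src, count in hits.items():
        if len(targets[src]) > 1:
            label = "multiple-servers"
        elif count >= repeat_threshold:
            label = "repeated-single-server"
        else:
            label = "isolated"
        report[src] = (count, sorted(targets[src]), label)
    return report

if __name__ == "__main__":
    for src, row in sorted(summarize(SAMPLE).items()):
        print(src, row)
```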