DNS Attack ??

pauloroque
Level 1

My PIX (ver 8.0) has 'ip audit' turned on and it is logging a lot of messages of this type:

"IDS:6053 DNS all records request from <source_ip> to <dest_ip> on interface outside".

These messages indicate that there are DNS queries of 'type any' going on. My DNS servers are working properly. There are about 30 DNS zones hosted on them. So, my questions are:

Is there any attack associated with this type of messages?

Is this type of traffic normal?

Is this type of query common?

Thanks in advance.

Paulo Roque

2 Replies

bwilmoth
Level 5

The description of your signature message is “Triggers on a DNS request for all records. This signature indicates that your network may be under reconnaissance”. Here "reconnaissance" means investigation, inspection, exploration, or survey, so in my mind it might be an attack and not just an informative message. This message is generally associated with network scans based on DNS queries sent to your network. As per the below URL, this message is informative and does not suggest an attack on the network.

The only attack I can think of here is a DDoS amplification attack - if someone sends a DNS UDP query to your server with a forged source IP, this may potentially flood this IP with DNS requests it has never sent. But if your DNS server doesn't answer such a query then even this won't work.

Regarding scanning, probably too, but then I'd also look in the DNS server logs for denied attempts to do an AXFR zone transfer, as this is a logical step to take when you are scanning a DNS for as much info as possible.
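
A triage sketch for the two readings given in the replies above, as an added example that is not part of the original thread: it groups the IDS:6053 messages by source to separate repeated 'type any' queries from one claimed address from one address querying several servers. It parses only the message text quoted in the question; the thresholds, the `triage` helper and the sample addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches only the message text quoted in the question; anything before "IDS:" is ignored.
IDS_6053 = re.compile(
    r"IDS:6053 DNS all records request from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<ifc>\w+)"
)

def triage(lines, repeat_min=4, sweep_min=3):
    """Split IDS:6053 sources into repeaters and sweepers.

    repeaters: a claimed source sending many ANY queries to few servers. Over UDP the
               source may be forged, so this address can be the flood target.
    sweepers:  one source asking several different servers, which looks like a survey.
    Both thresholds are assumptions to tune against your own baseline.
    """
    hits = Counter()
    targets = defaultdict(set)
    for line in lines:
        m = IDS_6053.search(line)
        if m:
            hits[m["src"]] += 1
            targets[m["src"]].add(m["dst"])
    repeaters = {s: n for s, n in hits.items()
                 if n >= repeat_min and len(targets[s]) < sweep_min}
    sweepers = {s: sorted(targets[s]) for s in hits if len(targets[s]) >= sweep_min}
    return repeaters, sweepers

# Constructed sample log lines (documentation address ranges, not real traffic).
FMT = "IDS:6053 DNS all records request from {} to {} on interface outside"
SAMPLE = (
    [FMT.format("203.0.113.7", "192.0.2.53")] * 5
    + [FMT.format("198.51.100.20", d) for d in ("192.0.2.53", "192.0.2.54", "192.0.2.55")]
    + [FMT.format("198.51.100.99", "192.0.2.53"), "unrelated syslog line"]
)

if __name__ == "__main__":
    repeaters, sweepers = triage(SAMPLE)
    print("repeated ANY queries (check for forged source):", repeaters)
    print("ANY queries across several servers (check for AXFR attempts):", sweepers)
```

Sources listed as sweepers are the ones worth cross-checking against denied AXFR attempts in the DNS server logs.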
