
DNS Attack ??

My PIX (ver 8.0) has 'ip audit' turned on and it is logging a lot of messages of this type:

IDS:6053 DNS all records request from <source_ip> to <dest_ip> on interface outside

These messages indicate that there are DNS queries of 'type any' going on. My DNS servers are working properly. There are about 30 DNS zones hosted on them. So, my questions are:

Is there any attack associated with this type of message?

Is this type of traffic normal?

Is this type of query common?

Thanks in advance.

Paulo Roque


Re: DNS Attack ??

The description of your signature message is "Triggers on a DNS request for all records. This signature indicates that your network may be under reconnaissance", where "reconnaissance" means investigation, inspection, exploration, or survey, so in my mind it might be an attack and not just an informative message. This message is generally associated with network scans based on DNS queries sent to your network. As per the below URL, this message is informative and does not suggest an attack on the network.


Re: DNS Attack ??

The only attack I can think of here is a DDoS amplification attack: if someone sends a DNS UDP query to your server with a forged source IP, this may potentially flood this IP with DNS requests it has never sent. But if your DNS server doesn't answer such a query, then even this won't work.

Regarding scanning, probably too, but then I'd also look in the DNS server logs for denied attempts to do an AXFR zone transfer, as this is a logical step when you are scanning a DNS server for as much info as possible.
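The two replies above describe three different things that can produce a burst of IDS:6053 hits: a scanner walking the hosted zones with ANY queries (and usually trying AXFR next), a reflection flood where the "source" of the ANY queries is really a spoofed victim, and ordinary resolvers that send the occasional ANY. The firewall message alone only gives source and destination, so telling them apart needs the DNS server's own query log joined with the PIX counts. The script below is an added example written for this thread, not code from the original posts or from Cisco; the PIX syslog lines and the BIND-style query-log and "zone transfer denied" lines are constructed samples, their exact formats are an assumption you should adjust to your own logs, and the thresholds are illustrative.

```python
"""Triage of PIX 'IDS:6053 DNS all records request' hits.

Added example, not code from the thread or from Cisco. All log lines below
are constructed samples; the BIND-style line formats and the thresholds are
assumptions, adjust them to your own logs.
"""
import re
from collections import defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# The part of the PIX 'ip audit' message quoted in the question.
PIX_RE = re.compile(
    rf"IDS:6053 DNS all records request from (?P<src>{IPV4}) "
    rf"to (?P<dst>{IPV4}) on interface (?P<iface>\S+)"
)
# Assumed BIND-style query log line and zone-transfer denial line.
BIND_QUERY_RE = re.compile(
    rf"client (?P<src>{IPV4})#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
BIND_AXFR_RE = re.compile(
    rf"client (?P<src>{IPV4})#\d+: zone transfer '(?P<zone>[^']+)' denied"
)


def parse_pix(lines):
    """Count IDS:6053 hits per source IP; the firewall only sees src/dst."""
    hits = defaultdict(int)
    for line in lines:
        m = PIX_RE.search(line)
        if m:
            hits[m.group("src")] += 1
    return dict(hits)


def parse_bind(lines):
    """Per source IP: names asked for with qtype ANY, and zones where AXFR was denied."""
    stats = defaultdict(lambda: {"any_names": [], "axfr_zones": set()})
    for line in lines:
        m = BIND_QUERY_RE.search(line)
        if m:
            if m.group("qtype") == "ANY":
                stats[m.group("src")]["any_names"].append(m.group("name").lower().rstrip("."))
            continue
        m = BIND_AXFR_RE.search(line)
        if m:
            stats[m.group("src")]["axfr_zones"].add(m.group("zone"))
    return dict(stats)


def zone_of(name):
    """Crude zone guess: the last two labels (good enough for the sample data)."""
    return ".".join(name.split(".")[-2:])


def classify(stats, any_threshold=20, zone_threshold=5):
    """Label each source with one of the patterns the replies describe.

    axfr-probe  : tried a zone transfer, the reconnaissance step the second reply mentions
    recon-scan  : ANY queries spread over many of the hosted zones
    reflection? : many ANY queries, all for one name, from one 'source'; with a forged
                  source address that IP is the flood's victim, not the sender
    benign      : a handful of ANY queries and nothing else
    """
    verdicts = {}
    for src, s in stats.items():
        names = s["any_names"]
        if s["axfr_zones"]:
            verdict = "axfr-probe"
        elif len({zone_of(n) for n in names}) >= zone_threshold:
            verdict = "recon-scan"
        elif len(names) >= any_threshold and len(set(names)) == 1:
            verdict = "reflection?"
        else:
            verdict = "benign"
        verdicts[src] = verdict
    return verdicts


def triage(pix_lines, bind_lines):
    """Join firewall counts with server-side evidence: {src: (hits, verdict)}."""
    counts = parse_pix(pix_lines)
    verdicts = classify(parse_bind(bind_lines))
    return {src: (counts.get(src, 0), verdicts.get(src, "no-server-evidence")) for src in counts}


# Constructed sample data (documentation/test ranges, not real hosts).
SCANNER, SCANNER2, VICTIM, RESOLVER = "203.0.113.7", "203.0.113.99", "198.51.100.20", "192.0.2.55"
NS = "192.0.2.10"  # the authoritative server behind the PIX

SAMPLE_PIX = [
    f"IDS:6053 DNS all records request from {src} to {NS} on interface outside"
    for src in [SCANNER] * 6 + [SCANNER2] * 5 + [VICTIM] * 25 + [RESOLVER] * 2
]
SAMPLE_BIND = (
    [f"client {SCANNER}#4{i:04d}: query: zone{i}.example IN ANY + ({NS})" for i in range(6)]
    + [f"client {SCANNER}#40099: zone transfer 'zone1.example/IN' denied"]
    + [f"client {SCANNER2}#5{i:04d}: query: www.zone{i}.example IN ANY + ({NS})" for i in range(6, 11)]
    + [f"client {VICTIM}#{p}: query: example.net IN ANY + ({NS})" for p in range(3000, 3025)]
    + [f"client {RESOLVER}#5353: query: mail.example.org IN ANY + ({NS})"] * 2
)

if __name__ == "__main__":
    for src, (n, verdict) in triage(SAMPLE_PIX, SAMPLE_BIND).items():
        print(f"{src:16} {n:4d} IDS:6053 hits  ->  {verdict}")
```

The "zone transfer denied" lines only exist if the server is configured to refuse transfers to strangers (in BIND that is the `allow-transfer` option), which is what the second reply assumes when it says to look for denied AXFR attempts; if your server allows transfers to anyone, a scanner's AXFR would succeed silently and you would want to fix that before reading any more IDS:6053 hits.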
