[dns-operations] bind-9.9.4-P1 crash
Dnsbed Ops
ops at dnsbed.com
Wed Dec 18 06:02:15 UTC 2013
I am glad to see there is an administrator from Google.
In fact our nameservers have blocked a lot of IPs from Google.
All the queries from those IPs are going with this style:
74.125.191.84#63255: query: qalljrwww.byw.so
74.125.41.20#53581: query: womciswww.byw.so
And the count is huge. So I dropped them.
Can you help take a look from your end?
Thanks.
On 2013-12-18 11:59, Damian Menscher wrote:
> I'm interested in more details. In particular, it would help to know:
> - is the trigger a well-formed DNS query or a crafted packet?
> - does this affect authoritative servers or recursives?
> - or is the problem actually in the response (through a recursive)
> from some evil authoritative server?
>
> Even if you don't want to share the specifics, knowing the answers to
> these questions would help people judge the risks.
>