Update 2 (Dec-2013):
The whois suggests the domain was moved to eNom, Inc. and now has the following name servers:
packetdevil.com. 172800 IN NS ns1.packetdevil.com.
packetdevil.com. 172800 IN NS ns2.packetdevil.com.
ns1.packetdevil.com. 84134 IN A 192.184.82.100
ns2.packetdevil.com. 84126 IN A 192.184.82.100
Update 1 (August 7): Seeing a.packetdevil.com as well. 253 A records.
02-Aug-2013 16:xx: client 89.248.168.219: query: packetdevil.com IN ANY +E
DNS entries have recently been removed or are currently being changed, as not all DNS servers return any entries. At least the following entries have been seen:
;packetdevil.com. IN ANY
;; ANSWER SECTION:
packetdevil.com. 85120 IN NS pat.ns.cloudflare.com.
packetdevil.com. 85120 IN NS hugh.ns.cloudflare.com.
;; ADDITIONAL SECTION:
hugh.ns.cloudflare.com. 86356 IN A 173.245.59.117
pat.ns.cloudflare.com. 86260 IN A 173.245.58.139
IPtables:
Seen some search queries for an iptables rule to block this stuff. So here you go:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0b504143 && 0x2c&0xDFDFDFDF=0x4b455444 && 0x30&0xDFDFDFDF=0x4556494c && 0x34&0xFFDFDFDF=0x03434f4d && 0x38&0xFFFFFFFF=0x0000ff00" -j DROP -m comment --comment "DROP DNS Q ANY packetdevil.com"
Added rule for a.packetdevil.com:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFFFDF=0x01410b50 && 0x2c&0xDFDFDFDF=0x41434b45 && 0x30&0xDFDFDFDF=0x54444556 && 0x34&0xDFDFFFDF=0x494c0343 && 0x38&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q a.packetdevil.com"
For more iptables rules check my github:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
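The two u32 rules above are hand-encoded from the DNS wire format; as an added example (not the author's code, nor from the linked repository), here is a small Python helper that derives the offset/mask/value words for any query name and QTYPE and checks them against a constructed UDP/DNS packet, so it goes beyond the page's two rules. It assumes an IPv4 header without options, which is what the 0x28 offset in the rules encodes; a query carrying IP options shifts the question section and is not matched by rules written this way.

```python
import struct

def qname_wire(name):
    """DNS wire-format QNAME as (byte, is_letter) pairs: length-prefixed labels,
    terminated by a zero byte. is_letter marks bytes that get a case-folding mask."""
    out = []
    for label in name.strip(".").split("."):
        out.append((len(label), False))
        out.extend((b, chr(b).isalpha()) for b in label.encode("ascii"))
    out.append((0, False))
    return out

def u32_expression(name, qtype=0xFF, qclass=1):
    """iptables -m u32 expression matching a UDP query for name/qtype (0xFF = ANY).
    Offsets count from the IPv4 header: 20 (no options) + 8 (UDP) + 12 (DNS header) = 0x28.
    Letters use mask 0xDF (bit 0x20 cleared) so either case matches; lengths, the
    terminator and QTYPE/QCLASS use 0xFF. Only whole 4-byte words are emitted, so a
    trailing partial word (here the low QCLASS byte) is dropped, as in the rules above."""
    wire = qname_wire(name) + [(b, False) for b in struct.pack("!HH", qtype, qclass)]
    terms = []
    for i in range(0, len(wire) - 3, 4):
        mask = value = 0
        for b, letter in wire[i:i + 4]:
            m = 0xDF if letter else 0xFF
            mask, value = (mask << 8) | m, (value << 8) | (b & m)
        terms.append("0x%x&0x%08X=0x%08x" % (0x28 + i, mask, value))
    return " && ".join(terms)

def u32_matches(expression, packet):
    """Evaluate an '&&'-joined expression of the form built above against a raw IPv4 packet."""
    for term in expression.split(" && "):
        off, rest = term.split("&", 1)
        mask, value = rest.split("=")
        off = int(off, 16)
        if off + 4 > len(packet):   # u32 treats a read past the end of the packet as no match
            return False
        word = struct.unpack("!I", packet[off:off + 4])[0]
        if word & int(mask, 16) != int(value, 16):
            return False
    return True

def dns_query_packet(name, qtype=0xFF):
    """Constructed IPv4/UDP/DNS query for testing (checksums left zero; only layout matters)."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)          # ID, RD flag, QDCOUNT=1
    dns += bytes(b for b, _ in qname_wire(name)) + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)            # src port, dst 53, len, csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(dns), 0, 0, 64, 17,
                     0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")      # IHL=5, protocol 17 = UDP
    return ip + udp + dns
```

u32_expression("packetdevil.com") reproduces the first rule's expression byte for byte, and u32_expression("a.packetdevil.com") the second (which, lacking the QTYPE low byte, drops every query type for that name, not just ANY).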
Whois:
Registration Service Provided By: Namecheap.com
Contact:
Visit: http://namecheap.com
Registered through: eNom, Inc.
Domain name: packetdevil.com
Registrant Contact:
WhoisGuard, Inc.
WhoisGuard Protected ()
Fax:
P.O. Box 0823-03411
Panama, Panama NA
PA
Administrative Contact:
WhoisGuard, Inc.
WhoisGuard Protected ()
+507.8365503
Fax: +51.17057182
P.O. Box 0823-03411
Panama, Panama NA
PA
Technical Contact:
WhoisGuard, Inc.
WhoisGuard Protected ()
+507.8365503
Fax: +51.17057182
P.O. Box 0823-03411
Panama, Panama NA
PA
Status: Locked
Name Servers:
hugh.ns.cloudflare.com
pat.ns.cloudflare.com
Creation date: 24 May 2013 13:40:00
Expiration date: 24 May 2014 13:40:00
Source:
The IP 89.248.168.219, part of the Ecatel network, has been seen before:
26-Jun-2013 03:45:28.518 client 89.248.168.219: query: nukes.directedat.asia IN ANY +E
01-Jul-2013 22:59: client 89.248.168.219: query: 1rip.com IN A +E
01-Jul-2013 22:59: client 89.248.168.219: query: 1rip.com IN A +E
01-Jul-2013 22:59: client 89.248.168.219: query: 1rip.com IN A +E
18-Jul-2013 17:03: client 89.248.168.219: query: d.directedat.asia IN ANY +E
24-Jul-2013 18:43: client 89.248.168.219: query: d.directedat.asia IN ANY +E
02-Aug-2013 16:48: client 89.248.168.219: query: packetdevil.com IN ANY +E
I'm using CentOS 5.5 and got this error: 'iptables v1.3.5: Couldn't load match `u32':/lib/iptables/libipt_u32.so: cannot open shared object file: No such file or directory'. How can I fix this?
From what I heard, CentOS does not support the iptables u32 module.. So after a few people complained I've written rules that I think should work for you. You can find them on my github:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
It uses the string module. Hope this works/helps you!
Thank you for your help, but now I get this error: 'iptables: Unknown error 4294967295'
Beats me.. sorry!
I just discovered my named server was being brought to its knees with messages that look like: named[29305]: client 24.2.64.93#2216: error sending response: unexpected error
Searching for the error did little. When I looked at packets via tcpdump and Wireshark I saw "size limited during capture" in response to two simultaneous requests on consecutive IPs for a Standard query A a.packetdevil.com. I applied the packetdevil rules from the link in the comments on my CentOS 5.6 box and they worked! Thanks so much!
I am still seeing plenty of queries via tcpdump, but not in my log files. I am seeing ns1.fkfkfkfa.com now as well...