Friday, March 14, 2014

Domain: admin.blueorangecare.com

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.


Iptables:

There are two iptables rules available. If your distribution's kernel supports the iptables 'u32' match module, pick this one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0541444d && 0x2c&0xDFDFFFDF=0x494e0e42 && 0x30&0xDFDFDFDF=0x4c55454f && 0x34&0xDFDFDFDF=0x52414e47 && 0x38&0xDFDFDFDF=0x45434152 && 0x3c&0xDFFFDFDF=0x4503434f && 0x40&0xDFFF0000=0x4d000000" -j DROP -m comment --comment "DROP DNS Q admin.blueorangecare.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 66 --algo bm --hex-string '|0561646d696e0E626c75656f72616e67656361726503636f6d00|' -j DROP -m comment --comment "DROP DNS Q admin.blueorangecare.com"

More iptables rules for the string module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
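The two rules above are the same match written two ways: the u32 rule compares the question name one 32-bit word at a time, with a 0xDF mask on every letter so that upper- and lower-case spellings both match, while the string rule looks for the exact wire-format bytes of the name in the window where the question name sits. The following Python script is an added example, not code from the original post or from the linked smurfmonitor repository. It generates both rules for any domain and includes a small packet builder and matcher to show the case-sensitivity difference. It assumes IPv4 with a 20-byte header (no options), UDP, and the question name at DNS payload offset 12, which is what the fixed offsets starting at 0x28 in the u32 rule presuppose; the sample packets it builds are constructed here for the demonstration.

```python
"""Generate the u32 and string iptables rules that drop UDP/53 queries for a name.

Added example, not code from the original post. Assumptions: IPv4 header of
20 bytes (no options), UDP, question name at DNS payload offset 12.
"""
import string

IP_HDR, UDP_HDR, DNS_HDR = 20, 8, 12
QNAME_OFFSET = IP_HDR + UDP_HDR + DNS_HDR        # 40: where the QNAME starts in the IP packet
LETTERS = frozenset(string.ascii_letters.encode())


def wire_qname(domain: str) -> bytes:
    """DNS wire form: a length byte and the label for each label, then the 0x00 root terminator."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def byte_masks(qname: bytes) -> bytes:
    """Per-byte masks for a case-insensitive match: 0xDF clears bit 5 of an ASCII letter
    (so 'a' and 'A' compare equal); length bytes, digits, hyphens and the terminator are exact."""
    masks, i = bytearray(), 0
    while qname[i] != 0:
        n = qname[i]
        masks.append(0xFF)
        masks += bytes(0xDF if b in LETTERS else 0xFF for b in qname[i + 1:i + 1 + n])
        i += 1 + n
    masks.append(0xFF)
    return bytes(masks)


def u32_expression(qname: bytes) -> str:
    """One 'offset&mask=value' test per 32-bit word of the QNAME; bytes past the
    terminator in the last word are masked out with 0x00."""
    masks, tests = byte_masks(qname), []
    for off in range(0, len(qname), 4):
        word = mask = 0
        for j in range(off, off + 4):
            b, m = (qname[j], masks[j]) if j < len(qname) else (0, 0)
            word, mask = (word << 8) | (b & m), (mask << 8) | m
        tests.append(f"0x{QNAME_OFFSET + off:x}&0x{mask:08X}=0x{word:08x}")
    return " && ".join(tests)


def u32_rule(domain: str) -> str:
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_expression(wire_qname(domain))}" '
            f'-j DROP -m comment --comment "DROP DNS Q {domain}"')


def string_rule(domain: str) -> str:
    """The string-module variant: exact bytes of the QNAME, scanned only over the window
    where the question name can sit. Unlike u32 this is case-sensitive."""
    qname = wire_qname(domain)
    return (f"iptables --insert INPUT -p udp --dport 53 -m string --from {QNAME_OFFSET} "
            f"--to {QNAME_OFFSET + len(qname)} --algo bm --hex-string '|{qname.hex()}|' "
            f'-j DROP -m comment --comment "DROP DNS Q {domain}"')


def build_query_packet(domain: str, qtype: int = 16) -> bytes:
    """Constructed sample packet: minimal IPv4 + UDP + DNS query (qtype 16 = TXT).
    Addresses, checksums and IDs are zero; only the layout matters for offset checks."""
    dns = (b"\x00\x01\x01\x00\x00\x01" + b"\x00" * 6 + wire_qname(domain)
           + qtype.to_bytes(2, "big") + b"\x00\x01")
    udp = b"\xc0\x00\x00\x35" + (UDP_HDR + len(dns)).to_bytes(2, "big") + b"\x00\x00"
    ip = (b"\x45\x00" + (IP_HDR + len(udp) + len(dns)).to_bytes(2, "big")
          + b"\x00\x00\x00\x00\x40\x11" + b"\x00" * 10)
    return ip + udp + dns


def u32_matches(expression: str, packet: bytes) -> bool:
    """Evaluate the 'offset&mask=value && ...' form emitted above against a raw IPv4 packet."""
    for test in expression.split(" && "):
        lhs, value = test.split("=")
        offset, mask = lhs.split("&")
        off = int(offset, 16)
        if off + 4 > len(packet):
            return False
        if int.from_bytes(packet[off:off + 4], "big") & int(mask, 16) != int(value, 16):
            return False
    return True


def string_matches(domain: str, packet: bytes) -> bool:
    """What the string rule does: look for the exact QNAME bytes inside the --from/--to window."""
    qname = wire_qname(domain)
    return qname in packet[QNAME_OFFSET:QNAME_OFFSET + len(qname)]


if __name__ == "__main__":
    print(u32_rule("admin.blueorangecare.com"))
    print(string_rule("admin.blueorangecare.com"))
```

Running the script prints both rules for admin.blueorangecare.com and reproduces the lines above (the hex string is emitted in lowercase; iptables accepts either case). A caveat the absolute offsets carry: a query whose IP header carries options shifts the question name and slips past both rules. The u32 module can be written relative to the IP header length instead (the `0>>22&0x3C@` form from the iptables-extensions manual); the generator keeps the fixed offsets so its output matches the post.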

Source:

74.125.128.101

Name server:

;; ANSWER SECTION:
blueorangecare.com. 21599 IN NS ns2.seekdotnet.com.
blueorangecare.com. 21599 IN NS ns1.seekdotnet.com.

Response:

TXT 10
Rsize 2670


Whois:

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: BLUEORANGECARE.COM
Registrar: DOMAIN.COM, LLC
Whois Server: whois.domain.com
Referral URL: http://www.domain.com
Name Server: NS1.SEEKDOTNET.COM
Name Server: NS2.SEEKDOTNET.COM
Status: ok
Updated Date: 27-feb-2014
Creation Date: 05-feb-2006
Expiration Date: 05-feb-2015

>>> Last update of whois database: Sat, 15 Mar 2014 02:13:50 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: BLUEORANGECARE.COM
Registry Domain ID: 335428018_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domain.com
Registrar URL: www.domain.com
Updated Date: 2014-02-27 04:39:15
Creation Date: 2006-02-05 12:10:35
Registrar Registration Expiration Date: 2015-02-05 12:10:35
Registrar: Domain.com, LLC
Registrar IANA ID: 886
Registrar Abuse Contact Email: compliance@domain-inc.net
Registrar Abuse Contact Phone: +1.6027165396
Reseller: Dotster.com
Reseller: support@dotster-inc.com
Reseller: +1.8004015250
Domain Status: ok
Registry Registrant ID:
Registrant Name: unknown unknown
Registrant Organization: Mr. Bhail
Registrant Street: 81, Broad Walk
Registrant City: Heston
Registrant State/Province: Middlesex
Registrant Postal Code: TW5 9AA
Registrant Country: GB
Registrant Phone: 02085709000
Registrant Phone Ext:
Registrant Fax: 02085709000
Registrant Fax Ext:
Registrant Email: Jit@Bhail.com
Registry Admin ID:
Admin Name: unknown unknown
Admin Organization: Mr. Bhail
Admin Street: 81, Broad Walk
Admin City: Heston
Admin State/Province: Middlesex
Admin Postal Code: TW5 9AA
Admin Country: GB
Admin Phone: 02085709000
Admin Phone Ext:
Admin Fax: 02085709000
Admin Fax Ext:
Admin Email: Jit@Bhail.com
Registry Tech ID:
Tech Name: unknown unknown
Tech Organization: Mr. Bhail
Tech Street: 81, Broad Walk
Tech City: Heston
Tech State/Province: Middlesex
Tech Postal Code: TW5 9AA
Tech Country: GB
Tech Phone: 02085709000
Tech Phone Ext:
Tech Fax: 02085709000
Tech Fax Ext:
Tech Email: Jit@Bhail.com
Name Server: NS2.SEEKDOTNET.COM
Name Server: NS1.SEEKDOTNET.COM
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-02-27 04:39:15 <<<

Registration Service Provider:
Dotster.com, support@dotster-inc.com
+1.8004015250
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

1 comment:

  1. Did you not notice that Google servers performed these attacks?
    All attacks originate from the following ranges (multiple IPs from Google are involved): 74.125.0.0/16 and 173.194.0.0/16.
    All attacks are TXT queries, and you will notice in the next few days that more domains will be affected:
    www.google.com TXT
    www.youtube.com TXT
    www.amazon.com TXT
    www.yahoo.com TXT
    www.ibm.com TXT
    admin.wilyee.com TXT
    admin.blueorangecare.com TXT
    admin.brucechao.com TXT

    I had to block incoming IP ranges as described above. Google seems to have some problems and their servers are not under their control. Or maybe it is intentional by Google.

    Cheers