If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.
If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.
IPtables:
There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.
U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a454e45 && 0x2c&0xDFDFDFDF=0x52475953 && 0x30&0xDFDFDFFF=0x54415203 && 0x34&0xDFDFDFFF=0x474f5600 && 0x38&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS ANY Q energystar.gov"
More U32 rules can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|0A656e657267797374617203676f760000ff|' -j DROP -m comment --comment "DROP DNS ANY Q energystar.gov"
More Iptables rules for the STRING module can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
Source:
No IP source for this domain
Name server:
;; ANSWER SECTION:
energystar.gov. 21599 IN NS ns01-100.energystar.gov.
energystar.gov. 21599 IN NS ns02-100.energystar.gov.
Response:
A 21
AAAA 3
DNSKEY 11
MX 6
NS 16
NSEC 2
RRSIG 10
SOA 3
TXT 3
Rsize 5423
Whois
% DOTGOV WHOIS Server ready
Domain Name: ENERGYSTAR.GOV
Status: ACTIVE
>>> Last update of whois database: 2014-10-13T23:01:26Z <<<
Please be advised that this whois server only contains information pertaining
to the .GOV domain. For information for other domains please use the whois
server at RS.INTERNIC.NET.
No comments:
Post a Comment