If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.
If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.
Iptables:
Two iptables rules are available. If your distribution supports the iptables 'u32' module, use that rule; otherwise use the 'string' rule.
U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x094e4c48 && 0x2c&0xDFDFDFDF=0x4f535449 && 0x30&0xDFDFFFDF=0x4e47024e && 0x34&0xDFFFFFFF=0x4c0000FF" -j DROP -m comment --comment "DROP DNS Q nlhosting.nl"
More U32 rules can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|096e6c686f7374696e67026e6c0000ff|' -j DROP -m comment --comment "DROP DNS Q nlhosting.nl"
More iptables rules for the string module can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
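How the two rules above are derived from the domain name, as an added example (not code from this blog or from the linked rule lists): it encodes the question as it appears on the wire and reproduces the u32 terms and the hex string shown above. The function names are this example's own, and the fixed offset of 40 assumes an IPv4 header without options, which is what the 0x28 in the rule implies.

```python
import struct

# Offset of the DNS question from the start of the IPv4 packet, assuming a
# 20-byte IP header (no options) + 8-byte UDP header + 12-byte DNS header.
QUESTION_OFFSET = 40  # 0x28, the first offset in the page's u32 rule

def question_bytes(domain, qtype=255):
    """Return (wire, mask) for QNAME + QTYPE; qtype 255 is ANY.
    mask is 0xDF on letters (clears the case bit 0x20) and 0xFF elsewhere."""
    wire, mask = bytearray(), bytearray()
    for label in domain.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        wire.append(len(raw))          # length byte, matched exactly
        mask.append(0xFF)
        for b in raw:
            wire.append(b)
            mask.append(0xDF if chr(b).isalpha() else 0xFF)
    wire += b"\x00" + struct.pack("!H", qtype)   # root label, then QTYPE
    mask += b"\xff\xff\xff"
    return bytes(wire), bytes(mask)

def u32_terms(domain, qtype=255):
    """Split the question into (offset, mask, value) 32-bit comparisons."""
    wire, mask = question_bytes(domain, qtype)
    starts = list(range(0, len(wire) - 3, 4))
    if len(wire) % 4:
        # Tail shorter than a word: overlap the previous word rather than
        # reading bytes beyond the QTYPE.
        starts.append(len(wire) - 4)
    terms = []
    for s in starts:
        m = int.from_bytes(mask[s:s + 4], "big")
        v = int.from_bytes(wire[s:s + 4], "big") & m
        terms.append((QUESTION_OFFSET + s, m, v))
    return terms

def u32_expr(domain, qtype=255):
    """Argument for --u32."""
    return " && ".join("0x%x&0x%08X=0x%08x" % t for t in u32_terms(domain, qtype))

def string_match(domain, qtype=255):
    """(--from, --to, hex pattern) for the string module; case-sensitive."""
    wire, _ = question_bytes(domain, qtype)
    return QUESTION_OFFSET, QUESTION_OFFSET + len(wire), wire.hex()

if __name__ == "__main__":
    print(u32_expr("nlhosting.nl"))       # domain and QTYPE taken from the page
    print(string_match("nlhosting.nl"))
```

The 0xDF masks make the u32 rule match the name in any letter case, while the string rule's hex pattern is byte-exact and only matches the all-lowercase spelling. Both rules match only ANY (QTYPE 255) queries for the name.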
Source:
No IP source for this domain
Name server:
;; ANSWER SECTION:
nlhosting.nl. 10799 IN NS ns.nlhosting.net.
nlhosting.nl. 10799 IN NS ns1.nlhosting.net.
Response:
A 14
DNSKEY 4
MX 4
NS 9
NSEC3PARAM 2
RRSIG 9
SOA 2
TXT 2
TYPE65534 3
Rsize 3635
Whois:
Domain name: nlhosting.nl
Status: active
Registrar:
NL Hosting Internet Solutions bv
Kerkstraat 1
6669DA DODEWAARD
Netherlands
DNSSEC: yes
Domain nameservers:
ns.nlhosting.net
ns1.nlhosting.net
Record maintained by: NL Domain Registry
Great article, it was very helpful! I just started in this and I'm getting to know it better! Cheers, keep up the good work!