If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.
If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.
Iptables:
There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.
U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x03303637 && 0x2c&0xFFDFDFFF=0x02435a00 && 0x30&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q 067.cz"
More U32 rules can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 50 --algo bm --hex-string '|0330363702637a0000ff|' -j DROP -m comment --comment "DROP DNS Q 067.cz"
More Iptables rules for the STRING module can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
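As an added example (not part of this post or of the smurfmonitor rule set), the Python script below spells out what the two rules above actually test. It builds a constructed IPv4/UDP/DNS query packet (TEST-NET-1 addresses, zero checksums), then re-implements the u32 test string and the string-module search in Python so the two can be compared on the same bytes: the u32 rule masks the ASCII case bit (0x20) of the "cz" label, the string rule is a byte-exact search, and both only fire on QTYPE ANY. The function and variable names are mine; the offsets, hex values and the 6684-byte Rsize are taken from the rules and the record on this page.

```python
import struct

# Both rules read from byte 40 (0x28) of the packet: a 20-byte IPv4 header
# (no options) + 8-byte UDP header + 12-byte DNS header puts the first byte
# of QNAME at offset 40.
QNAME_OFFSET = 40
QTYPE_ANY = 0x00FF
QTYPE_A = 0x0001
# Rsize from the record on this page: size of the ANY response for 067.cz.
RESPONSE_SIZE_067CZ = 6684
# The hex pattern used by the string rule, copied from the rule itself:
# 0x03 "067" 0x02 "cz" 0x00, then QTYPE 0x00ff (ANY).
STRING_RULE_PATTERN = bytes.fromhex("0330363702637a0000ff")


def build_dns_query_packet(qname, qtype, txid=0x1234, src_port=40000):
    """Constructed sample input: a minimal IPv4/UDP/DNS query for qname/qtype.
    Addresses come from the TEST-NET-1 documentation range and checksums are
    left at zero; neither rule inspects them."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question  # RD=1, QDCOUNT=1
    udp = struct.pack("!HHHH", src_port, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    return ip + udp


def _u32(pkt, offset):
    """Read a big-endian 32-bit word at offset, as the u32 module does."""
    return struct.unpack("!I", pkt[offset:offset + 4])[0]


def matches_u32_rule(pkt):
    """Python rendering of the u32 test
    0x28=0x03303637 && 0x2c&0xFFDFDFFF=0x02435a00 && 0x30&0xFFFF0000=0x00FF0000
    Word 1: length byte 3 then "067"; word 2: length byte 2, "cz", root label,
    with bit 0x20 (ASCII case) masked off in the two letters so "CZ" matches too;
    word 3: QTYPE in the high 16 bits must equal ANY (0x00ff)."""
    if len(pkt) < 0x34:            # u32 does not match packets too short to read
        return False
    return (_u32(pkt, 0x28) == 0x03303637
            and _u32(pkt, 0x2C) & 0xFFDFDFFF == 0x02435A00
            and _u32(pkt, 0x30) & 0xFFFF0000 == 0x00FF0000)


def matches_string_rule(pkt):
    """The string rule: the 10-byte pattern must lie inside bytes [40, 50)
    (--from 40 --to 50). Being a byte-exact search it is case-sensitive."""
    return STRING_RULE_PATTERN in pkt[40:50]


def dns_payload_len(pkt):
    """DNS bytes in the packet (strip the 20-byte IP and 8-byte UDP headers)."""
    return len(pkt) - 28


def amplification_factor(response_size, query_pkt):
    """Response bytes per query byte, measured at the DNS payload level."""
    return response_size / dns_payload_len(query_pkt)


if __name__ == "__main__":
    samples = [("067.cz", QTYPE_ANY), ("067.CZ", QTYPE_ANY),
               ("067.cz", QTYPE_A), ("example.com", QTYPE_ANY)]
    for name, qtype in samples:
        pkt = build_dns_query_packet(name, qtype)
        print(f"{name:12s} type={qtype:#06x} u32={matches_u32_rule(pkt)!s:5s} "
              f"string={matches_string_rule(pkt)}")
    q = build_dns_query_packet("067.cz", QTYPE_ANY)
    print(f"ANY query payload {dns_payload_len(q)} bytes -> response "
          f"{RESPONSE_SIZE_067CZ} bytes, amplification x"
          f"{amplification_factor(RESPONSE_SIZE_067CZ, q):.0f}")
```

Two things the script makes visible: the string rule misses an upper-case "067.CZ" query that the u32 rule still drops, and both rules ignore every QTYPE other than ANY, so they are a stop-gap against this one amplification pattern rather than a substitute for turning off open recursion. Both rules also hard-code a 20-byte IPv4 header; a packet carrying IP options shifts every offset and slips past them (u32 can compensate with its IHL-relative `@` addressing, the string module cannot).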
Source:
No IP source for this domain
Name server:
;; ANSWER SECTION:
067.cz. 958 IN NS ns4.gransy.com.
067.cz. 958 IN NS ns5.gransy.com.
067.cz. 958 IN NS ns3.gransy.com.
067.cz. 958 IN NS ns.gransy.com.
067.cz. 958 IN NS ns2.gransy.com.
Response (record counts by type):
A 14
DNSKEY 5
MX 4
NS 12
NSEC 2
RRSIG 10
SOA 3
SPF 3
TXT 4
Response size (Rsize): 6684 bytes
Whois:
% (c) 2006-2014 CZ.NIC, z.s.p.o.
%
% Intended use of supplied data and information
%
% Data contained in the domain name register, as well as information
% supplied through public information services of CZ.NIC association,
% are appointed only for purposes connected with Internet network
% administration and operation, or for the purpose of legal or other
% similar proceedings, in process as regards a matter connected
% particularly with holding and using a concrete domain name.
%
% Full text available at:
% http://www.nic.cz/page/306/intended-use-of-supplied-data-and-information/
%
% See also a search service at http://www.nic.cz/whois/
%
%
% Whoisd Server Version: 3.10.0
% Timestamp: Tue Nov 11 22:32:56 2014
domain: 067.cz
registrant: A24CONTACT-53436
admin-c: SB:SVIST21-S
nsset: NSS:GRANSY:3
registrar: REG-GRANSY
registered: 07.02.2013 15:06:26
changed: 11.01.2014 14:56:04
expire: 07.02.2015
contact: A24CONTACT-53436
org: Petr Koubský
name: Petr Koubský
address: Chvalova 1202/8
address: Praha 3
address: 130 00
address: CZ
registrar: REG-ACTIVE24
created: 01.12.2011 14:26:48
contact: SB:SVIST21-S
org: Svist 21 s.r.o.
name: Svist 21 s.r.o.
address: Dobrovskeho 36
address: Praha 7
address: 17000
address: CZ
registrar: REG-GRANSY
created: 05.10.2005 11:55:00
changed: 30.07.2014 09:47:05
nsset: NSS:GRANSY:3
nserver: ns.gransy.com
nserver: ns2.gransy.com
nserver: ns3.gransy.com
nserver: ns4.gransy.com
nserver: ns5.gransy.com
tech-c: GRANSY
registrar: REG-GRANSY
created: 01.10.2007 02:00:00
changed: 16.08.2010 00:39:13
contact: GRANSY
org: Gransy s.r.o.
name: Jan Horák
address: Bořivojova 878/35
address: Praha 3
address: 130 00
address: CZ
phone: +420.732954549
fax-no: +420.226517341
e-mail: info@gransy.com
registrar: REG-MOJEID
created: 23.08.2004 17:35:00
changed: 20.04.2011 14:22:45