DNS scans

speed01

Golden Member
Jan 23, 2001
1,167
0
0
Can anyone tell me why I am getting almost constant DNS scans?

Here's the situation;
Late last week my DSL provider decided to switch from a static IP scheme to dynamic. The whole time I had a static address I never got scanned for DNS resolution. Now, I'm constantly getting hit and it's getting really annoying.

Here's the setup;
I've got a W2K AS box doing DNS resolution for the internal network. 3 boxen pointing only to the server for DNS and the server pointing to the router, which then gets the DNS address through DHCP from the provider. None of the machines are pointing directly to the web for anything, so I can't see how any of them could possibly be advertising a DNS server to the internet.

If more in-depth configuration is needed, just ask.

Thanks.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
Is your DNS server set up as a forwarder? That would be the best way to run it.
I assume the DNS server IP you pull from your ISP is generally the same IP?
Set up your DNS to forward to that address, and make your DNS server a client of itself.

As for you getting scans, look and see what IPs / adapters your DNS is listening on. Ensure that it is only the internal subnet.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
What kind of scans are we talking about? Someone just looking for open port 53? Also, where are they coming from? Maybe there is a new BIND exploit out there or something...
 

speed01

Golden Member
Jan 23, 2001
1,167
0
0
None of the scans I'm registering in my router logs are coming from the internal network. They are all coming from different external addresses. They aren't even all coming from the same subnet, I just keep getting nailed with constant scans to port 53 and can't even attempt to keep up with them to see if they are from the same addresses, as soon as I try to track one down, another 50 or so come in. Man this is getting to be a pain!!
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Welcome to the Internet. If your router/firewall is correctly blocking this traffic, ignore it (it's really all you can do).
Bill
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
First thing you want to do is make sure they can't access it! Then see if you have anything misconfigured, or anything resolving names (these may be legitimate responses to your requests?).
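The triage n0cmonkey is asking for (what kind of port-53 hits these are, where they come from, and whether some are just answers to queries the forwarder itself sent out) and speed01's complaint about not being able to keep up with the router log, worked as an added Python example. This is not code from the thread. The log line format, the internal subnet 192.168.1.0/24, the router's public address 203.0.113.7 and the sample lines themselves are all constructed assumptions; a real router writes a different format, so `LINE_RE` is the part to adapt.

```python
"""Triage router firewall log entries involving UDP/TCP port 53.

Added example (not from the thread). Everything below the imports is an
assumption: the log format, the addresses, and the sample log.
"""
import ipaddress
import re
from collections import Counter

# Assumed topology: internal LAN behind a router whose public side is
# 203.0.113.7 (TEST-NET-3, documentation range).
INTERNAL = ipaddress.ip_network("192.168.1.0/24")

# Assumed generic log format: "<date> <time> <ACTION> <PROTO> src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ACCEPT) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: a burst of unsolicited hits on dport 53 from several
# unrelated external addresses, plus two genuine replies (sport 53, dport
# ephemeral) to queries our forwarder sent to the ISP resolver 198.51.100.200.
# Some probes use sport 53 too: old resolvers and scanners both do that.
SAMPLE_LOG = """\
2003-05-01 10:00:01 DROP UDP 198.51.100.23:53 -> 203.0.113.7:53
2003-05-01 10:00:01 DROP TCP 198.51.100.23:4021 -> 203.0.113.7:53
2003-05-01 10:00:02 DROP UDP 198.51.100.24:53 -> 203.0.113.7:53
2003-05-01 10:00:03 ACCEPT UDP 198.51.100.200:53 -> 203.0.113.7:1029
2003-05-01 10:00:03 DROP UDP 192.0.2.77:1234 -> 203.0.113.7:53
2003-05-01 10:00:04 ACCEPT UDP 198.51.100.200:53 -> 203.0.113.7:1030
2003-05-01 10:00:05 DROP TCP 192.0.2.77:4022 -> 203.0.113.7:53
2003-05-01 10:00:06 DROP UDP 198.51.100.23:53 -> 203.0.113.7:53
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label a record: 'internal', 'inbound_query', 'reply' or 'other'.

    inbound_query: an outside host sending to our port 53 (a probe or query).
    reply:         traffic *from* port 53 to one of our high ports, which is
                   what a legitimate answer to our own forwarder lookup looks like.
    """
    if ipaddress.ip_address(rec["src"]) in INTERNAL:
        return "internal"
    if rec["dport"] == 53:
        return "inbound_query"
    if rec["sport"] == 53 and rec["dport"] >= 1024:
        return "reply"
    return "other"


def triage(log_text):
    """Aggregate inbound port-53 hits by source, by /24, and by protocol."""
    by_src, by_net, by_proto = Counter(), Counter(), Counter()
    replies = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "inbound_query":
            by_src[rec["src"]] += 1
            net = ipaddress.ip_network(rec["src"] + "/24", strict=False)
            by_net[str(net)] += 1
            by_proto[rec["proto"]] += 1
        elif kind == "reply":
            replies += 1
    return {"by_src": by_src, "by_net": by_net, "by_proto": by_proto,
            "replies": replies}


def exposed_sources(log_text):
    """Sources whose inbound port-53 traffic the router ACCEPTED.

    An empty list is the outcome you want: the hits are noise the router is
    dropping. Anything here means the DNS server is reachable from outside.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "ACCEPT" and classify(rec) == "inbound_query":
            hits.append(rec["src"])
    return sorted(set(hits))


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("top sources:", summary["by_src"].most_common(3))
    print("top /24s:  ", summary["by_net"].most_common(3))
    print("protocols: ", dict(summary["by_proto"]), "replies:", summary["replies"])
    print("accepted inbound port 53 from:", exposed_sources(SAMPLE_LOG) or "none")
```

Feed the real log through `triage()` instead of `SAMPLE_LOG` and the "50 more came in while I was looking" problem turns into a short table of which addresses and which /24s account for the volume, with the forwarder's own replies counted separately so they are not mistaken for scans. `exposed_sources()` is the check behind "make sure they can't access it": as long as it stays empty, the log growth is the only real cost.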
 

speed01

Golden Member
Jan 23, 2001
1,167
0
0
I had my DNS entry on the server set to the same address as the router but changed it to itself and the router only because I thought that may be the problem. Needless to say, I was wrong. This crap just keeps going on and on. I got another 35 scans in the time it took me to type this.....
 

speed01

Golden Member
Jan 23, 2001
1,167
0
0
So far the router is keeping everything out, it's more of a nuisance than anything else, and boy does that router log get fat quick this way. Since this didn't happen until this static/dynamic switch occurred, I wouldn't think it would be anything on my end but I have been known to be mistaken on an occasion or two.....:)