Need help with a Security issue
-
heheh hey, being a brony is not that shameful ;) While I have an excuse of having a 6-year-old granddaughter for why I know most of the main characters' names.. There are many people that embrace the brony tag..
edit:
On a side note, I just noticed my box did a query for wpad.local.lan - JFC MS, how do you turn that nonsense off?? I have tried everything I have found to try and disable that and still the queries come.. I even hand out loopback via DHCP and DNS, but still the noise is there… Anyone know of a sure-fire way to make Windows stop asking for freaking wpad??
-
9/10 when I see something strange on multicast DNS it's a printer or printer software.
-
Anyone know of a sure-fire way to make Windows stop asking for freaking wpad??
Don't hijack the thread, you thread-hijacker!!!
-
heheeh - nothing like a good hijack ;)
-
Thanks johnpoz, that's basically exactly what I needed.
I'm going to try that now and see if it works on my setup.
-
Ok, this is the problem I'm having: (sample log)
I'm seeing a huge number of UDP port 53 packets leaving the WAN address (XX.XX.XX.XX).
It seems they are not going through unbound, or logging the queries isn't working correctly. I only have the Squid server package installed, and I can't figure out where hundreds of these packets are coming from. I thought they were unbound activity, but now I'm confused.
Can anyone tell me what these are, what's likely generating them, and how I can figure out where they are coming from?
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,48170,0,none,17,udp,73,XX.XX.XX.XX,199.212.0.53(tinnie.arin.net),15171,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,64143,0,none,17,udp,73,XX.XX.XX.XX,202.12.29.25(ns1.apnic.net),31831,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,19498,0,none,17,udp,84,XX.XX.XX.XX,168.95.192.3(vns1.hinet.net),25909,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,1265,0,none,17,udp,84,XX.XX.XX.XX,168.95.192.3(vns1.hinet.net),25275,53
unbound,[41964:1] info: 192.168.2.13(PC.localdomain) 42.100.161.218.in-addr.arpa. PTR IN
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,4973,0,none,17,udp,84,XX.XX.XX.XX,168.95.1.15(ans2.hinet.net),41443,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,37586,0,none,17,udp,84,XX.XX.XX.XX,194.146.106.106(apnic1.dnsnode.net),6366,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,16405,0,none,17,udp,84,XX.XX.XX.XX,200.10.60.53(d.in-addr-servers.arpa),39344,53
unbound,[41964:0] info: 192.168.2.13(PC.localdomain) 42.100.161.218.in-addr.arpa. PTR IN
filterlog,59,16777216,,1000001581,igb0,match,block,in,4,0x0,,255,39482,0,none,17,udp,379,10.102.0.1,255.255.255.255,67,68
filterlog,59,16777216,,1000001581,igb0,match,block,in,4,0x0,,255,39479,0,none,17,udp,379,10.102.0.1,255.255.255.255,67,68
filterlog,59,16777216,,1000001581,igb0,match,block,in,4,0x0,,255,39478,0,none,17,udp,379,10.102.0.1,255.255.255.255,67,68
filterlog,59,16777216,,1000001581,igb0,match,block,in,4,0xc0,,1,61583,0,none,2,igmp,36,10.102.0.1,224.0.0.1(all-systems.mcast.net),datalength=12 ,
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,46546,0,none,17,udp,73,XX.XX.XX.XX,193.0.9.11(lacnic.authdns.ripe.net),55023,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,44128,0,none,17,udp,83,XX.XX.XX.XX,200.27.2.7(ns2.telmexchile.cl),37449,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,48708,0,none,17,udp,74,XX.XX.XX.XX,200.27.2.2(ns.telmexchile.cl),21411,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,43427,0,none,17,udp,75,XX.XX.XX.XX,200.27.2.2(ns.telmexchile.cl),30226,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,13797,0,none,17,udp,75,XX.XX.XX.XX,200.27.2.2(ns.telmexchile.cl),38204,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,59747,0,none,17,udp,74,XX.XX.XX.XX,200.7.4.7(b.nic.cl),28141,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,3292,0,none,17,udp,74,XX.XX.XX.XX,200.27.2.7(ns2.telmexchile.cl),26460,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,4802,0,none,17,udp,74,XX.XX.XX.XX,204.61.216.30(cl-ns.anycast.pch.net),47636,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,46755,0,none,17,udp,75,XX.XX.XX.XX,200.7.4.7(b.nic.cl),8157,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,23473,0,none,17,udp,65,XX.XX.XX.XX,200.16.112.16(c.nic.cl),11759,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,35385,0,none,17,udp,75,XX.XX.XX.XX,192.5.4.1(sns-pb.isc.org),59833,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,45357,0,none,17,udp,74,XX.XX.XX.XX,192.5.5.241(f.root-servers.net),44470,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,32832,0,none,17,udp,75,XX.XX.XX.XX,198.41.0.4(a.root-servers.net),4924,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,39827,0,none,17,udp,75,XX.XX.XX.XX,192.36.148.17(i.root-servers.net),50921,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,8729,0,none,17,udp,74,XX.XX.XX.XX,192.203.230.10(e.root-servers.net),42172,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,5690,0,none,17,udp,83,XX.XX.XX.XX,200.160.11.50(a.arpa.dns.br),43916,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,8734,0,none,17,udp,83,XX.XX.XX.XX,199.253.183.183(b.in-addr-servers.arpa),20802,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,23957,0,none,17,udp,83,XX.XX.XX.XX,203.113.131.2(dns4.vietel.com.vn),25050,53
-
Well, download that sniff - what are the queries for??
That first one on the list, tinnie.arin.net, is an NS for the afrinic.net domain:
;; QUESTION SECTION:
;afrinic.net. IN NS

;; ANSWER SECTION:
afrinic.net. 3600 IN NS ns1.afrinic.net.
afrinic.net. 3600 IN NS ns2.lacnic.net.
afrinic.net. 3600 IN NS ns2.afrinic.net.
afrinic.net. 3600 IN NS sec1.apnic.net.
afrinic.net. 3600 IN NS sec3.apnic.net.
afrinic.net. 3600 IN NS tinnie.arin.net.
afrinic.net. 3600 IN NS afrinic.authdns.ripe.net.

;; ADDITIONAL SECTION:
ns1.afrinic.net. 3576 IN A 196.216.2.1
ns1.afrinic.net. 3576 IN AAAA 2001:42d0::200:2:1
ns2.afrinic.net. 3576 IN A 196.216.168.10
ns2.afrinic.net. 3576 IN AAAA 2001:43f8:120::10

So you get how the resolver works, right??? You ask for, say, www.google.com, and then the resolver walks down the tree from the roots till it finds the authoritative server for the domain you're looking for..
So yeah, out your WAN you're going to see lots of queries to NS on 53.. If you turn up the logging to, say, 5 in unbound you will see what it's doing, etc. Not going to look up all of those - but from just looking at the names you looked up on them you can pretty much be sure they are just NS for domains that your clients are trying to look up, and then need to be resolved to find the authoritative server for whatever.com, etc.
Do a simple dig +trace and you will get the idea of how resolving works..
here I cleaned it up a bit looking for www.pfsense.org
dig www.pfsense.org +trace
; <<>> DiG 9.11.0-P1 <<>> www.pfsense.org +trace
;; global options: +cmd
. 498539 IN NS a.root-servers.net.
. 498539 IN NS b.root-servers.net.
. 498539 IN NS c.root-servers.net.
. 498539 IN NS d.root-servers.net.
<snipped>
;; Received 525 bytes from 192.168.9.253#53(192.168.9.253) in 0 ms

org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
<snipped>
;; Received 817 bytes from 193.0.14.129#53(k.root-servers.net) in 93 ms

pfsense.org. 86400 IN NS ns1.netgate.com.
pfsense.org. 86400 IN NS ns2.netgate.com.
<snipped>
;; Received 584 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 78 ms

www.pfsense.org. 300 IN A 208.123.73.69
pfsense.org. 300 IN NS ns1.netgate.com.
pfsense.org. 300 IN NS ns2.netgate.com.
;; Received 139 bytes from 162.208.119.38#53(ns2.netgate.com) in 46 ms
-
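As an added example (not code from this thread, nor from pfSense or unbound), here is a small Python script that does what the post above suggests doing by hand: it parses the filterlog records and the interleaved unbound query lines, counts which servers the firewall's WAN address is sending UDP/53 to, and judges whether the pattern is an iterative resolver walking from the root servers down, or a stub/forwarder talking to one or two upstreams. The log sample inside is constructed from the lines posted earlier in the thread with the WAN address replaced by the documentation address 203.0.113.10; the filterlog field layout used here, the unbound line format, and the verdict thresholds are my assumptions.

```python
"""Classify outbound UDP/53 traffic in pfSense filterlog output.

Added example, not code from the thread or from pfSense/unbound. Assumed
IPv4 filterlog field order: rule, sub-rule, anchor, tracker, interface,
reason, action, direction, IP version, TOS, ECN, TTL, ID, offset, flags,
protocol number, protocol name, length, src, dst, sport, dport. Assumed
unbound query-log shape: "unbound,[pid:tid] info: client(name) qname qtype qclass".
"""
import re
from collections import Counter

# Constructed sample modelled on the thread's log; WAN address replaced by the
# documentation address 203.0.113.10, everything else follows the thread.
SAMPLE_LOG = """\
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,48170,0,none,17,udp,73,203.0.113.10,199.212.0.53(tinnie.arin.net),15171,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,64143,0,none,17,udp,73,203.0.113.10,202.12.29.25(ns1.apnic.net),31831,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,19498,0,none,17,udp,84,203.0.113.10,168.95.192.3(vns1.hinet.net),25909,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,1265,0,none,17,udp,84,203.0.113.10,168.95.192.3(vns1.hinet.net),25275,53
unbound,[41964:1] info: 192.168.2.13(PC.localdomain) 42.100.161.218.in-addr.arpa. PTR IN,,,,,,,,,,
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,16405,0,none,17,udp,84,203.0.113.10,200.10.60.53(d.in-addr-servers.arpa),39344,53
filterlog,59,16777216,,1000001581,igb0,match,block,in,4,0x0,,255,39482,0,none,17,udp,379,10.102.0.1,255.255.255.255,67,68
filterlog,59,16777216,,1000001581,igb0,match,block,in,4,0xc0,,1,61583,0,none,2,igmp,36,10.102.0.1,224.0.0.1(all-systems.mcast.net),datalength=12 ,
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,45357,0,none,17,udp,74,203.0.113.10,192.5.5.241(f.root-servers.net),44470,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,32832,0,none,17,udp,75,203.0.113.10,198.41.0.4(a.root-servers.net),4924,53
filterlog,107,16777216,,1000008011,igb0,match,pass,out,4,0x0,,64,5690,0,none,17,udp,83,203.0.113.10,200.160.11.50(a.arpa.dns.br),43916,53
"""

ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\((.*)\))?$")
UNBOUND_RE = re.compile(r"^unbound,\[\d+:\d+\] info: (\S+)\((\S*)\) (\S+) (\S+) (\S+)$")
ROOT_RE = re.compile(r"^[a-m]\.root-servers\.net$")


def split_addr(field):
    """'199.212.0.53(tinnie.arin.net)' -> ('199.212.0.53', 'tinnie.arin.net')."""
    m = ADDR_RE.match(field)
    return (m.group(1), m.group(2)) if m else (field, None)


def parse_filterlog(line):
    """Return a dict for an IPv4 filterlog record, or None for any other line."""
    f = line.split(",")
    if f[0] != "filterlog" or len(f) < 21 or f[9] != "4":
        return None
    src, _ = split_addr(f[19])
    dst, dst_name = split_addr(f[20])
    rec = {"iface": f[5], "action": f[7], "direction": f[8], "proto": f[17],
           "src": src, "dst": dst, "dst_name": dst_name, "sport": None, "dport": None}
    # Ports only exist for TCP/UDP; IGMP etc. carry "datalength=..." instead.
    if rec["proto"] in ("tcp", "udp") and len(f) >= 23:
        rec["sport"], rec["dport"] = int(f[21]), int(f[22])
    return rec


def summarise(log_text, wan_iface="igb0", wan_ip="203.0.113.10"):
    """Count outbound WAN UDP/53 packets per destination plus the unbound
    client queries logged alongside them, and give a rough verdict."""
    servers, sports, client_queries, other = Counter(), set(), [], 0
    for raw in log_text.splitlines():
        rec = parse_filterlog(raw)
        if rec is None:
            m = UNBOUND_RE.match(raw.rstrip(" ,"))  # log export pads with commas
            if m:
                client_queries.append((m.group(1), m.group(3), m.group(4)))
            continue
        if (rec["iface"] == wan_iface and rec["direction"] == "out"
                and rec["proto"] == "udp" and rec["dport"] == 53 and rec["src"] == wan_ip):
            servers[rec["dst_name"] or rec["dst"]] += 1
            sports.add(rec["sport"])
        else:
            other += 1
    root_pkts = sum(n for name, n in servers.items() if ROOT_RE.match(name))
    packets = sum(servers.values())
    # An iterative resolver such as unbound talks to many different servers
    # (roots, TLD, authoritative) from a fresh random source port per query; a
    # stub or forwarder hits one or two upstreams. Caveat: pf applies outbound
    # NAT before the outbound filter log, so a LAN client querying the internet
    # directly would also appear with the WAN IP as source here. The walk
    # pattern is evidence; unbound's own query log (or a LAN-side capture for
    # port 53 to anything but the firewall) is the confirmation.
    if packets and len(servers) >= 5 and root_pkts:
        verdict = "iterative-resolver"
    elif packets:
        verdict = "forwarder-or-direct-client"
    else:
        verdict = "no-dns-egress"
    return {"packets": packets, "servers": servers, "root_server_packets": root_pkts,
            "distinct_source_ports": len(sports), "client_queries": client_queries,
            "other_records": other, "verdict": verdict}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(s["verdict"], "-", s["packets"], "packets to", len(s["servers"]), "servers")
    for name, n in s["servers"].most_common():
        print(f"  {n:3d}  {name}")
    for client, qname, qtype in s["client_queries"]:
        print(f"client {client} asked unbound for {qtype} {qname}")
```

Feed it a real export (e.g. the filter log saved from the pfSense GUI) and, with unbound query logging turned up, the client line next to a burst of hinet.net/apnic.net/in-addr-servers.arpa packets shows which LAN host's PTR lookup caused that burst. If the verdict is forwarder-or-direct-client for packets the resolver never logged, something other than unbound is sending DNS out, and a capture on the LAN interfaces is the next step.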
I ran a sniff on the router's WAN and on each interface.
I'm seeing queries for hordes of Russian and Chinese websites, even for.. unusual websites ending in dot m-i-l.
The activity (not just the root servers) seems to occur even when all other machines are turned off at night.
As far as I can tell the queries are receiving what appear to be legit replies.

If you turn up the logging to, say, 5 in unbound you will see what it's doing, etc.

Can you tell me how I do that? I want to be sure unbound is doing this, and there isn't something else more nefarious going on.
-
In the unbound Advanced tab..
-
Thanks