freebsd security - Jul 2009 - DNS probe sources

These source addresses are likely spoofed, but am still curious whether
other FreeBSD admins saw a preponderance of DNS probes originating from
Microsoft corp subnets ahead of the recent ISC bind vulnerability
announcement?

Roger Marquis


  Jul 28 16:51:23 PDT named[...]: client 94.245.67.253#10546: query (cache)
'output.txt/A/IN' denied
  Jul 28 16:51:23 PDT named[...]: client 94.245.67.253#10543: query (cache)
'output.txt/A/IN' denied
  Jul 28 16:51:18 PDT named[...]: client 94.245.67.253#10546: query (cache)
'output.txt/A/IN' denied
  Jul 28 16:51:18 PDT named[...]: client 94.245.67.253#10543: query (cache)
'output.txt/A/IN' denied
  Jul 28 16:51:13 PDT named[...]: client 94.245.67.253#10546: query (cache)
'output.txt/A/IN' denied
  Jul 28 16:51:13 PDT named[...]: client 94.245.67.253#10543: query (cache)
'output.txt/A/IN' denied
  Jul 28 16:51:08 PDT named[...]: client 94.245.67.253#10370: query (cache)
'>/A/IN' denied
  Jul 28 16:51:08 PDT named[...]: client 94.245.67.253#10366: query (cache)
'>/A/IN' denied
  Jul 28 16:51:03 PDT named[...]: client 94.245.67.253#10370: query (cache)
'>/A/IN' denied
  Jul 28 16:51:03 PDT named[...]: client 94.245.67.253#10366: query (cache)
'>/A/IN' denied
  Jul 28 16:50:58 PDT named[...]: client 94.245.67.253#10370: query (cache)
'>/A/IN' denied
  Jul 28 16:50:58 PDT named[...]: client 94.245.67.253#10366: query (cache)
'>/A/IN' denied
  Jul 28 07:25:45 PDT named[...]: client 207.46.57.240#37973: query (cache)
'output.txt/A/IN' denied
  Jul 28 07:25:45 PDT named[...]: client 207.46.57.240#37959: query (cache)
'>/A/IN' denied
  ...
  Jul 27 23:24:47 PDT named[...]: client 94.245.67.253#55561: query (cache)
'output.txt/A/IN' denied
  Jul 27 23:24:32 PDT named[...]: client 94.245.67.253#55354: query (cache)
'>/A/IN' denied
  Jul 27 15:10:33 PDT named[...]: client 207.46.57.240#17255: query (cache)
'output.txt/A/IN' denied
  Jul 27 15:10:33 PDT named[...]: client 207.46.57.240#17242: query (cache)
'>/A/IN' denied
  ...
  Jul 24 07:21:22 PDT named[...]: client 94.245.67.253#15828: query (cache)
'output.txt/A/IN' denied
  Jul 24 07:21:07 PDT named[...]: client 94.245.67.253#15637: query (cache)
'>/A/IN' denied
  Jul 24 06:10:30 PDT named[...]: client 207.46.57.240#59717: query (cache)
'output.txt/A/IN' denied
  Jul 24 06:10:30 PDT named[...]: client 207.46.57.240#59707: query (cache)
'>/A/IN' denied
  ...

On Thu, Jul 30, 2009 at 07:58:17AM -0700, Roger Marquis
wrote:
> These source addresses are likely spoofed, but am still curious whether
> other FreeBSD admins saw a preponderance of DNS probes originating from
> Microsoft corp subnets ahead of the recent ISC bind vulnerability
> announcement?
Running djbdns here...
> 
> Roger Marquis
> 
-- 
Brian Reichert				<reichert@numachi.com>
55 Crystal Ave. #286			Daytime number: (603) 434-6842
Derry NH 03038-1725 USA			BSD admin/developer at large