Monday, December 8, 2014

Domain: free-google-2.cloudns.org

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is reachable from the Internet and has recursion enabled, so it answers anyone who asks. The queries carry a spoofed source address, the victim's, and the large responses your server sends back to that address are the attack traffic.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


Iptables:


There are two iptables rules available. If your distribution's kernel supports the iptables 'u32' match, pick that one; otherwise use the 'string' rule. Both match inbound UDP queries to port 53 whose question name is this domain, so they belong on the abused open resolver; they do nothing for the victim, who receives responses, not queries. The offsets (0x28 for u32, --from 40 for string) assume a 20-byte IPv4 header without options, followed by the 8-byte UDP header and the 12-byte DNS header, so the question name starts at byte 40. The u32 masks clear bit 0x20 of every letter, so that rule matches the name in any case; the string rule matches the exact bytes and is case-sensitive unless --icase is added.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0d465245 && 0x2c&0xDFFFDFDF=0x452d474f && 0x30&0xDFDFDFDF=0x4f474c45 && 0x34&0xFFFFFFDF=0x2d320743 && 0x38&0xDFDFDFDF=0x4c4f5544 && 0x3c&0xDFDFFFDF=0x4e53034f && 0x40&0xDFDFFF00=0x52470000" -j DROP -m comment --comment "DROP DNS Q free-google-2.cloudns.org"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 67 --algo bm --hex-string '|0D667265652d676f6f676c652d3207636c6f75646e73036f726700|' -j DROP -m comment --comment "DROP DNS Q free-google-2.cloudns.org"

More iptables rules for the 'string' module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
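As an added example (not part of the original post, and not code from the smurfmonitor rule set linked above), the Python below derives both rule forms for any question name: it encodes the name in DNS wire format, splits it into the 4-byte words with case-folding masks that the u32 rule needs, renders the string rule from the same bytes, and then applies the u32 tests to a constructed query packet to show which queries the rule catches. The packet layout (20-byte IPv4 header without options, 8-byte UDP header, 12-byte DNS header, question name at byte 40) and the sample packets are assumptions built into the script.

```python
import struct

# Assumption (same as the rules on this page): 20-byte IPv4 header without
# options, 8-byte UDP header, 12-byte DNS header, so the QNAME starts at
# byte 40 (0x28). IP options would shift everything and defeat the match.
QNAME_OFFSET = 20 + 8 + 12


def qname_wire(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels: length byte, label bytes, final 0x00."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def u32_mask_byte(b: int) -> int:
    """Clear bit 0x20 for ASCII letters so the u32 test matches either case."""
    return 0xDF if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A else 0xFF


def u32_tests(qname: bytes) -> list:
    """Split the QNAME into 4-byte words; return (offset, mask, value) per word."""
    padded = qname + b"\x00" * (-len(qname) % 4)
    tests = []
    for i in range(0, len(padded), 4):
        mask = value = 0
        for j, b in enumerate(padded[i:i + 4]):
            # bytes past the terminating 0x00 are padding: mask them out
            m = u32_mask_byte(b) if i + j < len(qname) else 0x00
            mask = (mask << 8) | m
            value = (value << 8) | (b & m)
        tests.append((QNAME_OFFSET + i, mask, value))
    return tests


def u32_rule(domain: str) -> str:
    """Render the u32 variant of the DROP rule for one question name."""
    expr = " && ".join("0x%x&0x%08X=0x%08x" % t for t in u32_tests(qname_wire(domain)))
    return ('iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "%s" '
            '-j DROP -m comment --comment "DROP DNS Q %s"' % (expr, domain))


def string_rule(domain: str) -> str:
    """Render the string-match variant (exact bytes; case-sensitive without --icase)."""
    q = qname_wire(domain)
    return ("iptables --insert INPUT -p udp --dport 53 -m string --from %d --to %d "
            "--algo bm --hex-string '|%s|' -j DROP -m comment --comment \"DROP DNS Q %s\""
            % (QNAME_OFFSET, QNAME_OFFSET + len(q), q.hex(), domain))


def build_query(domain: str, qtype: int = 255, edns: bool = True) -> bytes:
    """Construct a raw IPv4/UDP/DNS query packet (constructed sample; checksums left zero)."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    dns += qname_wire(domain) + struct.pack("!HH", qtype, 1)                # QTYPE, IN
    if edns:
        dns += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # OPT RR, 4096-byte UDP size
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(dns), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))  # doc addresses
    return ip + udp + dns


def u32_matches(packet: bytes, tests) -> bool:
    """Apply the u32 tests to a raw packet as xt_u32 does: big-endian word & mask == value."""
    for offset, mask, value in tests:
        if offset + 4 > len(packet):
            return False  # a read past the end of the packet fails the match
        (word,) = struct.unpack("!I", packet[offset:offset + 4])
        if word & mask != value:
            return False
    return True


if __name__ == "__main__":
    dom = "free-google-2.cloudns.org"
    print(u32_rule(dom))
    print(string_rule(dom))
    t = u32_tests(qname_wire(dom))
    for name in (dom, dom.upper(), "free-google-3.cloudns.org", dom + ".example"):
        print("%-40s %s" % (name, u32_matches(build_query(name), t)))
```

Run it to reproduce the two rules above for free-google-2.cloudns.org. The matcher reports True for the name in either case and False both for a different name and for a longer name that merely starts with it, because the last u32 word also checks the 0x00 that terminates the QNAME.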

Source:


No source IP addresses recorded for this domain.

Name server (the answer lists the NS records of the parent zone cloudns.org):


;; ANSWER SECTION:
cloudns.org. 3599 IN NS ns1.cloudns.net.
cloudns.org. 3599 IN NS ns2.cloudns.net.
cloudns.org. 3599 IN NS ns3.cloudns.net.
cloudns.org. 3599 IN NS ns4.cloudns.net.


Response (record counts in the answer and total response size in bytes):


A     128
MX    2
NS    4
SOA   1
Rsize 2250

A 2250-byte answer only fits in a UDP response when the query carries EDNS0; the query itself is about 55 bytes of DNS payload (12-byte header, 27-byte question name, 4 bytes of type and class, 11-byte OPT record), so each reflected query is amplified roughly 40 times.


Whois


Domain Name:CLOUDNS.ORG
Domain ID: D158423907-LROR
Creation Date: 2010-02-22T14:13:42Z
Updated Date: 2014-02-06T09:03:03Z
Registry Expiry Date: 2015-02-22T14:13:42Z
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Sponsoring Registrar IANA ID: 303
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:DI_13293734
Registrant Name:Domain Administrator
Registrant Organization:Cloud DNS Ltd
Registrant Street: Iskar Str 4
Registrant Street: Lozenets
Registrant City:Sofia
Registrant State/Province:Sofia
Registrant Postal Code:1000
Registrant Country:BG
Registrant Phone:+359.888911444
Registrant Phone Ext:
Registrant Fax: +359.8889114441
Registrant Fax Ext:
Registrant Email:support@cloudns.net
Admin ID:DI_13293734
Admin Name:Domain Administrator
Admin Organization:Cloud DNS Ltd
Admin Street: Iskar Str 4
Admin Street: Lozenets
Admin City:Sofia
Admin State/Province:Sofia
Admin Postal Code:1000
Admin Country:BG
Admin Phone:+359.888911444
Admin Phone Ext:
Admin Fax: +359.8889114441
Admin Fax Ext:
Admin Email:support@cloudns.net
Tech ID:DI_13293734
Tech Name:Domain Administrator
Tech Organization:Cloud DNS Ltd
Tech Street: Iskar Str 4
Tech Street: Lozenets
Tech City:Sofia
Tech State/Province:Sofia
Tech Postal Code:1000
Tech Country:BG
Tech Phone:+359.888911444
Tech Phone Ext:
Tech Fax: +359.8889114441
Tech Fax Ext:
Tech Email:support@cloudns.net
Name Server:NS1.CLOUDNS.NET
Name Server:NS2.CLOUDNS.NET
Name Server:NS3.CLOUDNS.NET
Name Server:NS4.CLOUDNS.NET
DNSSEC:Unsigned
