CentOS 7 generating Unknown DNS Requests

Posted: 2021/04/28 16:58:58
by srijit92
Hi,

I have a freshly installed CentOS server with bind installed as a caching-only DNS server, where only a specific IP pool is whitelisted for queries. But in the DNS query log I see unknown requests generated from the server itself (127.0.0.1), as shown below. What could be the issue? Is the server hacked?

28-Apr-2021 22:05:35.315 client @0x7f38ac0d4090 127.0.0.1#49562 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN A + (127.0.0.1)
28-Apr-2021 22:05:35.315 client @0x7f38ac0e2830 127.0.0.1#49562 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN AAAA + (127.0.0.1)
28-Apr-2021 22:05:45.884 client @0x7f38ac0e2830 127.0.0.1#58216 (142.173.60.187.in-addr.arpa): query: 142.173.60.187.in-addr.arpa IN PTR + (127.0.0.1)
28-Apr-2021 22:05:45.885 client @0x7f38ac0e2830 127.0.0.1#56838 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN A + (127.0.0.1)
28-Apr-2021 22:05:46.283 client @0x7f38ac0e2830 127.0.0.1#43031 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN A + (127.0.0.1)
28-Apr-2021 22:05:46.283 client @0x7f38ac0d4090 127.0.0.1#43031 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN AAAA + (127.0.0.1)

28-Apr-2021 22:24:41.183 client @0x7f44c4001180 127.0.0.1#49447 (194.22.218.189.in-addr.arpa): query: 194.22.218.189.in-addr.arpa IN PTR + (127.0.0.1)
28-Apr-2021 22:24:41.184 client @0x7f44c4001180 127.0.0.1#58857 (cablelink-189-218-22-194.hosts.intercable.net): query: cablelink-189-218-22-194.hosts.intercable.net IN A + (127.0.0.1)
28-Apr-2021 22:24:41.721 client @0x7f44c4001180 127.0.0.1#44639 (cablelink-189-218-22-194.hosts.intercable.net): query: cablelink-189-218-22-194.hosts.intercable.net IN A + (127.0.0.1)
28-Apr-2021 22:24:41.721 client @0x7f44dc0e2830 127.0.0.1#44639 (cablelink-189-218-22-194.hosts.intercable.net): query: cablelink-189-218-22-194.hosts.intercable.net IN AAAA + (127.0.0.1)
28-Apr-2021 22:25:05.757 client @0x7f44dc0e2830 127.0.0.1#46586 (194.22.218.189.in-addr.arpa): query: 194.22.218.189.in-addr.arpa IN PTR + (127.0.0.1)
28-Apr-2021 22:25:05.758 client @0x7f44dc0e2830 127.0.0.1#48007 (cablelink-189-218-22-194.hosts.intercable.net): query: cablelink-189-218-22-194.hosts.intercable.net IN A + (127.0.0.1)

Re: CentOS 7 generating Unknown DNS Requests

Posted: 2021/04/28 17:18:07
by TrevorH
No idea whether it's hacked or not, but when you do a lookup for a name that is not known by your DNS server, it has to go out to the root servers to find out the address of the DNS server that is authoritative for the name you're looking up, and then go to that server to look up the name.

Re: CentOS 7 generating Unknown DNS Requests

Posted: 2021/04/28 17:42:45
by srijit92
Yes, I know. But the requests are getting generated from the server itself, where there is no actual activity on the server. Only one external client is using the DNS server.

How come the server is itself generating the requests, and that too to unknown IPs?

Re: CentOS 7 generating Unknown DNS Requests

Posted: 2021/04/30 11:25:36
by silvio
Hi srijit92,

Is this system reachable over the internet?
Do you use some service which does a DNS lookup if someone connects?
My first thought was a DNS lookup for an SSH connection, so I would have a look in my secure log.

Silvio
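
The check silvio suggests can be done mechanically. The following is an added example, not code from the thread or from any of the posters: it parses BIND query-log lines, picks out the tell-tale sequence of a PTR lookup from 127.0.0.1 followed within a few seconds by an A/AAAA lookup for the name the PTR returned (the order a daemon produces when it resolves a connecting client and then verifies the name, which is not what a resolver does when answering a remote client), and then looks for sshd lines in /var/log/secure for the same client IP around the same time. The query-log lines are the ones posted above; the /var/log/secure lines, the hostname `centos7`, the PIDs and the ports are constructed for illustration and are not from the original server.

```python
import re
from datetime import datetime

# Sample input. The BIND query-log lines are copied from the thread above (plus one
# CONSTRUCTED line from a remote client, 10.0.0.5, to show it is ignored). The
# /var/log/secure lines are CONSTRUCTED: hostname, PIDs and ports are invented.
QUERY_LOG = """\
28-Apr-2021 22:05:45.884 client @0x7f38ac0e2830 127.0.0.1#58216 (142.173.60.187.in-addr.arpa): query: 142.173.60.187.in-addr.arpa IN PTR + (127.0.0.1)
28-Apr-2021 22:05:45.885 client @0x7f38ac0e2830 127.0.0.1#56838 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN A + (127.0.0.1)
28-Apr-2021 22:05:46.283 client @0x7f38ac0d4090 127.0.0.1#43031 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN AAAA + (127.0.0.1)
28-Apr-2021 22:24:41.183 client @0x7f44c4001180 127.0.0.1#49447 (194.22.218.189.in-addr.arpa): query: 194.22.218.189.in-addr.arpa IN PTR + (127.0.0.1)
28-Apr-2021 22:24:41.184 client @0x7f44c4001180 127.0.0.1#58857 (cablelink-189-218-22-194.hosts.intercable.net): query: cablelink-189-218-22-194.hosts.intercable.net IN A + (127.0.0.1)
28-Apr-2021 22:30:00.000 client @0x7f44c4001180 10.0.0.5#40000 (example.com): query: example.com IN A + (10.0.0.5)
"""
SECURE_LOG = """\
Apr 28 22:05:45 centos7 sshd[2511]: Invalid user admin from 187.60.173.142 port 52730
Apr 28 22:05:47 centos7 sshd[2511]: Connection closed by 187.60.173.142 port 52730 [preauth]
Apr 28 22:24:41 centos7 sshd[2590]: Failed password for root from 189.218.22.194 port 41222 ssh2
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<src>[\d.]+)#\d+ \([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+)")
SECURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<msg>.*?\b(?:from|by) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*)$")


def parse_query_log(text):
    """One dict per parsable BIND query-log line, in file order."""
    entries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            entries.append({"ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
                            "src": m["src"], "name": m["name"], "qtype": m["qtype"]})
    return entries


def ptr_to_ip(name):
    """'142.173.60.187.in-addr.arpa' -> '187.60.173.142' (IPv4 only, else None)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def find_reverse_forward_chains(entries, window_s=5.0, src="127.0.0.1"):
    """PTR lookup from `src`, then an A/AAAA lookup from `src` within window_s seconds.
    Returns one chain per (client IP, hostname) pair, keyed on the PTR timestamp."""
    chains, pending = [], []          # pending: (ts, ip) of recent localhost PTR queries
    for e in entries:
        if e["src"] != src:
            continue
        if e["qtype"] == "PTR":
            ip = ptr_to_ip(e["name"])
            if ip:
                pending.append((e["ts"], ip))
        elif e["qtype"] in ("A", "AAAA"):
            for ts, ip in pending:
                if 0 <= (e["ts"] - ts).total_seconds() <= window_s and not any(
                        c["ip"] == ip and c["hostname"] == e["name"] for c in chains):
                    chains.append({"ts": ts, "ip": ip, "hostname": e["name"]})
        pending = [p for p in pending if (e["ts"] - p[0]).total_seconds() <= window_s]
    return chains


def parse_secure_log(text, year):
    """sshd lines from /var/log/secure; syslog stamps carry no year, so it is supplied."""
    out = []
    for line in text.splitlines():
        m = SECURE_RE.match(line)
        if m:
            out.append({"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                        "ip": m["ip"], "msg": m["msg"]})
    return out


def correlate(chains, secure_entries, slack_s=60):
    """Attach sshd lines for the same client IP within +/- slack_s of the PTR lookup.
    An empty 'sshd' list means some other service resolved that client."""
    return [{**c, "sshd": [s for s in secure_entries if s["ip"] == c["ip"]
                           and abs((s["ts"] - c["ts"]).total_seconds()) <= slack_s]}
            for c in chains]


def analyse(query_log=QUERY_LOG, secure_log=SECURE_LOG):
    entries = parse_query_log(query_log)
    year = entries[0]["ts"].year if entries else datetime.now().year
    return correlate(find_reverse_forward_chains(entries), parse_secure_log(secure_log, year))


if __name__ == "__main__":
    for r in analyse():
        print(f"{r['ts']:%H:%M:%S} {r['ip']} -> {r['hostname']} "
              f"[{'sshd' if r['sshd'] else 'no sshd match'}]")
        for s in r["sshd"]:
            print(f"    {s['ts']:%H:%M:%S} {s['msg']}")
```

Run against the real logs with `python3 checkdns.py` after pointing `QUERY_LOG` and `SECURE_LOG` at the files (or reading them in). A chain with matching sshd lines is exactly the picture silvio describes: an internet-facing sshd resolving the address of whoever connects, which on a public server is mostly brute-force scanners. `sshd -T | grep -i usedns` prints the effective `UseDNS` setting. A chain with no sshd match is not evidence of compromise either; any other daemon that resolves connecting clients leaves the same PTR-then-A/AAAA pattern, so the next step is to look at what else listens on the box.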