Suspicious DNS replies on 0.centos.pool.ntp.org query

mokaz
Posts: 3
Joined: 2020/02/12 08:52:38

Suspicious DNS replies on 0.centos.pool.ntp.org query

Post by mokaz » 2020/02/12 09:03:54

Hi there all,

Crawling my logs, I've found some strange replies to DNS queries towards X.centos.pool.ntp.org.
Here is one example:

Date/Time: 02-05 08:34
Device Time: 2020-02-05 08:34:04
Domain Name: 0.centos.pool.ntp.org
Event Time: 1580888044259527691
IP Address: 185.220.101.20,91.202.42.83,185.220.101.0,134.102.201.104
Query Class: IN
Query Type: A
Query Type Value: 1
Time Stamp: 2020-02-05 08:34:08
Time Zone: +0100
Transaction ID: 29530

I've matched pretty much all my CentOS boxes getting the same answers (IP addresses returned for the query) between 05.02.2020 and 07.02.2020.
The issue is that the 185.220.101.xx IPs returned are Tor exit nodes, which I thought was weird.

Could anyone comment on, or acknowledge, any issues DNS-wise?

Thanks,
Regards,
Mokaz

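As an added example (not from the original post or from CentOS/ntp.org), here is a small defender-side check over a record in the shape of the DNS log entry quoted above: it parses the "Key: value" fields (that separator is an assumption about the exporter's format), keeps only answers for `*.pool.ntp.org` names, and flags any returned address inside a watchlist prefix. The watchlist holds only the 185.220.101.0/24 range the poster identified as Tor exit nodes; in practice it would be fed from a maintained threat-intelligence feed.

```python
import ipaddress

# Constructed sample record mirroring the log entry quoted in the post.
# Field names and values come from the post; the "Key: value" layout is
# an assumption about how the exporter separates fields.
SAMPLE_RECORD = """\
Date/Time: 02-05 08:34
Device Time: 2020-02-05 08:34:04
Domain Name: 0.centos.pool.ntp.org
Event Time: 1580888044259527691
IP Address: 185.220.101.20,91.202.42.83,185.220.101.0,134.102.201.104
Query Class: IN
Query Type: A
Query Type Value: 1
Time Stamp: 2020-02-05 08:34:08
Time Zone: +0100
Transaction ID: 29530
"""

# Hypothetical watchlist: the prefix the poster matched against Tor exit
# node lists. Replace with a maintained feed in real deployments.
WATCHLIST = [ipaddress.ip_network("185.220.101.0/24")]


def parse_record(text):
    """Turn a 'Key: value' block into a dict; 'IP Address' becomes a list."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so timestamps keep their own colons.
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    raw_ips = fields.get("IP Address", "")
    fields["IP Address"] = [ip.strip() for ip in raw_ips.split(",") if ip.strip()]
    return fields


def flag_answers(record, watchlist=WATCHLIST, suffix=".pool.ntp.org"):
    """Return answers to a pool.ntp.org query that fall inside a watchlist prefix."""
    if not record.get("Domain Name", "").endswith(suffix):
        return []  # only NTP pool lookups are of interest here
    flagged = []
    for ip in record["IP Address"]:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in watchlist):
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec["Domain Name"], "->", flag_answers(rec))
```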
TrevorH
Forum Moderator
Posts: 27727
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Suspicious DNS replies on 0.centos.pool.ntp.org query

Post by TrevorH » 2020/02/12 10:19:36

I queried this with the infra guys and they tell me that this is entirely controlled by the ntp.org people and has nothing to do with CentOS. I believe we tell them that we need a pool, then they just create it and assign it ip addresses that they believe are correct and proper ntp servers.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

mokaz
Posts: 3
Joined: 2020/02/12 08:52:38

Re: Suspicious DNS replies on 0.centos.pool.ntp.org query

Post by mokaz » 2020/02/13 10:37:35

Hey Trevor, thanks for your time on this, appreciated.
I'll try to figure it out a little further at ntp.org, because returning this (https://ip-46.com/185.220.101.20) as a CentOS pool member appears strange to me.

Thanks,
Regards,
m

TrevorH
Forum Moderator
Posts: 27727
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Suspicious DNS replies on 0.centos.pool.ntp.org query

Post by TrevorH » 2020/02/13 10:48:42

It does sound strange to me too but in reality, the only thing that CentOS has to do with ntp pools is that we tell them that we need one and they do everything else. The ip addresses assigned to the pool and the DNS entries are all controlled by the ntp people.

mokaz
Posts: 3
Joined: 2020/02/12 08:52:38

Re: Suspicious DNS replies on 0.centos.pool.ntp.org query

Post by mokaz » 2020/02/13 14:51:54

Well, I feel slightly less lonely now =)
https://community.ntppool.org/t/ntf-rec ... -pool/1557

According to the linked post:

We are finding that some IP addresses that used to be TOR activities are being reused in the NTP.org 2 pool. This is really bad and we are moving all NTP away from NTP.org 2 as a result.

Questionable, I'd say.

Thanks again,
Kind regards,
Mokaz
