Suspicious DNS replies on 0.centos.pool.ntp.org query
Posted: 2020/02/12 09:03:54
Hi there all,
Crawling my logs, I've found some strange replies to DNS queries towards X.centos.pool.ntp.org.
Here is one example:
Date/Time: 02-05 08:34
Device Time: 2020-02-05 08:34:04
Domain Name: 0.centos.pool.ntp.org
Event Time: 1580888044259527691
IP Address: 185.220.101.20,91.202.42.83,185.220.101.0,134.102.201.104
Query Class: IN
Query Type: A
Query Type Value: 1
Time Stamp: 2020-02-05 08:34:08
Time Zone: +0100
Transaction ID: 29530
I've matched pretty much all my CentOS boxes getting the same answers (IP addresses returned for the query) between 05.02.2020 and 07.02.2020.
The issue is that the 185.220.101.xx IPs returned are Tor exit nodes, which I thought was weird.
Could anyone comment on or acknowledge any issues, DNS-wise?
Thanks,
Regards,
Mokaz
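The check the poster did by hand (look up every address a resolver handed back for a pool.ntp.org name and see whether it sits in a known Tor exit range) can be scripted over the same kind of log record. The following is an added example and is not code from the post, from CentOS or from any DNS vendor. The log sample is constructed to mirror the field layout of the dump above, and the Tor exit list is a constructed stand-in (the 185.220.101.0/24 range the post names plus one host entry) rather than an authoritative feed; swap in addresses from the exit-node list you actually consume.

```python
"""Flag DNS answers that fall inside known Tor exit ranges.

Added example, not from the original post. The record layout mirrors the
post's own dump; TOR_EXIT_NETWORKS is a constructed stand-in for a real
Tor exit-node feed and must not be treated as authoritative.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed: the /24 is the range the post flags; the single host is
# included only to show that host-sized entries work too.
TOR_EXIT_NETWORKS = [
    ipaddress.ip_network("185.220.101.0/24"),
    ipaddress.ip_network("91.202.42.83/32"),
]

# Constructed sample: two records in the "Key: value" layout of the post,
# separated by a blank line. The second record has no Tor-range answer.
SAMPLE_LOG = """\
Device Time: 2020-02-05 08:34:04
Domain Name: 0.centos.pool.ntp.org
IP Address: 185.220.101.20,91.202.42.83,185.220.101.0,134.102.201.104
Query Type: A
Transaction ID: 29530

Device Time: 2020-02-05 09:10:11
Domain Name: 1.centos.pool.ntp.org
IP Address: 134.102.201.104,80.80.80.80
Query Type: A
Transaction ID: 29531
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated 'Key: value' blocks into dicts."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first colon only; values such as timestamps contain colons.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def tor_hits(answers: Iterable[str], networks=TOR_EXIT_NETWORKS) -> List[str]:
    """Return the answer IPs that fall inside any listed Tor exit network."""
    hits: List[str] = []
    for raw in answers:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Malformed field content: skip it rather than abort the whole scan.
            continue
        if any(addr in net for net in networks):
            hits.append(str(addr))
    return hits


def flag_records(text: str) -> List[Tuple[str, str, List[str]]]:
    """(device time, queried name, matching IPs) for every record with a hit."""
    flagged: List[Tuple[str, str, List[str]]] = []
    for rec in parse_records(text):
        answers = [a for a in rec.get("IP Address", "").split(",") if a]
        hits = tor_hits(answers)
        if hits:
            flagged.append((rec.get("Device Time", "?"),
                            rec.get("Domain Name", "?"), hits))
    return flagged


if __name__ == "__main__":
    for when, name, hits in flag_records(SAMPLE_LOG):
        print(f"{when} {name}: answers in Tor exit ranges {hits}")
```

A hit only says that the resolver returned an address inside a listed range. pool.ntp.org is a volunteer-run pool, so a host can legitimately serve NTP and also run a Tor exit; to tell that apart from a tampered resolver, query the same name through a second, independent resolver (and on a box outside the affected network) and compare the answer sets before treating the log entries as an incident.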