Why Windows Server sent dns query to Russian Network
Posted on 2010-09-09
I have a pfsense Firewall with snort installed,
I see this kind of log :
7 2 UDP ET RBN Known Russian Business Network IP UDP (238) Misc Attack 192.168.1.67 34358 -> 18.104.22.168 53 1:2406475:193 09/09-12:19:02
8 2 UDP ET RBN Known Russian Business Network IP UDP (237) Misc Attack 192.168.1.7 1068 -> 22.214.171.124 53 1:2406473:193 09/09-12:18:52
9 2 UDP ET RBN Known Russian Business Network IP UDP (238) Misc Attack 192.168.1.7 1068 -> 126.96.36.199 53 1:2406475:193 09/09-12:18:48
10 2 UDP ET RBN Known Russian Business Network IP UDP (237) Misc Attack 192.168.1.67 49339 -> 188.8.131.52 53 1:2406473:193 09/09-12:18:42
let me give a idea how my Dns server setup
All client computer - > SBS 2003 -> Linux Dns
so SBS 2003(192.168.1.7) getting all dns query from client computer, then its forward all to linux dns server(192.168.1.67)
Hence you see 2 log for each dns query .
anyway : by looking at log its like, SBS it self sending those dns query to those IP
so i installed wire-shark , look at udp packet
yes, Server it self sending those Dns query ..
Now i am surprised why ?
initially i thought, server could be infected. but then i looked at my different network , Same setting. and there i installed brand new SBS 2008, and i saw snort log, it has same kind log, ( which made me think that my server is not infected )
so its looks like to me.
windows server has it self to sent some random query to those ips ...
its hear funny to me but its my understanding
now can any one please give me some idea what it could be ???
or how can i get more information on this ???