An ill-informed and a rather late look at dns security logs

teamamericaSome months ago i switched on dns logging and promptly forgot about it as fail2ban (my blog) was using it and was doing stuff to my satisfaction with the stuff.

Months later and i still have that data and 13000+ events logged, and in my quick and dirty attempts at geolocating (my blog) i wanted to know what troublesome hosts where and from which my first attempts where poor due to the horrid log format used but it appears from some back of an enveloped grep’s that America was in the top percentile of probers.

Team America fuck yeah – alas no .kp (north korea) but i suppose after they supposedly hacked Sony nothing else is of interest to them on the internet

malletMost attempts where under 5 events, thirteen ip’s had counts of 100 events (including a tribe of native american’s reservation ip range) and over, with two 500+ so i found 15 ip addresses that persistently probed and action was taken with our mallet of choice.   Mallets are cool.

We can excuse some issues from some hosts but clearly constant probing from some means they do not really seek an honest response from the zoo’s dns servers and do not look at the results so they are bad actors despite there ‘security’ credentials.

Since this has been posted i had some fun with python (my blog)  and i can now make spreadsheet importable data which is where bash scripting failed me,  so once a week the computer sends me a report where i will add to the fifteen still blocked and i doubt those spotted as persistent abusers will ever be removed.

So keep probing.

by golly but...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s