
My DNS server running RHEL 6.6 is actively sending unsolicited DNS responses to a couple of IPs. By unsolicited I mean that there is no incoming request from the external IP; the DNS server seems to want to talk to this external host for some reason on its own and I can't figure out why. Netstat shows the outbound connections tied to the named process. tcpdump confirms these are mostly outbound. They look like this (the hostnames at the end are what's in the actual tcpdump):

104115 5.888666   <DNS server source IP> <dest IP>   DNS 80 Standard query 0xfc38 A chhveu.x99moyu.net

There are tons of these. Here is another example:

104012 5.8884459  <DNS server source IP> <dest IP>  DNS 106 Standard query 0x688b MX 3636.3335.3338.3737.80h423333324d.host.com

Again, tons of these.

I have been able to get this under control by using iptables. However, the packet counters are increasing at a rapid pace, so I know the named service is still wanting to talk to this IP. Another strange thing I noticed after putting the iptables rule in place: I blocked the IP using the INPUT chain first and continued to see traffic. Then I added the IP to the OUTPUT chain, and the incoming requests seemed to immediately dry up, while the outbound requests kept adding up. So I fear the incoming requests were actually being produced by the outgoing requests. Here is what the packet counters look like in iptables:

Input Chain:

4   292 DROP       all  --  any    any     X.X.X.X/24     anywhere

Output chain:

41174 4514K DROP       all  --  any    any     anywhere   x.x.x.x/24

Could this system be compromised and, if so, is there anything I can do to remediate it?

user53029

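One way to check a capture for the pattern described in the question (the server sending query after query to a peer that never sends anything to it), as an added example that is not part of the post: a small Python parser for tshark-style "Standard query" lines that tallies outbound versus inbound queries per external address, records the query-type mix, and counts names built from runs of hex-digit labels like the MX example above. The sample lines, addresses and thresholds are constructed for illustration; the server address 192.0.2.53 and the peers are documentation-range placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of the tshark/Wireshark "Standard query" lines quoted
# in the question. 192.0.2.53 plays the DNS server; the other addresses are documentation
# ranges, not real hosts.
SAMPLE_LINES = """\
104115 5.888666  192.0.2.53  198.51.100.7  DNS 80 Standard query 0xfc38 A chhveu.x99moyu.net
104012 5.8884459 192.0.2.53  198.51.100.7  DNS 106 Standard query 0x688b MX 3636.3335.3338.3737.80h423333324d.host.com
104200 5.891000  192.0.2.53  198.51.100.9  DNS 74 Standard query 0x1a2b A www.example.com
104201 5.892000  203.0.113.4 192.0.2.53    DNS 74 Standard query 0x3c4d A www.example.com
104202 5.893000  192.0.2.53  198.51.100.7  DNS 80 Standard query 0xfc39 A qzplmw.x99moyu.net
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+(?P<length>\d+)\s+"
    r"Standard query\s+(?P<txid>0x[0-9a-fA-F]+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)\s*$"
)
HEX_LABEL_RE = re.compile(r"[0-9a-fA-F]{4,}")


def parse_line(line):
    """Parse one capture line into a dict, or return None for lines that are not DNS queries."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hex_encoded_labels(qname):
    """Count labels that consist solely of hex digits (4+ chars), like 3636.3335.3338.3737."""
    return sum(1 for label in qname.rstrip(".").split(".") if HEX_LABEL_RE.fullmatch(label))


def analyze(capture_text, server_ip):
    """Per external peer: queries the server sent to it, queries received from it, and qtype mix."""
    stats = defaultdict(lambda: {"outbound": 0, "inbound": 0, "qtypes": Counter(), "hex_label_queries": 0})
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] == server_ip:          # our server asked someone else
            peer = stats[rec["dst"]]
            peer["outbound"] += 1
            peer["qtypes"][rec["qtype"]] += 1
            if hex_encoded_labels(rec["qname"]) >= 3:   # dotted runs of hex labels look like encoded data
                peer["hex_label_queries"] += 1
        elif rec["dst"] == server_ip:        # someone asked our server
            stats[rec["src"]]["inbound"] += 1
    return dict(stats)


def unsolicited_destinations(stats, min_outbound=2):
    """Peers the server keeps querying although nothing ever arrived from them."""
    return sorted(ip for ip, s in stats.items() if s["outbound"] >= min_outbound and s["inbound"] == 0)


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES, "192.0.2.53")
    for ip, s in sorted(report.items()):
        print(f"{ip:15} out={s['outbound']:3} in={s['inbound']:3} "
              f"hex-label={s['hex_label_queries']} qtypes={dict(s['qtypes'])}")
    print("unsolicited:", unsolicited_destinations(report))
```

To run it against a real capture, replace SAMPLE_LINES with the text output of tshark (or the Wireshark packet list export) and set server_ip to the resolver's own address; peers listed by unsolicited_destinations are the ones worth cross-checking against the resolver's query log and the iptables counters, since a recursive resolver that emits many queries toward one address with nothing ever coming back from it matches exactly the observation in the question.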