Malware DNS A record points to my ip address

domain-name-system bind named-conf

I've used BIND for about ten years but am by no means an expert, at all. Having said that, I just wiped my VPS due to a crytomining malware infection.

While I was getting BIND set back up I noticed that a domain (TLD) I do not own was coming up as being hosted by my IP address. Further inspection shows the A record for this domain points to my IP.

I can understand there would be nothing to prevent someone from setting an A record to point wherever. But is there nothing I can do to block this? It seems like this is probably something very basic that I'm just missing, but am having trouble in troubleshooting it. Most of my searches have been fruitless.

Recursion is off.

Here's the options from named.conf

options {
    listen-on port 53       { any; };
    listen-on-v6 port 53    { any; };
    directory               "/var/named";
    dump-file               "/var/named/data/cache_dump.db";
    statistics-file         "/var/named/data/named_stats.txt";
    memstatistics-file      "/var/named/data/named_mem_stats.txt";
    allow-query             { any; };
    allow-transfer          { none; };
    recursion               no;
    dnssec-enable           yes;
    dnssec-validation       yes;
    bindkeys-file           "/etc/named.iscdlv.key";
    managed-keys-directory  "/var/named/dynamic";
    pid-file                "/run/named/named.pid";
    session-keyfile         "/run/named/session.key";
};

Solution 1:

You can't change someone else's domain records.

However...

If the other domain is actually the domain responsible for serving malware, you can contact the abuse contact at their DNS provider and their domain registrar, if different, to report the domain as a malware source (and include evidence thereof). These providers may then be able to do something, such as temporarily or permanently suspending the domain.

You can also attempt to get a new IP address from your own service provider.

Solution 2:

There are two things to consider:

  1. Someone has an A record pointing to your IP address — there is nothing you can do about that.
  2. This A record in itself is not a problem. Problems (might) begin when this A record is used to send traffic towards your host — do you have an idea what kind of traffic it is? For example, if it's mostly HTTP(S) traffic you could modify your default website to provide an explanation of the incorrect DNS record to end users that might end up on your website due to the incorrect A record.

You can also analyze the source IP addresses and block them if they come from a country you do not do business with. But I'm never a fan of blocking IP addresses or address ranges.

Related

What is Load Balancer Warmup?
How to make `clamdscan` exclude folders and only log `--infected`?
Ubuntu Server with systemd - how to get a backtrace or coredump?
Hide subdomains from scan tools
Why doesn't libvirt cooperate with iptables on fedora 32
nginx: combine Expires and Cache-Control: immutable headers
Server Uptime Reporting and Tracking
Free hex file viewer [closed]
Account lockout
What inconsistencies should I expect between WAMP and LAMP stacks? [closed]
Should I install antivirus in Windows 7 RC XP Mode?
Google Contacts on IP phones via asterisk PBX