Dear All,

I am sorry for posting this query here, but I hope someone can help me out.

I have been running CentOS 5 as my primary DNS and mail server with bind 9.2. Everything works fine, but in my /var/messages log I continuously see the messages below:

Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#17222: query (cache) './NS/IN' denied
Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#26398: query (cache) './NS/IN' denied
Feb 22 09:14:51 kmdns1 named[2087]: client 62.109.4.89#65326: query (cache) './NS/IN' denied
Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query (cache) './NS/IN' denied

Now, in my firewall I tried to block this IP, but the messages don't stop.

I also upgraded bind to version bind-9.3.4-6.0.3.P1.el5_2, but to no avail; the problem is still there.

I would just like to know what this problem is and how I could solve it. Is there a problem with my DNS server?

Thanks and regards, and I appreciate your kind help.

fabian

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
> Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query (cache) './NS/IN' denied
>
> now in my firewall I tried to block this IP but the messages don't stop
>
> I also upgraded bind to version bind-9.3.4-6.0.3.P1.el5_2 but to no avail, the problem is still there
>
> I would just like to know what this problem is and how I could solve it
>
> is there a problem with my DNS server
>
> thanks and regards
>
> appreciate your kind help
>
> fabian

fabian,

You might try something like the bad-guys acl I set up a long time ago in named.conf.

Change the IPs as you see fit:

// Default named.conf generated by install of bind-9.2.4-2
//
// r.initials August 29 2005
//
acl "bad-guys" {
    201.114.231.0/24;
    201.114.236.0/24;
};
logging {
    category lame-servers { null; };
};
options {
    version "Bind";
    directory "/var/named";                 // working directory
    listen-on { 127.0.0.1; redactedx.y.z.a; };
    listen-on-v6 { none; };
    allow-transfer { redactedx.y.z.a; redactedx.y.z.b; };
    blackhole { "bad-guys"; };
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    // pid-file "named.pid";                // Put pid file in working dir
    allow-query { any; };                   // This is the default
    recursion yes;                          // Do provide recursive service ???? or not???
};
include "/etc/rndc.key";
Dear Robert,

I really appreciate your quick reply, and thanks for the same. It worked beautifully, the bad-guys acl.

Now, just for my information, if you can help me: by the way, I had sent a mail to the owners of the IPs, and they replied to me saying that they had a DDoS attack on their server and it was stopped 5 days ago.

Now I would like to know, if it was really stopped, what were the messages stating? Was my server querying their server, or their server querying mine, since a rule in my firewall which blocked the below IP did not help?

I appreciate your kind help. The messages in my logs are:

Feb 22 21:45:36 kmdns1 named[2087]: client 62.109.4.89#24308: query (cache) './NS/IN' denied
Feb 22 21:45:37 kmdns1 named[2087]: client 62.109.4.89#31958: query (cache) './NS/IN' denied
Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#29069: query (cache) './NS/IN' denied
Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#35868: query (cache) './NS/IN' denied
Feb 22 21:45:39 kmdns1 named[2087]: client 62.109.4.89#26792: query (cache) './NS/IN' denied

But the moment I made the changes as suggested by you in my named.conf, the messages stopped perfectly.

Regards
Fabian

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos

"fabian dacunha" <fabian at baladia.gov.kw> wrote:
> Dear All,
>
> I am sorry for posting this query here but hope someone can help me out
> I have been running CentOS 5 as my primary DNS and mail server with bind 9.2
>
> everything works fine but in my /var/messages log I see continuously the
> below messages
>
> Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#17222: query (cache) './NS/IN' denied
> Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#26398: query (cache) './NS/IN' denied
> Feb 22 09:14:51 kmdns1 named[2087]: client 62.109.4.89#65326: query (cache) './NS/IN' denied
> Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query (cache) './NS/IN' denied
>
> now in my firewall I tried to block this IP but the messages don't stop
>
> I also upgraded bind to version bind-9.3.4-6.0.3.P1.el5_2 but to no avail
> the problem is still there
>
> I would just like to know what this problem is and how I could solve it
>
> is there a problem with my DNS server
>
> thanks and regards
>
> appreciate your kind help
>
> fabian

I run a very small, personal presence on the internet (only a single web site, e-mail, etc. plus DNS for my own stuff), so this might not work if you have lots of sites or there are legitimate reasons why the same source IP address would hit your DNS with multiple, valid queries in a very short period. Typically, once a source IP has queried a DNS server, the result is cached for the time to live (TTL) of the resulting record and the query should not normally be repeated. Given this, I added the following rules to my firewall:

...
# Block cache poisoning attacks
# Drop repeated DNS requests
-A RH-Firewall-1-INPUT -p udp -m udp -m recent -i eth0 --dport 53 --update \
    --seconds 660 --hitcount 7 --name DNSTHROTTLE --rsource -j DROP
-A RH-Firewall-1-INPUT -p udp -m udp -m recent -i eth0 --dport 53 -j ACCEPT \
    --set --name DNSTHROTTLE --rsource
...
Note that eth0 is my external NIC, so these rules only fire for DNS requests that are not from my local network. I decided that seven queries in eleven minutes was a reasonable sign of a cache poisoning attack. Your mileage may vary. These two rules replaced about 30 IPs in my blacklist and are completely automatic. The funny thing is that a lot of the brute force cache poisoning attempts just keep banging away, so the source IP stays on the blacklist. Every once in a while I'll see a new IP address hit seven attempts, and then the blacklist rule kicks in and they're never heard from again.

Cheers,
Dave

--
Politics, n. Strife of interests masquerading as a contest of principles.
  -- Ambrose Bierce
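As an added example (not code from the thread), here is a small Python script that applies the same seven-hits-in-660-seconds threshold as Dave's iptables rules to the "query (cache) ... denied" lines named writes, so a source can be checked against the log before a firewall rule is changed. The sample log is constructed: the 62.109.4.89 lines mirror the thread, while the 10.0.0.5 client, the zone line and the year 2009 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; 62.109.4.89 lines follow the thread, the 10.0.0.5 client and zone line are made up.
SAMPLE_LOG = """\
Feb 22 21:45:36 kmdns1 named[2087]: client 62.109.4.89#24308: query (cache) './NS/IN' denied
Feb 22 21:45:37 kmdns1 named[2087]: client 62.109.4.89#31958: query (cache) './NS/IN' denied
Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#29069: query (cache) './NS/IN' denied
Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#35868: query (cache) './NS/IN' denied
Feb 22 21:45:39 kmdns1 named[2087]: client 62.109.4.89#26792: query (cache) './NS/IN' denied
Feb 22 21:45:40 kmdns1 named[2087]: client 62.109.4.89#26793: query (cache) './NS/IN' denied
Feb 22 21:45:41 kmdns1 named[2087]: client 62.109.4.89#26794: query (cache) './NS/IN' denied
Feb 22 21:46:00 kmdns1 named[2087]: client 10.0.0.5#5353: query (cache) 'example.com/A/IN' denied
Feb 22 21:46:01 kmdns1 named[2087]: zone example.net/IN: loaded serial 2009022201
"""
# "client A.B.C.D#port" is the source of the UDP query named refused: the remote host asked us.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<qname>[^']*)' denied$"
)

def parse_denied(lines, year=2009):
    """Yield (timestamp, source_ip, qname) per refused cache query; syslog has no year, so one is assumed."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["qname"]

def noisy_clients(lines, hitcount=7, seconds=660):
    """Return {ip: total_hits} for sources with >= hitcount refused queries inside some
    sliding window of `seconds`, mirroring the recent-module rule (--hitcount 7 --seconds 660)."""
    events = defaultdict(list)
    for ts, ip, _ in parse_denied(lines):
        events[ip].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > seconds:
                start += 1  # slide the window forward past old hits
            if end - start + 1 >= hitcount:
                flagged[ip] = len(times)
                break
    return flagged
```

Feed it `sys.stdin` or an opened /var/log/messages to list the sources that would trip Dave's rule; a legitimate resolver behind NAT can also exceed the count, which is the caveat Dave gives about many valid queries from one address.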
fabian dacunha wrote:
> Dear Robert,
>
> Really appreciate your quick reply and thanks for the same..
>
> it worked beautifully..
> the bad-guys acl
>
> now just for my information if you can help me
>
> by the way I had sent a mail to the owners of the IPs and they replied to
> me saying that they had a DDoS attack on their server and it was stopped 5
> days ago.
>
> now I would like to know if it was really stopped what were the messages stating

A request to look up an NS record.

> was my server querying their server
> or their server querying mine

You got a UDP packet from who knows where.

> since a rule in my firewall which blocked the below IP did not help

Huh? Then maybe there is something wrong with the rule. I basically just drop such packets on the floor.

> appreciate your kind help
>
> the messages in my logs are
>
> Feb 22 21:45:36 kmdns1 named[2087]: client 62.109.4.89#24308: query (cache) './NS/IN' denied
> Feb 22 21:45:37 kmdns1 named[2087]: client 62.109.4.89#31958: query (cache) './NS/IN' denied
> Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#29069: query (cache) './NS/IN' denied
> Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#35868: query (cache) './NS/IN' denied
> Feb 22 21:45:39 kmdns1 named[2087]: client 62.109.4.89#26792: query (cache) './NS/IN' denied
>
> but the moment I made the changes as suggested by you in my named.conf the
> messages stopped perfectly

This just shows that your authoritative bind server was configured correctly. Congratulations!