On Tue, 2 Aug 2022, Robert Moskowitz wrote:

> I just, maybe, figured out why I have been having problems with my CentOS DNS
> server with BIND 9.11.4.
>
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.): view external: query (cache) './A/IN' denied

Usually that's someone hoping to use you in a reflection attack, which is successful since UDP can be forged but it hasn't got the volume it might if you answered differently (with a referral). Sometimes it is a policy denial attack, hoping you will block the apparent source thus denying it service.

The only way to stop it is for all others to employ BCP 38 which will likely never happen, or for you to stop allowing outside use of your nameserver which means having someone else handle DNS for you (which just seems to stop it, from your perspective).

It shouldn't cause problems unless your server is vastly underpowered. What problems are you experiencing?

/mark

On 03/08/2022 19:08, Mark Milhollan wrote:

> On Tue, 2 Aug 2022, Robert Moskowitz wrote:
>
>> I just, maybe, figured out why I have been having problems with my
>> CentOS DNS server with BIND 9.11.4.
>>
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 64.68.114.141#39466 (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 62.109.204.22#4406 (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518
>> (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8
>> 114.29.202.117#9584 (.): view external: query (cache) './A/IN' denied
>
> Usually that's someone hoping to use you in a reflection attack, which
> is successful since UDP can be forged but it hasn't got the volume it
> might if you answered differently (with a referral). Sometimes it is a
> policy denial attack, hoping you will block the apparent source thus
> denying it service.
>
> The only way to stop it is for all others to employ BCP 38 which will
> likely never happen, or for you to stop allowing outside use of your
> nameserver which means having someone else handle DNS for you (which
> just seems to stop it, from your perspective).
>
> It shouldn't cause problems unless your server is vastly underpowered.
> What problems are you experiencing?

Enabling rate limiting in BIND can help.
https://kb.isc.org/docs/aa-00994

On 8/3/22 11:08, Mark Milhollan wrote:

> Usually that's someone hoping to use you in a reflection attack

Doesn't a reflection attack require the reflecting server to answer queries? I'd think that the server logging that the query was denied would indicate that it is not vulnerable to that type of abuse.
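
An added example, not written by anyone in the thread: a short Python triage script for the denied-query log lines quoted above. It counts denials per apparent source, per query, and per second so the volume can be judged. The function name `summarize` and the burst threshold are assumptions of this example. Because the thread notes the UDP sources can be forged, the per-source counts describe apparent senders only and are not a block list.

```python
import re
from collections import Counter

# Shape of the "query (cache) ... denied" lines quoted in the thread.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]*\): "
    r"(?:view (?P<view>\S+): )?query \(cache\) '(?P<q>[^']+)' denied"
)

# The eight log lines from the thread, plus one constructed non-matching line.
SAMPLE = """\
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:51 onlo named[6155]: zone example.com/IN/internal: loaded serial 1
"""


def summarize(text, burst_threshold=5):
    """Count denied cache queries by apparent source, query and second."""
    per_ip, per_query, per_second = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue  # not a denied cache query; ignore
        per_ip[m["ip"]] += 1          # apparent source only; UDP may be forged
        per_query[m["q"]] += 1        # e.g. './A/IN' for the root name
        per_second[m["ts"]] += 1
    # Seconds in which the number of denials reached the threshold.
    bursts = [(ts, n) for ts, n in per_second.items() if n >= burst_threshold]
    return {"per_ip": per_ip, "per_query": per_query, "bursts": bursts}


if __name__ == "__main__":
    result = summarize(SAMPLE)
    print("queries:", dict(result["per_query"]))
    print("top apparent sources:", result["per_ip"].most_common(3))
    print("bursts:", result["bursts"])
```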