LinuxQuestions.org
Linux - Newbie
Old 10-09-2013, 08:49 AM   #1
procfs
Member

PID making DNS query

Hi, my DNS server is Red Hat running BIND. For years this has been running OK, and today we found the DNS server is making extensive queries to some random IPs.

Is there any way that I can find out which process is requesting these DNS queries?

Thanks and Regards
Old 10-10-2013, 02:02 AM   #2
unSpawn
Moderator

Quote: Originally Posted by procfs
    Hi my DNS server is Redhat and running bind, all for years this been running oka and
Which OS and update version?
Which ISC BIND version?
Does software get updated when updates are released?
Does it run any other (publicly accessible) services?
Does the machine get audited regularly?
Do login records (last, lastb) show anomalous logins?
Do system or daemon logs show anomalous entries?
Does the file system show odd files or binaries?

Quote: Originally Posted by procfs
    today we found the dns server is making extensive queries to some random IP's
Do these IP addresses show up in any logs or login records?
What ports are involved?
How random are these IP addresses?

Quote: Originally Posted by procfs
    Is there any way that I can find out which process requesting these DNS queries
Edge router logging, or iptables -j LOG rules (with the -m owner module?), or tcpdump, or else netstat or lsof.
Old 10-10-2013, 06:28 AM   #3
procfs
Member
Original Poster

Hi unSpawn, thank you for the reply. Please find the information you requested:

Which OS and update version? - Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
Which ISC BIND version? - BIND 9.2.4
Does software get updated when updates are released? - No
Does it run any other (publicly accessible) services? - This was running an email server, but we have decommissioned it and the services are down now
Does the machine get audited regularly? - No
Do login records (last, lastb) show anomalous logins? - Not that I have noticed
Do system or daemon logs show anomalous entries? - Messages similar to the one below are appearing in the message log

Oct 9 00:26:45 dn named[16412]: client 173.236.227.39#25345: no more recursive clients: quota reached

Does the file system show odd files or binaries? - No, not that I can see


Do these IP addresses show up in any logs or login records? - In the message log
What ports are involved? - 53
How random are these IP addresses? - Not sure

Quote: Originally Posted by unSpawn
    Edge router logging or iptables -j LOG rules (with the -m owner module?) or tcpdump or else netstat or lsof.
I have tried some of what you mentioned and failed to identify the cause. We were troubleshooting high bandwidth usage from the ISP side using Wireshark; only then did we find out that about 90% of the traffic is related to the above-mentioned issue.

Thank you and Regards
Old 10-10-2013, 11:06 AM   #4
jpollard
Senior Member

One thing you can do is disable recursive queries. This can cause a significant amount of outgoing traffic when it isn't desired, and can be caused by outside connections to the name server.

Most name servers aimed at the internet do not enable recursive queries for this reason. Internal use is a bit different - recursive queries are useful to offload the recursion from the client. But internal name servers don't put any greater load on the outside connection.

What your message indicates is that someone (presumably 173.236.227.39 is not one of yours...) is banging on your name server, possibly trying to find a vulnerability.
Old 10-14-2013, 02:27 AM   #5
procfs
Member
Original Poster

Hi jpollard, thanks for the reply; your suggestion helped. Is there any way we can trace who is doing this? (I guess it would be impossible, since the incoming IPs are random.)

If this is an internal program (from some misconfiguration, or something a hacker might have put there), how am I to go about tracing such malware?

Thanks and Regards
Old 10-14-2013, 08:57 AM   #6
jpollard
Senior Member

The IP numbers given in the reply can identify the host - as far as the NAT router goes. That identifies the ISP. For instance:

Code:
$ nslookup 173.236.227.39
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
39.227.236.173.in-addr.arpa	name = apache2-fritz.john-langdon.dreamhost.com.

Authoritative answers can be found from:
That makes a rough identification. The IP number is supposed to belong to dreamhost.com (they in turn are supported by Verisign).

Handling it gets difficult. One way is to block the IP number (and, if there are a large number of connections from that network, block the entire 173.236.227.0 network) at the firewall/router that connects to your internet connection.

This can only stop half the traffic - the outgoing side. After being blocked your systems won't see the attempts - but the queries will still be coming, and dropped at the firewall/router (thus still using up some of your bandwidth). To stop any more than that requires cooperation from your ISP. They would be able to block it where the traffic enters their network, thus releasing all of your bandwidth. It doesn't remove the traffic from where it enters their net, but usually they would have a better handle on controlling unacceptable traffic.

If the queries are coming from the normal DNS lookups - this should cut down on the attempts, as when the timeout occurs for a query it should go to the next server in their list - which would quickly end up with a "cannot contact server" error, and query gets dropped. After that the attacker has to start from scratch.

There are several applications (though I don't have references handy - it depends on what your firewall is, sorry) that can monitor the incoming connections and automatically set such rejects (useful when it detects a LOT of such queries that generate the reject messages in the logs). This at least allows for a faster response to blocking invalid queries. For single query rejects, I would suggest having them configured to allow something like 5 consecutive tries without a successful query before adding them - this prevents blocking simple typographical errors.

You can google for "linux network response tools" and get a list of references. These are for installation on a linux system, so one of them should work for the firewall on your name server (assuming it is a Linux system).
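As an added example (not code from the thread or from any poster), this POSIX shell script ties together the two remedies discussed above: it counts, per client, the "no more recursive clients: quota reached" lines of the kind post #3 quotes and prints firewall rules only for clients over the consecutive-tries threshold jpollard proposes, and it flags a named.conf options block that leaves recursion open to everyone, the setting post #4 recommends turning off for internet-facing servers. Everything beyond the single log line quoted in the thread (the other log lines, both named.conf fragments, the 192.0.2.10 and 10.0.0.0/8 addresses) is constructed for the demo.

```shell
#!/bin/sh
# Constructed sample of named syslog lines in the format quoted in the thread;
# the first line is the poster's, the others are made up for the demo.
SAMPLE_LOG='Oct 9 00:26:45 dn named[16412]: client 173.236.227.39#25345: no more recursive clients: quota reached
Oct 9 00:26:46 dn named[16412]: client 173.236.227.39#25346: no more recursive clients: quota reached
Oct 9 00:26:47 dn named[16412]: client 192.0.2.10#40001: no more recursive clients: quota reached
Oct 9 00:26:48 dn named[16412]: client 173.236.227.39#25347: no more recursive clients: quota reached
Oct 9 00:26:49 dn named[16412]: zone example.com/IN: loaded serial 2013100901'

# Constructed named.conf fragments: recursion open to the world, and the same
# server limited to internal clients with an allow-recursion ACL.
CONF_OPEN='options {
    directory "/var/named";
    recursion yes;
};'
CONF_FIXED='options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
};'

# quota_offenders LOGTEXT [THRESHOLD]: print "count ip" for clients that hit the
# recursive-client quota at least THRESHOLD times (default 5), busiest first.
quota_offenders() {
    threshold="${2:-5}"
    printf '%s\n' "$1" \
      | sed -n 's/.*client \([0-9.]*\)#[0-9]*: no more recursive clients: quota reached.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# drop_rules LOGTEXT [THRESHOLD]: iptables DROP commands for DNS from each
# offender, printed for review rather than executed.
drop_rules() {
    quota_offenders "$1" "$2" \
      | awk '{ printf "iptables -I INPUT -s %s -p udp --dport 53 -j DROP\n", $2 }'
}

# recursion_state CONFTEXT: "open" if recursion is on (the BIND 9 default when
# unset) with no allow-recursion ACL, otherwise "restricted".
recursion_state() {
    if printf '%s\n' "$1" | grep -q 'recursion[[:space:]]*no' \
       || printf '%s\n' "$1" | grep -q 'allow-recursion'; then
        echo restricted
    else
        echo open
    fi
}

drop_rules "$SAMPLE_LOG" 2; recursion_state "$CONF_OPEN"   # demo on constructed data
```

On a real server, feed it the named log (e.g. `quota_offenders "$(grep named /var/log/messages)"`) and the running named.conf instead of the constructed strings.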
All times are GMT -5. The time now is 03:53 PM.