LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 03-25-2012, 04:30 PM   #1
krazybob
Member
 
Registered: Oct 2009
Location: Los Angeles, CA
Distribution: Centos 5.x
Posts: 133

Rep: Reputation: 3
DNS Calls Blocked by Firewall


I have a Watchguard X8000 Peak firewall (excellent hardware!)

I have call after call to port 53 that are outbound. I switched to OpenDNS and line after line after line now shows me xxx.xxx.xxx.xxx 208.67.222.222 dns/udp 1-Trusted 0-External denial of service attack, drop this packet.

Looking at the actual three servers (out of over 100), only these three servers exhibit this problem. It appears that Webalizer may be trying to do a hostname lookup, but turning this off doesn't appear to be an option as it is with AWStats. Previously I had resolv.conf set for Level 3 4.2.2.1 and 4.2.2.2. My own firewall is block listing me!!!

I have resolv.conf set for

Code:
search priorityonehost.net
nameserver 208.67.222.222
nameserver 207.67.220.220
Each server has a unique name based on the customer but you get the idea.

I don't know if the DNS filter on the Watchguard X8000 is supposed to be proxied or just a policy.

Any thoughts on what is going on? This began when I switched these servers to Plesk 9.3

Humbly Yours,

Bob
 
Old 03-27-2012, 01:16 AM   #2
Slackyman
Member
 
Registered: Mar 2011
Location: Rome - Italy
Distribution: Slackware 13.1
Posts: 347

Rep: Reputation: 44
One fast solution could be to set up DNSs directly on the Watchguard and use the Watchguard as unique DNS, but even if this will solve your issue you'll never know why you were having it!
I looked on the Internet and found
http://forums.opendns.com/search.php...nSubmit=Search
It seems that the DNS response from OpenDNS can be interpreted as a port scan, a flood attack or other kind of DoS attack.
 
Old 03-27-2012, 09:29 AM   #3
krazybob
Member
 
Registered: Oct 2009
Location: Los Angeles, CA
Distribution: Centos 5.x
Posts: 133

Original Poster
Rep: Reputation: 3
Thank you, except that the Watchguard is showing me attacking them. Web sites are doing reverse lookups, I believe through Webalizer, for better statistics resolution. I don't know how to turn that off to see if I am correct.

The Watchguard X800 Peak is not a DNS server. It is a router/top-end switch. I have 100 servers behind it and it has no way of handling DNS on that level. Only three servers are doing this and I cannot see what is different except that they are Plesk 9.3.
 
Old 03-27-2012, 10:03 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
This can be pursued/corrected on any of several levels, but the easiest is probably to just turn off webalizer's rDNS lookups. A cursory look at this webalizer manpage suggests that it may be possible to do so by omitting the DNSCache directive, and setting the DNSChildren directive to 0.
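
An added example, not part of the post above and not Plesk's or webalizer's own tooling: a small shell check that reads a webalizer configuration file and reports whether the two directives named in the post, DNSCache and DNSChildren, are still active. The sample configuration and its file name are constructed for the demonstration; the location of the real file on a Plesk server is not given in this thread.

```shell
#!/bin/sh
# Report whether a webalizer config still has reverse-DNS lookups configured,
# using the two directives named in the post: DNSCache and DNSChildren.
# Prints "off" when DNSCache is absent and DNSChildren is 0 or absent,
# otherwise "on (...)" with the values that were found.
webalizer_rdns_status() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        # Skip blank lines and "#" comment lines.
        NF == 0 || $1 ~ /^#/ { next }
        # Directive names are compared case-insensitively here.
        { key = tolower($1) }
        key == "dnscache"    { cache = $2 }
        key == "dnschildren" { children = $2 + 0 }
        END {
            if (children > 0 || cache != "")
                printf "on (DNSChildren=%d, DNSCache=%s)\n",
                       children, (cache == "" ? "unset" : cache)
            else
                print "off"
        }' "$conf"
}

# Constructed sample config: lookups still enabled with ten resolver children.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real server
LogFile      access_log
DNSCache     dns_cache.db
DNSChildren  10
EOF
echo "$sample: $(webalizer_rdns_status "$sample")"
rm -f "$sample"
```

Run against each of the affected servers' configuration files, a result of "on" identifies the hosts whose statistics run will generate bursts of outbound port 53 queries.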
 
Old 03-27-2012, 10:37 PM   #5
krazybob
Member
 
Registered: Oct 2009
Location: Los Angeles, CA
Distribution: Centos 5.x
Posts: 133

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by anomie View Post
This can be pursued/corrected on any of several levels, but the easiest is probably to just turn off webalizer's rDNS lookups. A cursory look at this webalizer manpage suggests that it may be possible to do so by omitting the DNSCache directive, and setting the DNSChildren directive to 0.
Thank you. Plesk compiles everything so I'll have to dig a little deeper. I suspected that was the solution. With AWStats it's an easy fix, but if I turn it on the server load goes up considerably during nightly CRONs. Thank you again.
 
  

