Non stop DNS queries

grob115 · 02-13-2013, 11:33 AM

Hi, for some reason my BIND server is getting hit by many queries that are completely non-related to my domain. I'm unable to understand why this is happening. Anyone can provide some pointers?

/var/log/messages

Code:

Feb 13 09:28:46 backup named[21729]: client 1.2.3.4#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:46 backup named[21729]: client 5.6.7.8#55695: query (cache) './ANY/IN' denied
Feb 13 09:28:46 backup last message repeated 14 times
Feb 13 09:28:47 backup named[21729]: client 9.10.11.12#37689: query (cache) './ANY/IN' denied
Feb 13 09:28:47 backup last message repeated 14 times
Feb 13 09:28:47 backup named[21729]: client 9.10.11.12#31878: query (cache) './ANY/IN' denied
Feb 13 09:28:47 backup last message repeated 14 times
Feb 13 09:28:47 backup named[21729]: client 9.10.11.12#39948: query (cache) './ANY/IN' denied
Feb 13 09:28:47 backup last message repeated 7 times
Feb 13 09:28:47 backup named[21729]: client 5.6.7.8#40223: query (cache) './ANY/IN' denied
Feb 13 09:28:47 backup last message repeated 7 times
Feb 13 09:28:48 backup named[21729]: client 13.14.15.16#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:48 backup named[21729]: client 5.6.7.8#62566: query (cache) './ANY/IN' denied
Feb 13 09:28:48 backup last message repeated 14 times
Feb 13 09:28:48 backup named[21729]: client 9.10.11.12#33436: query (cache) './ANY/IN' denied
Feb 13 09:28:48 backup last message repeated 14 times
Feb 13 09:28:48 backup named[21729]: client 9.10.11.12#59650: query (cache) './ANY/IN' denied
Feb 13 09:28:48 backup last message repeated 14 times
Feb 13 09:28:48 backup named[21729]: client 1.2.3.4#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:49 backup named[21729]: client 9.10.11.12#35563: query (cache) './ANY/IN' denied
Feb 13 09:28:49 backup last message repeated 14 times
Feb 13 09:28:49 backup named[21729]: client 5.6.7.8#50517: query (cache) './ANY/IN' denied
Feb 13 09:28:49 backup last message repeated 14 times
Feb 13 09:28:50 backup named[21729]: client 9.10.11.12#5538: query (cache) './ANY/IN' denied
Feb 13 09:28:50 backup last message repeated 14 times
Feb 13 09:28:50 backup named[21729]: client 9.10.11.12#18361: query (cache) './ANY/IN' denied
Feb 13 09:28:50 backup last message repeated 6 times
Feb 13 09:28:50 backup named[21729]: client 13.14.15.16#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:50 backup named[21729]: client 9.10.11.12#41581: query (cache) './ANY/IN' denied
Feb 13 09:28:50 backup last message repeated 14 times
Feb 13 09:28:51 backup named[21729]: client 1.2.3.4#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:51 backup named[21729]: client 9.10.11.12#43907: query (cache) './ANY/IN' denied

So I ran the following command to get some insights on how many of these I'm getting.

Code:

rndc stats

named_stats.txt

Code:

+++ Statistics Dump +++ (1360776237)
success 25
referral 0
nxrrset 16
nxdomain 0
recursion 0
failure 30499
--- Statistics Dump --- (1360776237)
+++ Statistics Dump +++ (1360776393)
success 30
referral 0
nxrrset 19
nxdomain 1
recursion 0
failure 39305
--- Statistics Dump --- (1360776393)

unSpawn · 02-13-2013, 12:38 PM

See http://www.linuxquestions.org/questi...attack-935994/ and ensure you only expose your DNS to World if you really have to, ensure you only allow recursion for trusted networks and rate limit queries?

grob115 · 02-13-2013, 01:11 PM

Hi, thanks for the link. Interesting they are also having queries related to "isc.org". I can't tell, by looking at my logs, whether they are coming from or going to "isc.org" however. Any idea?

As for recursion, I have turned it off and it's still coming through. I have the following settings for the BIND server.

Code:

allow-recursion {
        localnets;
};

allow-query {
        any;
};

I think I'm under a DDoS attack on my DNS. Not sure how to tell whether I'm being used to amplify the DDoS DNS attack or I'm the actual target. I have 1400 IPs doing queries on my DNS servers since this started. Not everyone are attacking however as some are legit. But at least the top 102 of these 1400 IPs are hitting over 1000 times by now. The queries are coming in at about 388k/hr.

unSpawn · 02-13-2013, 05:18 PM

If you read the external link in the thread I linked to you see you're not under attack. Your bandwidth is used to target others: it's a reflection attack. So you're not the "victim" but because your NS allow unrestricted recursion you're "an accomplice".
- Please confirm you have a distinct need to expose DNS to World: in other words that you run the authoritative NS for one or more domains.
- ACL name "localnets" suggests you're serving both internal clients and external authoritative requests. Please confirm you have split out instances into a caching NS allowing recursion only for LAN / company range clients and a separate publicly accessible authoritative NS denying any recursion.
- See http://www.team-cymru.org/Services/Resolvers/ and check your named.conf against http://www.cymru.com/Documents/secur...-template.html and http://www.team-cymru.org/Services/R...tructions.html.
- Please also see rate limiting: http://ss.vix.com/~vixie/isc-tn-2012-1.txt.

* If unsure attach your named.conf but only after having implementing and tested CYMRU advice.

grob115 · 02-19-2013, 09:46 AM

Hi, thanks. Yes the DNS servers are authoritative for the domain name they serve. And yes recursion has been turned off entirely. There's no concept of internal vs external however. Just no recursion period. All the incoming bogus DNS queries not targeting our domain are blocked off before hitting the DNS servers.