LinuxQuestions.org
Forum: Linux - Server
Non-stop DNS queries

#1  02-13-2013, 12:33 PM  grob115 (Member, registered Oct 2005, 528 posts)


Hi, for some reason my BIND server is getting hit by many queries that are completely unrelated to my domain. I'm unable to understand why this is happening. Can anyone provide some pointers?

/var/log/messages
Code:
Feb 13 09:28:46 backup named[21729]: client 1.2.3.4#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:46 backup named[21729]: client 5.6.7.8#55695: query (cache) './ANY/IN' denied
Feb 13 09:28:46 backup last message repeated 14 times
Feb 13 09:28:47 backup named[21729]: client 9.10.11.12#37689: query (cache) './ANY/IN' denied
Feb 13 09:28:47 backup last message repeated 14 times
Feb 13 09:28:47 backup named[21729]: client 9.10.11.12#31878: query (cache) './ANY/IN' denied
Feb 13 09:28:47 backup last message repeated 14 times
Feb 13 09:28:47 backup named[21729]: client 9.10.11.12#39948: query (cache) './ANY/IN' denied
Feb 13 09:28:47 backup last message repeated 7 times
Feb 13 09:28:47 backup named[21729]: client 5.6.7.8#40223: query (cache) './ANY/IN' denied
Feb 13 09:28:47 backup last message repeated 7 times
Feb 13 09:28:48 backup named[21729]: client 13.14.15.16#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:48 backup named[21729]: client 5.6.7.8#62566: query (cache) './ANY/IN' denied
Feb 13 09:28:48 backup last message repeated 14 times
Feb 13 09:28:48 backup named[21729]: client 9.10.11.12#33436: query (cache) './ANY/IN' denied
Feb 13 09:28:48 backup last message repeated 14 times
Feb 13 09:28:48 backup named[21729]: client 9.10.11.12#59650: query (cache) './ANY/IN' denied
Feb 13 09:28:48 backup last message repeated 14 times
Feb 13 09:28:48 backup named[21729]: client 1.2.3.4#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:49 backup named[21729]: client 9.10.11.12#35563: query (cache) './ANY/IN' denied
Feb 13 09:28:49 backup last message repeated 14 times
Feb 13 09:28:49 backup named[21729]: client 5.6.7.8#50517: query (cache) './ANY/IN' denied
Feb 13 09:28:49 backup last message repeated 14 times
Feb 13 09:28:50 backup named[21729]: client 9.10.11.12#5538: query (cache) './ANY/IN' denied
Feb 13 09:28:50 backup last message repeated 14 times
Feb 13 09:28:50 backup named[21729]: client 9.10.11.12#18361: query (cache) './ANY/IN' denied
Feb 13 09:28:50 backup last message repeated 6 times
Feb 13 09:28:50 backup named[21729]: client 13.14.15.16#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:50 backup named[21729]: client 9.10.11.12#41581: query (cache) './ANY/IN' denied
Feb 13 09:28:50 backup last message repeated 14 times
Feb 13 09:28:51 backup named[21729]: client 1.2.3.4#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:51 backup named[21729]: client 9.10.11.12#43907: query (cache) './ANY/IN' denied
So I ran the following command to get some insight into how many of these I'm getting.
Code:
rndc stats
named_stats.txt
Code:
+++ Statistics Dump +++ (1360776237)
success 25
referral 0
nxrrset 16
nxdomain 0
recursion 0
failure 30499
--- Statistics Dump --- (1360776237)
+++ Statistics Dump +++ (1360776393)
success 30
referral 0
nxrrset 19
nxdomain 1
recursion 0
failure 39305
--- Statistics Dump --- (1360776393)
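As an added example (not from the thread), here is a Python triage script that does what the poster was after: it parses named's "query (cache) '...' denied" lines from /var/log/messages, expands syslog's "last message repeated N times" lines so the counts are real, and reports volume per client, per name/type, the share of ANY queries, the peak per-second rate, and any source port shared across several client addresses. The "(cache)" in these messages means the name was outside the server's own zones and the request was refused under allow-query-cache; named still answers each one with a REFUSED packet, so the server is reflecting traffic even where it is not amplifying it. The log lines embedded below are constructed from the excerpt above, with one ordinary A query added for contrast; in the real excerpt the isc.org/ANY queries all arrive from source port 25345 whatever the client address, which is what the shared-port check is for.

```python
"""Triage BIND 'query ... denied' log lines: who is sending what, and how fast."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample, modelled on the /var/log/messages excerpt in the post above.
# The last line (a plain A query from 10.0.0.5) is added for contrast.
SAMPLE_LOG = """\
Feb 13 09:28:46 backup named[21729]: client 1.2.3.4#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:46 backup named[21729]: client 5.6.7.8#55695: query (cache) './ANY/IN' denied
Feb 13 09:28:46 backup last message repeated 14 times
Feb 13 09:28:47 backup named[21729]: client 9.10.11.12#37689: query (cache) './ANY/IN' denied
Feb 13 09:28:47 backup last message repeated 14 times
Feb 13 09:28:48 backup named[21729]: client 13.14.15.16#25345: query (cache) 'isc.org/ANY/IN' denied
Feb 13 09:28:48 backup named[21729]: client 10.0.0.5#40001: query (cache) 'www.example.com/A/IN' denied
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
DENIED_RE = re.compile(
    TS + r" \S+ named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)
REPEAT_RE = re.compile(TS + r" \S+ last message repeated (?P<n>\d+) times$")


def parse_denied(log_text):
    """Return one (ts, ip, port, qname, qtype) tuple per denied query.

    syslog collapses consecutive identical lines into 'last message repeated N
    times'; those are expanded here so the counts reflect what named saw.
    """
    records = []
    last = None
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            last = (m["ts"], m["ip"], int(m["port"]), m["qname"], m["qtype"])
            records.append(last)
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:
            # A repeat keeps the client, port and name of the previous line; only the time moves.
            records.extend([(m["ts"],) + last[1:]] * int(m["n"]))
        else:
            last = None  # some other named message: a following 'repeated' line is not ours
    return records


def summarize(records):
    """Aggregate the records into the numbers a responder wants first."""
    by_client = Counter(r[1] for r in records)
    by_query = Counter((r[3], r[4]) for r in records)
    per_second = Counter(r[0] for r in records)
    any_count = sum(1 for r in records if r[4] == "ANY")
    # Source ports are normally ephemeral and random. Several distinct "clients" reusing
    # one port is a hint that the source addresses are forged by a single sender.
    ips_per_port = defaultdict(set)
    for r in records:
        ips_per_port[r[2]].add(r[1])
    shared_ports = {p: sorted(ips) for p, ips in ips_per_port.items() if len(ips) > 1}
    return {
        "total": len(records),
        "any_share": any_count / len(records) if records else 0.0,
        "peak_qps": max(per_second.values()) if per_second else 0,
        "by_client": by_client,
        "by_query": by_query,
        "shared_source_ports": shared_ports,
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(parse_denied(text))
    print(f"{s['total']} denied queries, {s['any_share']:.0%} ANY, peak {s['peak_qps']}/s")
    for ip, n in s["by_client"].most_common(10):
        print(f"  client {ip:<16} {n}")
    for (qname, qtype), n in s["by_query"].most_common(10):
        print(f"  {qname}/{qtype:<5} {n}")
    for port, ips in s["shared_source_ports"].items():
        print(f"  source port {port} reused by {', '.join(ips)}")
```

Run it as `python3 dns_triage.py /var/log/messages` (the file name is an assumption) to get the per-client and per-name counts for the whole file; with no argument it runs over the constructed sample.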
 
#2  02-13-2013, 01:38 PM  unSpawn (Moderator, registered May 2001, 27,777 posts)
See http://www.linuxquestions.org/questi...attack-935994/ and ensure you only expose your DNS to the world if you really have to, ensure you only allow recursion for trusted networks, and rate-limit queries?
 
#3  02-13-2013, 02:11 PM  grob115 (Original Poster)
Hi, thanks for the link. Interesting that they are also seeing queries related to "isc.org". I can't tell, by looking at my logs, whether they are coming from or going to "isc.org", however. Any idea?

As for recursion, I have turned it off and it's still coming through. I have the following settings for the BIND server.
Code:
allow-recursion {
        localnets;
};

allow-query {
        any;
};

I think I'm under a DDoS attack on my DNS. Not sure how to tell whether I'm being used to amplify the DNS DDoS attack or I'm the actual target. I have had 1400 IPs querying my DNS servers since this started. Not all of them are attacking, however, as some are legitimate. But at least the top 102 of these 1400 IPs have each hit over 1000 times by now. The queries are coming in at about 388k/hr.

Last edited by grob115; 02-13-2013 at 02:19 PM.
 
#4  02-13-2013, 06:18 PM  unSpawn (Moderator)
If you read the external link in the thread I linked to, you see you're not under attack. Your bandwidth is used to target others: it's a reflection attack. So you're not the "victim", but because your NS allows unrestricted recursion you're "an accomplice".
- Please confirm you have a distinct need to expose DNS to World: in other words that you run the authoritative NS for one or more domains.
- ACL name "localnets" suggests you're serving both internal clients and external authoritative requests. Please confirm you have split out instances into a caching NS allowing recursion only for LAN / company range clients and a separate publicly accessible authoritative NS denying any recursion.
- See http://www.team-cymru.org/Services/Resolvers/ and check your named.conf against http://www.cymru.com/Documents/secur...-template.html and http://www.team-cymru.org/Services/R...tructions.html.
- Please also see rate limiting: http://ss.vix.com/~vixie/isc-tn-2012-1.txt.

* If unsure, attach your named.conf, but only after having implemented and tested the CYMRU advice.
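Following on from the advice above, here is an added Python check (not part of the thread, and not ISC's named-checkconf) that pulls the recursion- and cache-related settings out of a named.conf options block and flags the open-resolver conditions unSpawn describes. The three configurations inside it are constructed: WEAK_CONF mirrors what the original poster showed (BIND's default `recursion yes` is left in place, so localnets clients still get recursive service and allow-query-cache silently inherits the allow-recursion ACL), OPEN_RESOLVER_CONF is the classic accomplice configuration, and HARDENED_CONF is the authoritative-only shape the Team Cymru template and the ISC RRL note point toward. The directive names are real BIND 9 options; the rate-limit block needs a BIND built with RRL support, which was a separate patch when this thread was written, a build option in 9.9.4 and standard from 9.10. The default ACL values the checker assumes when a directive is absent are BIND's documented defaults.

```python
"""Audit a named.conf 'options' block for the open-resolver settings discussed in the thread."""
import re

# Constructed: the options the original poster described. 'recursion' is not set and
# BIND defaults it to 'yes', so hosts matching 'localnets' still get recursive service,
# and allow-query-cache (unset) inherits the allow-recursion ACL.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-recursion { localnets; };
    allow-query { any; };
};
"""

# Constructed: the textbook "accomplice" configuration of a reflection attack.
OPEN_RESOLVER_CONF = """
options {
    directory "/var/named";
    allow-recursion { any; };
    allow-query { any; };
};
"""

# Constructed hardened variant for an authoritative-only server: recursion off, cache
# queries refused, nothing served from cache in additional sections, answers kept small,
# and response rate limiting on (rate-limit requires a BIND built with RRL support).
HARDENED_CONF = """
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-recursion { none; };
    allow-query-cache { none; };
    additional-from-cache no;
    minimal-responses yes;
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
"""


def options_block(conf):
    """Return the text inside 'options { ... };', counting braces so nested blocks survive."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]


def block_body(block, name):
    """Tokens of 'name { a; b; };' as a list, or None when the directive is not present."""
    m = re.search(r"(?<![-\w])%s\s*\{([^}]*)\}\s*;" % re.escape(name), block)
    if m is None:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit(conf):
    """Return a list of findings; an empty list means none of the checked problems apply."""
    opt = options_block(conf)
    # BIND defaults: recursion yes; allow-recursion { localnets; localhost; };
    # allow-query-cache defaults to whatever allow-recursion resolves to.
    m = re.search(r"(?<![-\w])recursion\s+(yes|no)\s*;", opt)
    recursion_on = m is None or m.group(1) == "yes"
    recursion_acl = block_body(opt, "allow-recursion")
    if recursion_acl is None:
        recursion_acl = ["localnets", "localhost"]
    cache_acl = block_body(opt, "allow-query-cache")
    if cache_acl is None:
        cache_acl = recursion_acl

    findings = []
    if recursion_on:
        if "any" in recursion_acl:
            findings.append("open resolver: recursion on and allow-recursion includes 'any'")
        else:
            findings.append("recursion on for %s; an authoritative-only server should set 'recursion no;'"
                            % ", ".join(recursion_acl))
    if "any" in cache_acl:
        findings.append("allow-query-cache includes 'any': cached data can be reflected to forged sources")
    if block_body(opt, "rate-limit") is None:
        findings.append("no rate-limit block: responses to a forged source are not rate limited")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("open", OPEN_RESOLVER_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", audit(conf) or ["ok"])
```

The checker only understands a flat `options` block; views, per-zone overrides and included files are out of scope, so run `named-checkconf` for syntax and treat this as a quick triage of the settings the thread is about.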
 
#5  02-19-2013, 10:46 AM  grob115 (Original Poster)
Hi, thanks. Yes, the DNS servers are authoritative for the domain name they serve. And yes, recursion has been turned off entirely. There's no concept of internal vs external, however. Just no recursion, period. All the incoming bogus DNS queries not targeting our domain are blocked off before hitting the DNS servers.
All times are GMT -5.