LinuxQuestions.org > Linux - Server > DNS Question
https://www.linuxquestions.org/questions/linux-server-73/dns-question-4175539547/

jonnybinthemix 04-13-2015 04:17 AM

DNS Question
 
Hey Chaps,

Hope you're all well and had a cracking Easter etc.

I have a quick question, I think it's nothing to worry about but I'd like to ask for some advice if I may.

I have recently built a couple of Bind 9 DNS Servers to replace our Windows public nameservers. I'm in the final stages of testing and everything is looking good.. however this morning I took a look in /var/log/messages and discovered the following:

Code:

Apr 13 09:14:03 NPLNX-ANS0 named[2747]: client 94.195.230.116#53487: update 'bathspa.ac.uk/IN' denied
Apr 13 09:14:47 NPLNX-ANS0 named[2747]: client 87.112.1.11#62739: update 'bathspa.ac.uk/IN' denied
Apr 13 09:14:47 NPLNX-ANS0 named[2747]: client 87.112.1.11#62741: update 'bathspa.ac.uk/IN' denied
Apr 13 09:17:01 NPLNX-ANS0 named[2747]: client 85.211.191.43#61096: update 'bathspa.ac.uk/IN' denied
Apr 13 09:18:21 NPLNX-ANS0 named[2747]: client 195.246.108.107#48039: update 'bathspa.ac.uk/IN' denied
Apr 13 09:23:08 NPLNX-ANS0 named[2747]: client 192.168.247.127#65425: update 'bathspa.ac.uk/IN' denied
Apr 13 09:24:48 NPLNX-ANS0 named[2747]: client 87.112.1.11#62796: update 'bathspa.ac.uk/IN' denied
Apr 13 09:27:02 NPLNX-ANS0 named[2747]: client 85.211.191.43#50891: update 'bathspa.ac.uk/IN' denied
Apr 13 09:28:08 NPLNX-ANS0 named[2747]: client 192.168.247.127#59315: update 'bathspa.ac.uk/IN' denied
Apr 13 09:29:48 NPLNX-ANS0 named[2747]: client 87.112.1.11#62833: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:02 NPLNX-ANS0 named[2747]: client 85.211.191.43#53214: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:44 NPLNX-ANS0 named[2747]: client 78.147.15.229#58450: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:44 NPLNX-ANS0 named[2747]: client 78.147.15.229#60869: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:44 NPLNX-ANS0 named[2747]: client 78.147.15.229#61999: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:46 NPLNX-ANS0 named[2747]: client 78.147.15.229#54263: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:49 NPLNX-ANS0 named[2747]: client 78.147.15.229#49859: update 'bathspa.ac.uk/IN' denied
Apr 13 09:42:47 NPLNX-ANS0 named[2747]: client 2.100.183.132#50642: update 'bathspa.ac.uk/IN' denied
Apr 13 09:56:48 NPLNX-ANS0 named[2747]: client 195.246.108.107#21969: update 'bathspa.ac.uk/IN' denied
Apr 13 10:01:28 NPLNX-ANS0 named[2747]: client 90.221.134.30#63756: update 'bathspa.ac.uk/IN' denied

...this is just a snippet there are loads.

I suspect this is just web bots / hackers attempting to transfer the zone file using nslookup or something? And the server is denying it, so it's doing its job, but is it something to worry about?

Also, to be thorough I ran a TCP Dump on the box just now and I'm seeing a lot of random queries come in:

Code:

    94.136.42.33.53560 > 192.168.254.80.domain: 46711% [1au] AAAA? ans1.bathspa.ac.uk. (47)
10:05:49.524159 IP (tos 0x0, ttl 50, id 55717, offset 0, flags [none], proto UDP (17), length 70)
    94.136.42.33.35587 > 192.168.254.80.domain: 28644% [1au] A? bathspa.ac.uk. (42)
10:05:52.728787 IP (tos 0x0, ttl 240, id 29133, offset 0, flags [DF], proto UDP (17), length 74)
    87.237.17.177.10407 > 192.168.254.80.domain: 16111 [1au] A? web.bathspa.ac.uk. (46)
10:05:54.519622 IP (tos 0x0, ttl 49, id 2768, offset 0, flags [none], proto UDP (17), length 70)
    91.192.40.13.63969 > 192.168.254.80.domain: 47786 [1au] MX? bathspa.ac.uk. (42)
10:06:03.094465 IP (tos 0x0, ttl 48, id 17148, offset 0, flags [none], proto UDP (17), length 66)
    157.56.96.7.51567 > 192.168.254.80.domain: 65157 TXT? _dmarc.bathspa.ac.uk. (38)
10:06:10.309209 IP (tos 0x0, ttl 49, id 48512, offset 0, flags [none], proto UDP (17), length 70)
    46.236.37.138.32486 > 192.168.254.80.domain: 43998% [1au] MX? bathspa.ac.uk. (42)
10:06:10.410928 IP (tos 0x0, ttl 50, id 39903, offset 0, flags [none], proto UDP (17), length 70)
    50.97.49.245.12183 > 192.168.254.80.domain: 14249% [1au] MX? bathspa.ac.uk. (42)
10:06:14.588607 IP (tos 0x0, ttl 55, id 23301, offset 0, flags [none], proto UDP (17), length 83)
    90.207.224.75.8547 > 192.168.254.80.domain: 38136% [1au] A? applications.bathspa.ac.uk. (55)
10:06:22.517569 IP (tos 0x0, ttl 240, id 48107, offset 0, flags [DF], proto UDP (17), length 74)
    87.237.17.173.15792 > 192.168.254.80.domain: 25323 [1au] A? web.bathspa.ac.uk. (46)
10:06:24.704393 IP (tos 0x0, ttl 52, id 15681, offset 0, flags [none], proto UDP (17), length 80)
    62.24.180.230.23753 > 192.168.254.80.domain: 60147% [1au] A? artdesign.bathspa.ac.uk. (52)
10:06:25.487860 IP (tos 0x0, ttl 79, id 8956, offset 0, flags [none], proto UDP (17), length 74)
    31.13.100.126.61312 > 192.168.254.80.domain: 26853% [1au] AAAA? ns0.bathspa.ac.uk. (46)
10:06:25.644535 IP (tos 0x0, ttl 78, id 3195, offset 0, flags [none], proto UDP (17), length 74)
    31.13.100.125.50822 > 192.168.254.80.domain: 65099% [1au] AAAA? ns0.bathspa.ac.uk. (46)
10:06:25.772564 IP (tos 0x0, ttl 79, id 57265, offset 0, flags [none], proto UDP (17), length 74)
    31.13.100.124.52360 > 192.168.254.80.domain: 53788% [1au] AAAA? ns1.bathspa.ac.uk. (46)
10:06:25.800222 IP (tos 0x0, ttl 79, id 17241, offset 0, flags [none], proto UDP (17), length 74)
    31.13.100.127.19320 > 192.168.254.80.domain: 39302% [1au] AAAA? ns1.bathspa.ac.uk. (46)
10:06:25.800250 IP (tos 0x0, ttl 78, id 17242, offset 0, flags [none], proto UDP (17), length 75)
    31.13.100.127.3371 > 192.168.254.80.domain: 5615% [1au] AAAA? ans1.bathspa.ac.uk. (47)
10:06:26.164105 IP (tos 0x0, ttl 52, id 35959, offset 0, flags [DF], proto UDP (17), length 59)
    82.165.226.7.55058 > 192.168.254.80.domain: 62973 MX? bathspa.ac.uk. (31)

...again just a snippet.

Again I assume this is just random broadcast traffic, but the reason I question it is that this server is not authoritative yet and hasn't been listed by our registrar... So, is it just that the web bots or something have discovered a new live server on our range and are just playing?

Any advice appreciated.

Thanks
Jon
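Before deciding whether log lines like the ones above are worth worrying about, it helps to aggregate them per source rather than eyeball them. The following is an added example, not code from the thread: it parses the named "update denied" lines quoted in the post, counts events per client, flags sources that sit in RFC 1918 space (one of the sources above, 192.168.247.127, does), and reports the cadence per source. Syslog lines carry no year, so 2015 is assumed; the threshold in flag_sources is an arbitrary choice for illustration.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Sample input: the "update denied" lines quoted in the post (constructed
# here as a string so the example runs offline).
SAMPLE_LOG = """\
Apr 13 09:14:03 NPLNX-ANS0 named[2747]: client 94.195.230.116#53487: update 'bathspa.ac.uk/IN' denied
Apr 13 09:14:47 NPLNX-ANS0 named[2747]: client 87.112.1.11#62739: update 'bathspa.ac.uk/IN' denied
Apr 13 09:14:47 NPLNX-ANS0 named[2747]: client 87.112.1.11#62741: update 'bathspa.ac.uk/IN' denied
Apr 13 09:17:01 NPLNX-ANS0 named[2747]: client 85.211.191.43#61096: update 'bathspa.ac.uk/IN' denied
Apr 13 09:18:21 NPLNX-ANS0 named[2747]: client 195.246.108.107#48039: update 'bathspa.ac.uk/IN' denied
Apr 13 09:23:08 NPLNX-ANS0 named[2747]: client 192.168.247.127#65425: update 'bathspa.ac.uk/IN' denied
Apr 13 09:24:48 NPLNX-ANS0 named[2747]: client 87.112.1.11#62796: update 'bathspa.ac.uk/IN' denied
Apr 13 09:27:02 NPLNX-ANS0 named[2747]: client 85.211.191.43#50891: update 'bathspa.ac.uk/IN' denied
Apr 13 09:28:08 NPLNX-ANS0 named[2747]: client 192.168.247.127#59315: update 'bathspa.ac.uk/IN' denied
Apr 13 09:29:48 NPLNX-ANS0 named[2747]: client 87.112.1.11#62833: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:02 NPLNX-ANS0 named[2747]: client 85.211.191.43#53214: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:44 NPLNX-ANS0 named[2747]: client 78.147.15.229#58450: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:44 NPLNX-ANS0 named[2747]: client 78.147.15.229#60869: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:44 NPLNX-ANS0 named[2747]: client 78.147.15.229#61999: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:46 NPLNX-ANS0 named[2747]: client 78.147.15.229#54263: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:49 NPLNX-ANS0 named[2747]: client 78.147.15.229#49859: update 'bathspa.ac.uk/IN' denied
Apr 13 09:42:47 NPLNX-ANS0 named[2747]: client 2.100.183.132#50642: update 'bathspa.ac.uk/IN' denied
Apr 13 09:56:48 NPLNX-ANS0 named[2747]: client 195.246.108.107#21969: update 'bathspa.ac.uk/IN' denied
Apr 13 10:01:28 NPLNX-ANS0 named[2747]: client 90.221.134.30#63756: update 'bathspa.ac.uk/IN' denied
"""

# Matches the exact shape BIND 9 uses for a refused dynamic update.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied$"
)


def parse_denied_updates(text, year=2015):
    """Return a list of (timestamp, client_ip, zone) for every matching line.

    The year is assumed because syslog timestamps do not carry one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["zone"]))
    return events


def summarise(events):
    """Per-source count, RFC 1918 flag and median gap between attempts."""
    per_ip = defaultdict(list)
    for ts, ip, _zone in events:
        per_ip[ip].append(ts)
    report = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[ip] = {
            "count": len(stamps),
            "internal": ipaddress.ip_address(ip).is_private,
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return report


def flag_sources(report, min_count=2):
    """Sources with repeated attempts, busiest first (threshold is arbitrary)."""
    repeat = [(ip, r["count"]) for ip, r in report.items() if r["count"] >= min_count]
    return [ip for ip, _ in sorted(repeat, key=lambda t: (-t[1], t[0]))]


if __name__ == "__main__":
    rep = summarise(parse_denied_updates(SAMPLE_LOG))
    for ip in flag_sources(rep):
        r = rep[ip]
        where = "internal" if r["internal"] else "external"
        print(f"{ip:16} {r['count']:3} attempts  {where:8} median gap {r['median_gap_s']}s")
```

Run it against the full /var/log/messages instead of SAMPLE_LOG to see which sources keep coming back and whether any of them are on your own address space; a regular cadence from one source is what a misconfigured client registering itself looks like, whereas one-off attempts from many sources look more like scanning.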

T3RM1NVT0R 04-13-2015 06:54 AM

Code:

Apr 13 09:14:03 NPLNX-ANS0 named[2747]: client 94.195.230.116#53487: update 'bathspa.ac.uk/IN' denied
Apr 13 09:14:47 NPLNX-ANS0 named[2747]: client 87.112.1.11#62739: update 'bathspa.ac.uk/IN' denied
Apr 13 09:14:47 NPLNX-ANS0 named[2747]: client 87.112.1.11#62741: update 'bathspa.ac.uk/IN' denied
Apr 13 09:17:01 NPLNX-ANS0 named[2747]: client 85.211.191.43#61096: update 'bathspa.ac.uk/IN' denied
Apr 13 09:18:21 NPLNX-ANS0 named[2747]: client 195.246.108.107#48039: update 'bathspa.ac.uk/IN' denied
Apr 13 09:23:08 NPLNX-ANS0 named[2747]: client 192.168.247.127#65425: update 'bathspa.ac.uk/IN' denied
Apr 13 09:24:48 NPLNX-ANS0 named[2747]: client 87.112.1.11#62796: update 'bathspa.ac.uk/IN' denied
Apr 13 09:27:02 NPLNX-ANS0 named[2747]: client 85.211.191.43#50891: update 'bathspa.ac.uk/IN' denied
Apr 13 09:28:08 NPLNX-ANS0 named[2747]: client 192.168.247.127#59315: update 'bathspa.ac.uk/IN' denied
Apr 13 09:29:48 NPLNX-ANS0 named[2747]: client 87.112.1.11#62833: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:02 NPLNX-ANS0 named[2747]: client 85.211.191.43#53214: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:44 NPLNX-ANS0 named[2747]: client 78.147.15.229#58450: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:44 NPLNX-ANS0 named[2747]: client 78.147.15.229#60869: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:44 NPLNX-ANS0 named[2747]: client 78.147.15.229#61999: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:46 NPLNX-ANS0 named[2747]: client 78.147.15.229#54263: update 'bathspa.ac.uk/IN' denied
Apr 13 09:32:49 NPLNX-ANS0 named[2747]: client 78.147.15.229#49859: update 'bathspa.ac.uk/IN' denied
Apr 13 09:42:47 NPLNX-ANS0 named[2747]: client 2.100.183.132#50642: update 'bathspa.ac.uk/IN' denied
Apr 13 09:56:48 NPLNX-ANS0 named[2747]: client 195.246.108.107#21969: update 'bathspa.ac.uk/IN' denied
Apr 13 10:01:28 NPLNX-ANS0 named[2747]: client 90.221.134.30#63756: update 'bathspa.ac.uk/IN' denied

Do you have dynamic DNS enabled for this DNS server? The messages appear to be because of that. What it is saying is that it denied the update, for the obvious reason that the machine which tried to update doesn't match the TSIG keys, so DNS didn't allow it to update, fair enough. My question is why you need DDNS on a public DNS server? They wouldn't be able to update, but they can definitely fill your log file for no reason. This is something you would like to check in your DNS config, if you have DDNS enabled.

Code:

    94.136.42.33.53560 > 192.168.254.80.domain: 46711% [1au] AAAA? ans1.bathspa.ac.uk. (47)
10:05:49.524159 IP (tos 0x0, ttl 50, id 55717, offset 0, flags [none], proto UDP (17), length 70)
    94.136.42.33.35587 > 192.168.254.80.domain: 28644% [1au] A? bathspa.ac.uk. (42)
10:05:52.728787 IP (tos 0x0, ttl 240, id 29133, offset 0, flags [DF], proto UDP (17), length 74)
    87.237.17.177.10407 > 192.168.254.80.domain: 16111 [1au] A? web.bathspa.ac.uk. (46)
10:05:54.519622 IP (tos 0x0, ttl 49, id 2768, offset 0, flags [none], proto UDP (17), length 70)
    91.192.40.13.63969 > 192.168.254.80.domain: 47786 [1au] MX? bathspa.ac.uk. (42)
10:06:03.094465 IP (tos 0x0, ttl 48, id 17148, offset 0, flags [none], proto UDP (17), length 66)
    157.56.96.7.51567 > 192.168.254.80.domain: 65157 TXT? _dmarc.bathspa.ac.uk. (38)
10:06:10.309209 IP (tos 0x0, ttl 49, id 48512, offset 0, flags [none], proto UDP (17), length 70)
    46.236.37.138.32486 > 192.168.254.80.domain: 43998% [1au] MX? bathspa.ac.uk. (42)
10:06:10.410928 IP (tos 0x0, ttl 50, id 39903, offset 0, flags [none], proto UDP (17), length 70)
    50.97.49.245.12183 > 192.168.254.80.domain: 14249% [1au] MX? bathspa.ac.uk. (42)
10:06:14.588607 IP (tos 0x0, ttl 55, id 23301, offset 0, flags [none], proto UDP (17), length 83)
    90.207.224.75.8547 > 192.168.254.80.domain: 38136% [1au] A? applications.bathspa.ac.uk. (55)
10:06:22.517569 IP (tos 0x0, ttl 240, id 48107, offset 0, flags [DF], proto UDP (17), length 74)
    87.237.17.173.15792 > 192.168.254.80.domain: 25323 [1au] A? web.bathspa.ac.uk. (46)
10:06:24.704393 IP (tos 0x0, ttl 52, id 15681, offset 0, flags [none], proto UDP (17), length 80)
    62.24.180.230.23753 > 192.168.254.80.domain: 60147% [1au] A? artdesign.bathspa.ac.uk. (52)
10:06:25.487860 IP (tos 0x0, ttl 79, id 8956, offset 0, flags [none], proto UDP (17), length 74)
    31.13.100.126.61312 > 192.168.254.80.domain: 26853% [1au] AAAA? ns0.bathspa.ac.uk. (46)
10:06:25.644535 IP (tos 0x0, ttl 78, id 3195, offset 0, flags [none], proto UDP (17), length 74)
    31.13.100.125.50822 > 192.168.254.80.domain: 65099% [1au] AAAA? ns0.bathspa.ac.uk. (46)
10:06:25.772564 IP (tos 0x0, ttl 79, id 57265, offset 0, flags [none], proto UDP (17), length 74)
    31.13.100.124.52360 > 192.168.254.80.domain: 53788% [1au] AAAA? ns1.bathspa.ac.uk. (46)
10:06:25.800222 IP (tos 0x0, ttl 79, id 17241, offset 0, flags [none], proto UDP (17), length 74)
    31.13.100.127.19320 > 192.168.254.80.domain: 39302% [1au] AAAA? ns1.bathspa.ac.uk. (46)
10:06:25.800250 IP (tos 0x0, ttl 78, id 17242, offset 0, flags [none], proto UDP (17), length 75)
    31.13.100.127.3371 > 192.168.254.80.domain: 5615% [1au] AAAA? ans1.bathspa.ac.uk. (47)
10:06:26.164105 IP (tos 0x0, ttl 52, id 35959, offset 0, flags [DF], proto UDP (17), length 59)
    82.165.226.7.55058 > 192.168.254.80.domain: 62973 MX? bathspa.ac.uk. (31)

Yes, web bots do perform checks, I have seen them doing it for my website, but you have to see the pattern. If they are doing it once in a while that is fine, but if it is excessive then there is a problem.

In the dump logs I can see they are trying to perform resolution for your hosts and not for any other hosts. I hope you have recursion disabled on the server just to avoid it being doomed by excessive queries from someone.

jonnybinthemix 04-13-2015 07:03 AM

Hey,

Thanks for the reply...

This is what my conf looks like. I've not enabled DDNS and recursion is off, as it's authoritative.. but should I explicitly set DDNS to off? Is it on by default?


Code:

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory      "/var/named";
        dump-file      "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion no;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

Notify and transfer is configured on a per zone basis as below:

Code:

zone "bathspa.ac.uk" IN {
        type master;
        file "bathspa.ac.uk.dns";
        allow-transfer { 192.168.252.11; };
        allow-query { any; };
        notify yes;
        also-notify { 192.168.252.11; };
};


jonnybinthemix 04-13-2015 07:14 AM

UPDATE:

I added the following to the global options:

Code:

allow-update { none; };

However a quick check of the logs shows that it's done nothing... Still getting denied updates.

Code:

Apr 13 13:10:25 NPLNX-ANS0 named[15641]: client 192.168.247.127#63114: update 'bathspa.ac.uk/IN' denied
Apr 13 13:10:26 NPLNX-ANS0 named[15641]: client 192.168.247.127#56271: update 'bathspa.ac.uk/IN' denied
Apr 13 13:12:27 NPLNX-ANS0 named[15641]: client 81.170.59.92#28086: update 'bathspa.ac.uk/IN' denied
Apr 13 13:12:53 NPLNX-ANS0 named[15641]: client 78.147.15.229#50604: update 'bathspa.ac.uk/IN' denied
Apr 13 13:12:53 NPLNX-ANS0 named[15641]: client 78.147.15.229#57444: update 'bathspa.ac.uk/IN' denied
Apr 13 13:13:02 NPLNX-ANS0 named[15641]: client 81.170.59.92#28118: update 'bathspa.ac.uk/IN' denied
Apr 13 13:13:02 NPLNX-ANS0 named[15641]: client 81.170.59.92#28119: update 'bathspa.ac.uk/IN' denied

Am I right in saying that if it were DDNS causing this issue, the above mentioned directive in the conf should stop it from happening?

jonnybinthemix 04-13-2015 07:23 AM

Another update:

Looking at things closer, and just to be thorough, I've added the following to the global conf:

Code:

allow-transfer { none; };
allow-update { none; };
allow-recursion { none; };
recursion no;

If I remember correctly the zone options override the global options? So, allow-transfer { x.x.x.x; }; should still allow transfers to the slave?? Although as I'm typing, I guess I don't really need to add allow-transfer to each zone, as the slave is a listed NS in the SOA so zone transfers would happen anyway when the zone expires?

Thanks
Jon

jonnybinthemix 04-13-2015 07:27 AM

Apologies for the spamming of replies.. just wanted to let you know that the above did not resolve this either..

Code:

Apr 13 13:26:04 NPLNX-ANS0 named[15736]: client 2.99.232.110#50240: update 'bathspa.ac.uk/IN' denied

T3RM1NVT0R 04-13-2015 07:37 AM

By default in bind9 allow-update is set to none, so you don't have to specify it explicitly. If you don't have DDNS enabled, as I can see from the conf file, you don't have to worry.

I might be mistaken, but I have seen similar kinds of entries 2-3 years back in one of my infras wherein we had DDNS enabled and DHCP was trying to update an entry for a zone which it wasn't authorized for.

In case the log file is growing big you might want to configure logrotate to be more stringent.

jonnybinthemix 04-13-2015 08:22 AM

Ah ok, thanks.. I suspected that it was not set to allow by default.

So any other ideas as to what could be causing this? Because it doesn't look right, these are being logged every 3-5 minutes.

T3RM1NVT0R 04-13-2015 02:18 PM

You might want to check your DNS here: http://dnscheck.pingdom.com/

Also it will be a good idea to check with your ISP on why you are getting such excessive requests. I have done a random check on the IPs which accessed this server and they are from the UK. Some were from councils and some were from ISPs. So, it will be a good idea to check with your ISP on this.

T3RM1NVT0R 04-13-2015 02:32 PM

You said that you are moving from Windows to Linux DNS servers. Have you ever seen such stuff with Windows DNS? Did you check with the registrar if this is due to the fact that the name servers are still not made authoritative for your domain? Though I doubt it will make a difference, because the log entries are for your domain if I am not wrong, but still a check which you can perform.

kpt65 04-16-2015 02:34 PM

Quote:

Originally Posted by jonnybinthemix (Post 5346634)
UPDATE:

I added the following to the global options:

Code:

allow-update { none; };

However a quick check of the logs shows that it's done nothing... Still getting denied updates.

Code:

Apr 13 13:10:25 NPLNX-ANS0 named[15641]: client 192.168.247.127#63114: update 'bathspa.ac.uk/IN' denied
Apr 13 13:10:26 NPLNX-ANS0 named[15641]: client 192.168.247.127#56271: update 'bathspa.ac.uk/IN' denied
Apr 13 13:12:27 NPLNX-ANS0 named[15641]: client 81.170.59.92#28086: update 'bathspa.ac.uk/IN' denied
Apr 13 13:12:53 NPLNX-ANS0 named[15641]: client 78.147.15.229#50604: update 'bathspa.ac.uk/IN' denied
Apr 13 13:12:53 NPLNX-ANS0 named[15641]: client 78.147.15.229#57444: update 'bathspa.ac.uk/IN' denied
Apr 13 13:13:02 NPLNX-ANS0 named[15641]: client 81.170.59.92#28118: update 'bathspa.ac.uk/IN' denied
Apr 13 13:13:02 NPLNX-ANS0 named[15641]: client 81.170.59.92#28119: update 'bathspa.ac.uk/IN' denied

Am I right in saying that if it were DDNS causing this issue, the above mentioned directive in the conf should stop it from happening?

Um, those "clients" are trying to update your zone (as in, misconfigured DDNS client). Have you found out what they are? Are they yours or someone else's?
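The named log line only records the client address. To find out what a client is actually trying to do, you need the UPDATE message itself: an RFC 2136 UPDATE (opcode 5) names the zone, then lists the records it wants added or deleted, which is where a self-registering host gives away its own name. The following is an added example, not code from the thread or from BIND: it builds a constructed, unsigned UPDATE for a made-up host (lab-pc.bathspa.ac.uk, 192.168.1.10) of the same shape as the attempts being denied, decodes it back into its sections, and produces the tcpdump filter expression that captures only UPDATE opcodes on port 53. No TSIG handling is attempted beyond noticing whether a TSIG record is present.

```python
import struct

OPCODE_UPDATE = 5
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
TYPES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA",
         250: "TSIG", 255: "ANY"}


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Read a name at buf[off], following compression pointers; returns (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, 14-bit offset
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def read_rr(buf, off):
    """Parse one resource record (prerequisite, update and additional sections share the layout)."""
    name, off = decode_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    rdata = buf[off:off + rdlen]
    off += rdlen
    value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
    return {"name": name, "type": TYPES.get(rtype, str(rtype)), "class": rclass,
            "ttl": ttl, "rdata": value}, off


def build_update(msg_id, zone, name, ipv4, ttl=1200):
    """Constructed RFC 2136 UPDATE adding one A record, unsigned (no TSIG)."""
    # Header: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)   # ZTYPE=SOA, ZCLASS=IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_rr = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr


def parse_update(buf):
    """Decode a DNS message's header and sections; works for queries too (same layout)."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    zones = []
    for _ in range(zocount):
        name, off = decode_name(buf, off)
        off += 4  # ZTYPE, ZCLASS
        zones.append(name)
    sections = {}
    for key, count in (("prereqs", prcount), ("updates", upcount), ("additional", adcount)):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(buf, off)
            rrs.append(rr)
        sections[key] = rrs
    opcode = (flags >> 11) & 0xF
    return {"id": msg_id, "opcode": OPCODES.get(opcode, str(opcode)), "zones": zones,
            "signed": any(rr["type"] == "TSIG" for rr in sections["additional"]),
            **sections}


def bpf_filter_for_update():
    """tcpdump expression matching only UPDATE opcodes: udp[10] is byte 2 of the DNS header,
    whose bits 6..3 hold the opcode, so mask 0x78 and compare with opcode << 3."""
    return f"udp port 53 and (udp[10] & 0x78) = {hex(OPCODE_UPDATE << 3)}"


if __name__ == "__main__":
    pkt = build_update(0x1234, "bathspa.ac.uk.", "lab-pc.bathspa.ac.uk.", "192.168.1.10")
    info = parse_update(pkt)
    print(info["opcode"], info["zones"], info["updates"], "signed:", info["signed"])
    print("capture with: tcpdump -n -w updates.pcap", repr(bpf_filter_for_update()))
```

Capturing with that filter and feeding each packet's UDP payload to parse_update shows, per source address, the zone and the record each client is trying to write; a client that keeps adding an A record for its own hostname is a machine with your domain as its DNS suffix and dynamic registration switched on, not a transfer attempt.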

jonnybinthemix 04-30-2015 04:03 AM

Hey,

Sorry for the delay..

I never did figure out what was happening there, just assumed that as they are being denied I guess it's not causing that much of an issue.

They aren't our clients, they look to be from varying places..

Strange right?

