DNS Question
Hey Chap,
Hope you're all well and had a cracking Easter etc. I have a quick question, I think it's nothing to worry about but I'd like to ask for some advice if I may. I have recently built a couple of Bind 9 DNS Servers to replace our Windows public nameservers. I'm in the final stages of testing and everything is looking good.. however this morning I took a look in /var/log/messages and discovered the following:
Code:
Apr 13 09:14:03 NPLNX-ANS0 named[2747]: client 94.195.230.116#53487: update 'bathspa.ac.uk/IN' denied
I suspect this is just web bots / hackers attempting to transfer the zone file using nslookup or something? And the server is denying it, so it's doing its job, but is it something to worry about? Also, to be thorough I ran a TCP Dump on the box just now and I'm seeing a lot of random queries come in:
Code:
94.136.42.33.53560 > 192.168.254.80.domain: 46711% [1au] AAAA? ans1.bathspa.ac.uk. (47)
Again I assume this is just random broadcast traffic, but the reason I question it is that this server is not authoritative yet and hasn't been listed by our registrar... So, is it just that the web bots or something have discovered a new live server on our range and are just playing? Any advice appreciated.
Thanks, Jon
Quote:
Code:
Apr 13 09:14:03 NPLNX-ANS0 named[2747]: client 94.195.230.116#53487: update 'bathspa.ac.uk/IN' denied
Code:
94.136.42.33.53560 > 192.168.254.80.domain: 46711% [1au] AAAA? ans1.bathspa.ac.uk. (47)
In the dump logs I can see they are trying to perform resolution for your hosts and not for any other hosts. I hope you have recursion disabled on the server just to avoid it being doomed by excessive queries from someone.
Hey,
Thanks for the reply... This is what my conf looks like, I've not enabled ddns and recursion is off, as it's authoritative.. but should I explicitly set ddns to off? Is it on by default?
Code:
options {
Code:
zone "bathspa.ac.uk" IN {
UPDATE:
I added the following to the global options:
Code:
allow-update { none; };
Code:
Apr 13 13:10:25 NPLNX-ANS0 named[15641]: client 192.168.247.127#63114: update 'bathspa.ac.uk/IN' denied
Another update:
Looking at things closer and just to be thorough, I've added the following to the global conf:
Code:
allow-transfer { none; };
Thanks, Jon
Apologies for the spamming of replies.. just wanted to let you know that the above did not resolve this either..
Code:
Apr 13 13:26:04 NPLNX-ANS0 named[15736]: client 2.99.232.110#50240: update 'bathspa.ac.uk/IN' denied
By default in bind9 allow-update is set to none so you don't have to specify it explicitly. If you don't have DDNS enabled, as I can see from the conf file, you don't have to worry.
I might be mistaken but I have seen similar kind of entries 2-3 years back in one of my infra wherein we had DDNS enabled and DHCP was trying to update an entry for the zone which it wasn't authorized for. In case the log file is growing big you might want to configure logrotate to be more stringent.
Ah ok, thanks.. I suspected that it was not set to allow by default.
So any other ideas as to what could be causing this? Because it doesn't look right, these are being logged every 3-5 minutes.
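As an added example (not code from the thread), a small Python parser for the "update ... denied" lines quoted above: it groups the denials by client and zone, separates RFC 1918 sources (hosts on the local network, such as a DHCP server or Windows client still trying to register itself) from internet sources, and measures the spacing between events so the "every 3-5 minutes" rate can be read off the log rather than eyeballed. The sample input is the three lines from the thread plus one constructed non-BIND line; the syslog year is an assumed parameter because the log format omits it.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# One BIND 9 "update denied" line as written to /var/log/messages via syslog.
UPDATE_DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: update '(?P<zone>[^']+)' denied$"
)

# Sample input: the three lines quoted in this thread plus one constructed sshd line.
SAMPLE_LOG = """\
Apr 13 09:14:03 NPLNX-ANS0 named[2747]: client 94.195.230.116#53487: update 'bathspa.ac.uk/IN' denied
Apr 13 13:10:25 NPLNX-ANS0 named[15641]: client 192.168.247.127#63114: update 'bathspa.ac.uk/IN' denied
Apr 13 13:20:00 NPLNX-ANS0 sshd[4242]: Accepted publickey for jon from 192.168.254.10 port 51022
Apr 13 13:26:04 NPLNX-ANS0 named[15736]: client 2.99.232.110#50240: update 'bathspa.ac.uk/IN' denied
"""

def parse_update_denied(text, year=2012):
    """Return one dict per matching line. Syslog omits the year, so it is an assumed parameter."""
    events = []
    for line in text.splitlines():
        m = UPDATE_DENIED.match(line.strip())
        if m:  # anything that is not an update denial is skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"time": ts, "client": m["ip"], "zone": m["zone"]})
    return events

def summarize(events):
    """Aggregate denials by client and zone, split internal from external sources,
    and compute the mean spacing between events in seconds."""
    times = sorted(e["time"] for e in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    clients = {e["client"] for e in events}
    return {
        "by_client": Counter(e["client"] for e in events),
        "by_zone": Counter(e["zone"] for e in events),
        # RFC 1918 sources are on the local network; these deserve a look first,
        # since they are not the random internet clients the thread describes.
        "internal": sorted(c for c in clients if ip_address(c).is_private),
        "external": sorted(c for c in clients if not ip_address(c).is_private),
        "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
    }

if __name__ == "__main__":
    s = summarize(parse_update_denied(SAMPLE_LOG))
    for client, n in s["by_client"].most_common():
        print(f"{client:>16}  {n} denied update(s)")
    print("internal:", s["internal"], " external:", s["external"])
    print("mean gap between denials:", s["mean_gap_seconds"], "seconds")
```

Pipe a day's worth of /var/log/messages into parse_update_denied instead of SAMPLE_LOG to get real per-client counts; a few internal addresses dominating the list points at a misconfigured client rather than outside noise.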
You might want to check your DNS here: http://dnscheck.pingdom.com/
Also it will be a good idea to check with your ISP on why you are getting such excessive requests. I have done a random check on the IPs which accessed this server and they are from the UK. Some were from councils and some were from ISPs. So, it will be a good idea to check with your ISP on this.
You said that you are moving from Windows to Linux DNS servers. Have you ever seen such stuff with Windows DNS? Did you check with the registrar if this is due to the fact that the name servers are still not made authoritative for your domain? Though I doubt it will make a difference because the log entries are for your domain if I am not wrong, but still a check which you can perform.
Hey,
Sorry for the delay.. I never did figure out what was happening there, just assumed that as they are being denied I guess it's not causing that much of an issue. They aren't our clients, they look to be from varying places.. Strange right?