Re: Bind 9 not responding to queries

2020-04-12 Thread sir izake
OK Stephane,

There's no firewall or IPS in front of the DNS, only the CentOS firewall
policy permitting DNS traffic.

Sure, I will take the tcpdump and revert.

Thanks & Best Regards
Isaac

On Sun, 12 Apr 2020, 3:48 pm Stephane Bortzmeyer, wrote:

> On Sun, Apr 12, 2020 at 01:41:52AM +,
>  sir izake  wrote
>  a message of 153 lines which said:
>
> > At specific times of day bind fails to respond to queries even
> > though service is shown to run (configured to respond to my network
> > IPs, this works fine till this time when service fails to answer
> > queries)
>
> The problem may be because of another component in your network. Are
> you sure there is not some sort of firewall or IPS in front of BIND,
> which decided to drop packets? Check with tcpdump or similar tools
> that the machine with BIND does receive the queries.
>
> > Apr 11 22:38:09 #  kernel: TCP: request_sock_TCP: Possible SYN flooding
> > on port 53. Sending cookies.  Check SNMP counters.
>
> This may indeed be a DoS attack, but maybe not. Check with tcpdump
> what sort of traffic you receive. Also, the message is for TCP but DNS
> works mostly with UDP, so it may have nothing to do with your problem.
>
> > Could the log point to a DDoS attack (how do I mitigate)?
>
> It depends. There is no general rule to deal with DoS attacks; you need
> to investigate first.
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Bind 9 not responding to queries

2020-04-12 Thread Stephane Bortzmeyer
On Sun, Apr 12, 2020 at 01:41:52AM +,
 sir izake  wrote 
 a message of 153 lines which said:

> At specific times of day bind fails to respond to queries even
> though service is shown to run (configured to respond to my network
> IPs, this works fine till this time when service fails to answer
> queries)

The problem may be because of another component in your network. Are
you sure there is not some sort of firewall or IPS in front of BIND,
which decided to drop packets? Check with tcpdump or similar tools
that the machine with BIND does receive the queries.

> Apr 11 22:38:09 #  kernel: TCP: request_sock_TCP: Possible SYN flooding
> on port 53. Sending cookies.  Check SNMP counters.

This may indeed be a DoS attack, but maybe not. Check with tcpdump
what sort of traffic you receive. Also, the message is for TCP but DNS
works mostly with UDP, so it may have nothing to do with your problem.

> Could the log point to a DDoS attack (how do I mitigate)?

It depends. There is no general rule to deal with DoS attacks; you need
to investigate first.


RE: Bind 9 not responding to queries

2020-04-12 Thread John W. Blue
Sir Izake,

Any network troubleshooting starts with finding out what is being placed on the 
wire.  In your particular example it sounds like you need to validate if this 
Cent box is seeing a SYN flood.  You do this by using tcpdump.

Assuming you only have one ethernet adapter (which by extension rules out its 
use as a proxy or a bridge) you would issue the following command:

sudo tcpdump 'tcp[13] & 2!=0'

You should see something like this start showing up:

10:27:43.627614 IP 197.2.11.116.33465 > 10.41.32.21.domain: Flags [S], seq 166424657, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0

Source IP is on the left of the > and destination IP is on the right.  From 
there you can begin to make informed decisions about your next steps.

Finally, if you have never used tcpdump here is a great resource to get started 
with on how to play around with the different commands:

https://danielmiessler.com/study/tcpdump/

Good hunting!

John


From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of sir 
izake
Sent: Saturday, April 11, 2020 8:42 PM
To: bind-users@lists.isc.org
Subject: Bind 9 not responding to queries

Hi Support

I have installed BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el8 on CentOS Linux release 
8.1.1911.

I have configured bind as a recursive server for my network. At specific times 
of day bind fails to respond to queries even though service is shown to run 
(configured to respond to my network IPs, this works fine till this time when 
service fails to answer queries)

I have looked through the logs and found the below:

Apr 10 20:12:43 # automatic empty zone: B.E.F.IP6.ARPA
Apr 10 20:12:43 # named[25445]: automatic empty zone: 
8.B.D.0.1.0.0.2.IP6.AR>
Apr 10 20:12:43 # named[25445]: automatic empty zone: EMPTY.AS112.ARPA
Apr 10 20:12:43  #  named[25445]: automatic empty zone: HOME.ARPA
Apr 10 20:12:43 # named[25445]: none:103: 'max-cache-size 90%' - setting to 
>
Apr 10 20:12:44 # # named[25445]: configuring command channel from 
'/etc/rndc.>
Apr 10 20:12:44 # named[25445]: command channel listening on 127.0.0.1#953
Apr 10 20:12:44 # named[25445]: configuring command channel from 
'/etc/rndc.>
Apr 10 20:12:44 # named[25445]: command channel listening on ::1#953

others

Apr 11 22:38:01 # systemd[1]: Started Session 29 of user ABC.
Apr 11 22:38:04 #  dbus-daemon[13352]: [system] Activating via systemd: 
service name='net.reactivated.Fprint' unit='fprintd.service' requested by 
':1.24116' (uid=0 pid=5364 comm="su - " 
label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Apr 11 22:38:04 #  systemd[1]: Starting Fingerprint Authentication Daemon...
Apr 11 22:38:04 #  dbus-daemon[13352]: [system] Successfully activated 
service 'net.reactivated.Fprint'
Apr 11 22:38:04 #  systemd[1]: Started Fingerprint Authentication Daemon.
Apr 11 22:38:09 #  kernel: TCP: request_sock_TCP: Possible SYN flooding on 
port 53. Sending cookies.  Check SNMP counters.

Could the log point to a DDoS attack (how do I mitigate)?

I have tried to update bind but it looks like it's the stable one for CentOS 8.

Please advise what can be done to prevent the intermittent failures.

Regards
Isaac

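The filter John gives, `tcp[13] & 2!=0`, reads the TCP flags byte (offset 13 of the TCP header) and tests the SYN bit; Stephane's point is that DNS is mostly UDP, so TCP SYNs and UDP queries need to be looked at separately. The Python below is an added example, not code from John, Stephane or the bind-users list: it reads tcpdump's default text output, reproduces the flags test in Python, and counts per source address how many pure SYNs (SYN set, ACK clear) and how many UDP queries reached port 53. The capture lines are constructed for the example (the first one is John's sample line; 192.0.2.x are documentation addresses), and the alert threshold is an arbitrary local choice, not a recommendation.

```python
"""Summarise tcpdump text output: who is sending SYNs and UDP queries to port 53."""
import re
from collections import Counter

# Bits of the TCP flags byte, i.e. the byte the BPF expression 'tcp[13]' reads.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# tcpdump prints the flags as letters inside 'Flags [...]'; '.' stands for ACK.
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG}

# Default tcpdump line: "HH:MM:SS.usec IP src.port > dst.port: <decoded payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def syn_filter(flags_byte):
    """Python equivalent of the capture filter 'tcp[13] & 2 != 0'.
    Note that it is also true for SYN-ACK, i.e. the server's own replies."""
    return flags_byte & SYN != 0


def is_pure_syn(flags_byte):
    """A connection attempt: SYN set and ACK clear (what a SYN flood consists of)."""
    return flags_byte & (SYN | ACK) == SYN


def flags_from_letters(letters):
    """Turn tcpdump's flag letters (e.g. 'S.') back into the flags byte."""
    return sum(FLAG_LETTERS.get(ch, 0) for ch in letters)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if the line is in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fm = FLAGS_RE.search(rec["rest"])
    if fm:                          # a TCP segment
        rec["proto"] = "tcp"
        rec["flags"] = flags_from_letters(fm.group(1))
    else:                           # tcpdump decodes UDP/53 as a DNS message instead
        rec["proto"] = "udp"
        rec["flags"] = 0
    return rec


def summarise(lines, dns_ports=("domain", "53")):
    """Per source address: pure SYNs to port 53 and UDP queries to port 53."""
    syns, udp = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in dns_ports:
            continue                # not addressed to the DNS port (or not parseable)
        if rec["proto"] == "tcp" and is_pure_syn(rec["flags"]):
            syns[rec["src"]] += 1
        elif rec["proto"] == "udp":
            udp[rec["src"]] += 1
    return syns, udp


def suspicious_sources(syns, threshold):
    """Sources that sent more than `threshold` pure SYNs (threshold is a local choice)."""
    return sorted(src for src, n in syns.items() if n > threshold)


# Constructed sample capture: John's line, the server's SYN-ACK reply, more SYNs
# from the same source, and two ordinary UDP queries.
SAMPLE = """\
10:27:43.627614 IP 197.2.11.116.33465 > 10.41.32.21.domain: Flags [S], seq 166424657, win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
10:27:43.627701 IP 10.41.32.21.domain > 197.2.11.116.33465: Flags [S.], seq 1, ack 166424658, win 29200, length 0
10:27:43.630001 IP 197.2.11.116.33466 > 10.41.32.21.domain: Flags [S], seq 2, win 8192, length 0
10:27:43.630105 IP 197.2.11.116.33467 > 10.41.32.21.domain: Flags [S], seq 3, win 8192, length 0
10:27:43.630211 IP 197.2.11.116.33468 > 10.41.32.21.domain: Flags [S], seq 4, win 8192, length 0
10:27:44.100000 IP 192.0.2.5.41234 > 10.41.32.21.domain: 12345+ A? example.com. (29)
10:27:44.100500 IP 192.0.2.5.41234 > 10.41.32.21.domain: Flags [S], seq 5, win 65535, length 0
10:27:44.200000 IP 192.0.2.9.52000 > 10.41.32.21.domain: 4321+ AAAA? example.net. (30)
"""

if __name__ == "__main__":
    syn_counts, udp_counts = summarise(SAMPLE.splitlines())
    for src, n in syn_counts.most_common():
        print(f"{src:<16} pure SYNs to port 53: {n}")
    for src, n in udp_counts.most_common():
        print(f"{src:<16} UDP queries to port 53: {n}")
    print("over threshold:", suspicious_sources(syn_counts, 3))
```

Two caveats worth keeping in mind when reading the capture: `tcp[13] & 2!=0` also matches the SYN-ACK segments the server itself sends back (that is why the code tests for SYN-and-not-ACK), and a capture filter such as `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 53` narrows tcpdump to inbound connection attempts only. The kernel's "Check SNMP counters" hint refers to `/proc/net/netstat`; `nstat -az TcpExtSyncookiesSent` shows how often the kernel actually had to fall back to SYN cookies, which tells you whether the message was a one-off or a sustained condition.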



Bind 9 not responding to queries

2020-04-12 Thread sir izake
Hi Support

I have installed BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el8 on CentOS Linux
release 8.1.1911.

I have configured bind as a recursive server for my network. At specific
times of day bind fails to respond to queries even though service is shown
to run (configured to respond to my network IPs, this works fine till this
time when service fails to answer queries)

I have looked through the logs and found the below:

Apr 10 20:12:43 # automatic empty zone: B.E.F.IP6.ARPA
Apr 10 20:12:43 # named[25445]: automatic empty zone:
8.B.D.0.1.0.0.2.IP6.AR>
Apr 10 20:12:43 # named[25445]: automatic empty zone: EMPTY.AS112.ARPA
Apr 10 20:12:43  #  named[25445]: automatic empty zone: HOME.ARPA
Apr 10 20:12:43 # named[25445]: none:103: 'max-cache-size 90%' -
setting to >
Apr 10 20:12:44 # # named[25445]: configuring command channel from
'/etc/rndc.>
Apr 10 20:12:44 # named[25445]: command channel listening on
127.0.0.1#953
Apr 10 20:12:44 # named[25445]: configuring command channel from
'/etc/rndc.>
Apr 10 20:12:44 # named[25445]: command channel listening on ::1#953

others

Apr 11 22:38:01 # systemd[1]: Started Session 29 of user ABC.
Apr 11 22:38:04 #  dbus-daemon[13352]: [system] Activating via systemd:
service name='net.reactivated.Fprint' unit='fprintd.service' requested by
':1.24116' (uid=0 pid=5364 comm="su - "
label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Apr 11 22:38:04 #  systemd[1]: Starting Fingerprint Authentication
Daemon...
Apr 11 22:38:04 #  dbus-daemon[13352]: [system] Successfully activated
service 'net.reactivated.Fprint'
Apr 11 22:38:04 #  systemd[1]: Started Fingerprint Authentication
Daemon.
Apr 11 22:38:09 #  kernel: TCP: request_sock_TCP: Possible SYN flooding
on port 53. Sending cookies.  Check SNMP counters.

Could the log point to a DDoS attack (how do I mitigate)?

I have tried to update bind but it looks like it's the stable one for CentOS 8.

Please advise what can be done to prevent the intermittent failures.

Regards
Isaac