Re: outgoing-traffic
I thought port 0 was never valid as either source or destination.

On Wed, 27 Jul 2016 11:22:06 +0300 "Ejaz" <me...@cyberia.net.sa> wrote:

> Thank you.
>
> The traffic will go to the router, which is handled by the Network dept.
> The fear is that the router may crash if we start enabling the
> packet capture, since it is layer 7.
>
> Is it advisable to deny outbound UDP port 0 from the DNS servers,
> after enabling the firewall?
>
> Ejaz
>
> -----Original Message-----
> From: S Carr [mailto:sjc...@gmail.com]
> Sent: Wednesday, July 27, 2016 10:51 AM
> To: Ejaz <me...@cyberia.net.sa>
> Cc: bind-users <bind-users@lists.isc.org>
> Subject: Re: outgoing-traffic
>
> On 27 July 2016 at 08:41, Ejaz <me...@cyberia.net.sa> wrote:
> > Thanks for all.
> >
> > But the strange thing is that if the request comes in on port 53 then
> > it should go out only from 53, is it? Why does it go out from 0? Any clue
> > would be highly appreciated.
> >
> > Regards
> > Ejaz
>
> Where's the packet capture to review?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: outgoing-traffic
On 27 July 2016 at 15:10, Matus UHLAR - fantomas wrote:
> however, if no responses will come from his server, it's more likely that
> the queries will stop.

On 27.07.16 15:19, S Carr wrote:
> If you look at the capture there doesn't appear to be any responses being
> sent for the ANY queries to start with, yet the queries keep coming.

you seem to be the only one who got the capture (in a private mail).
(and no, I'm not interested in seeing it anymore, I trust you).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (in Slovak): I do not want to receive any advertising mail at this address.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: outgoing-traffic
On 27 July 2016 at 15:10, Matus UHLAR - fantomas wrote:
> however, if no responses will come from his server, it's more likely that
> the queries will stop.

If you look at the capture there doesn't appear to be any responses being
sent for the ANY queries to start with, yet the queries keep coming.
RE: outgoing-traffic
> Denying the request isn't going to solve anything in this case, they are
> still going to repeatedly ask for it and the traffic has already hit your
> system before ANY queries would be denied.

Agreed, but at least it minimizes the problem: if the request is 50 bytes,
then the response is also 50 bytes and not more than that?

Ejaz

-----Original Message-----
From: S Carr [mailto:sjc...@gmail.com]
Sent: Wednesday, July 27, 2016 4:58 PM
To: Ejaz <me...@cyberia.net.sa>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 14:44, Ejaz <me...@cyberia.net.sa> wrote:
> Such as, if someone is sending an ANY request, by default it should be denied
> when users request it..

Denying the request isn't going to solve anything in this case, they are
still going to repeatedly ask for it and the traffic has already hit your
system before ANY queries would be denied.
Re: outgoing-traffic
On 27 July 2016 at 14:44, Ejaz wrote:
> Such as, if someone is sending an ANY request, by default it should be denied
> when users request it..

On 27.07.16 14:57, S Carr wrote:
> Denying the request isn't going to solve anything in this case, they are
> still going to repeatedly ask for it and the traffic has already hit your
> system before ANY queries would be denied.

however, if no responses will come from his server, it's more likely that
the queries will stop.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (in Slovak): I do not want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
RE: outgoing-traffic
Oh, I am sorry for my misunderstanding. I was thinking 9.1.1, not 9.11.
OK, that is fine. I will upgrade it to 9.11 and see if it controls it.

Thank you so much for all.

Ejaz

-----Original Message-----
From: Reindl Harald [mailto:h.rei...@thelounge.net]
Sent: Wednesday, July 27, 2016 4:58 PM
To: Ejaz <me...@cyberia.net.sa>
Cc: 'bind-users' <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

On 27.07.2016 at 15:55, Ejaz wrote:
> You mean I need to downgrade my bind to 9.11, as my current version is
> "BIND 9.9.2-P1"

in which country is 11 smaller than 9

9.11 is the *next* upcoming version

> -----Original Message-----
> From: Tony Finch [mailto:d...@dotat.at]
> Sent: Wednesday, July 27, 2016 4:49 PM
> To: Ejaz <me...@cyberia.net.sa>
> Cc: 'S Carr' <sjc...@gmail.com>; 'bind-users' <bind-users@lists.isc.org>
> Subject: RE: outgoing-traffic
>
> Ejaz <me...@cyberia.net.sa> wrote:
>
>> Such as, if someone is sending an ANY request, by default it should be
>> denied when users request it..
>
> BIND 9.11 will have a minimal-any option.
>
> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
> https://lists.isc.org/pipermail/bind-users/2016-July/097226.html
Re: outgoing-traffic
On 27 July 2016 at 14:44, Ejaz wrote:
> Such as, if someone is sending an ANY request, by default it should be denied
> when users request it..

Denying the request isn't going to solve anything in this case, they are
still going to repeatedly ask for it and the traffic has already hit your
system before ANY queries would be denied.
RE: outgoing-traffic
Hello,

You mean I need to downgrade my bind to 9.11, as my current version is
"BIND 9.9.2-P1"

Ejaz

-----Original Message-----
From: Tony Finch [mailto:d...@dotat.at]
Sent: Wednesday, July 27, 2016 4:49 PM
To: Ejaz <me...@cyberia.net.sa>
Cc: 'S Carr' <sjc...@gmail.com>; 'bind-users' <bind-users@lists.isc.org>
Subject: RE: outgoing-traffic

Ejaz <me...@cyberia.net.sa> wrote:
>
> Such as, if someone is sending an ANY request, by default it should be
> denied when users request it..

BIND 9.11 will have a minimal-any option.

https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
https://lists.isc.org/pipermail/bind-users/2016-July/097226.html

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Southeast Thames, Dover, Wight, Portland, Plymouth, North Biscay: Westerly or
southwesterly 5 or 6. Moderate. Occasional drizzle. Moderate or poor,
occasionally good.
RE: outgoing-traffic
Ejaz wrote:
>
> Such as, if someone is sending an ANY request, by default it should be
> denied when users request it..

BIND 9.11 will have a minimal-any option.

https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
https://lists.isc.org/pipermail/bind-users/2016-July/097226.html

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Southeast Thames, Dover, Wight, Portland, Plymouth, North Biscay: Westerly or
southwesterly 5 or 6. Moderate. Occasional drizzle. Moderate or poor,
occasionally good.
RE: outgoing-traffic
Really, I appreciate you sparing such a long time to trace out the problem
and sending such a detailed email.

Is there any other security measure at the DNS level to control such attacks,
instead of blocking the IP either from my Linux machine or from my network
side? Such as, if someone is sending an ANY request, by default it should be
denied when users request it..

Ejaz

-----Original Message-----
From: S Carr [mailto:sjc...@gmail.com]
Sent: Wednesday, July 27, 2016 4:19 PM
To: Ejaz <me...@cyberia.net.sa>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 13:33, Ejaz <me...@cyberia.net.sa> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY requests for
cpsc.gov

No responses I can see are going from port 0, they are coming in on 53 and
BIND is responding on a random high port

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS for
reverse lookups and .99 shows that it is supposedly the system
mail.electro.com.sa (though the forward lookup does not map to the same as
the reverse).

It also looks like you are providing a recursive DNS service for these IP
addresses, in frame 118047 you respond to the client with an NXDOMAIN
response as the query they asked has a random "\r" on it. Are you meant to
be providing recursive DNS for these clients?

The random "\r" looks to me like something has been scripted (albeit poorly)
to run against your systems. As this is probably one of your customers have
you tried contacting them to find out why their systems are sending all of
these requests? It could be simple misconfiguration or they could have been
affected by some malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide another
layer of filtering and block the requests locally, or ask your network team
to block those IPs, then wait for the customer to shout.
Re: outgoing-traffic
On 27 July 2016 at 13:33, Ejaz wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY requests for
cpsc.gov

No responses I can see are going from port 0, they are coming in on 53 and
BIND is responding on a random high port

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS for
reverse lookups and .99 shows that it is supposedly the system
mail.electro.com.sa (though the forward lookup does not map to the same as
the reverse).

It also looks like you are providing a recursive DNS service for these IP
addresses, in frame 118047 you respond to the client with an NXDOMAIN
response as the query they asked has a random "\r" on it. Are you meant to
be providing recursive DNS for these clients?

The random "\r" looks to me like something has been scripted (albeit poorly)
to run against your systems. As this is probably one of your customers have
you tried contacting them to find out why their systems are sending all of
these requests? It could be simple misconfiguration or they could have been
affected by some malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide another
layer of filtering and block the requests locally, or ask your network team
to block those IPs, then wait for the customer to shout.
RE: outgoing-traffic
Did not find any attachment.

Ejaz <me...@cyberia.net.sa> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.
>
>
> Ejaz
> -----Original Message-----
> From: akha...@ies.etisalat.ae [mailto:akha...@ies.etisalat.ae]
> Sent: Wednesday, July 27, 2016 3:04 PM
> To: Ejaz <me...@cyberia.net.sa>; 'S Carr' <sjc...@gmail.com>
> Cc: bind-users@lists.isc.org
> Subject: RE: outgoing-traffic
>
> You can use tcpdump on your DNS server to take the trace.
>
> Command would be like below.
>
> tcpdump -i any port 53 -w trace.pcap
>
> You can share trace.pcap with us.
>
> Regards
> Abdul Khader
>
> Ejaz <me...@cyberia.net.sa> wrote:
>
>>
>> Thank you.
>>
>> The traffic will go to the router, which is handled by the Network dept. The fear
>> is that the router may crash if we start enabling the packet capture since it
>> is layer 7.
>>
>> Is it advisable to deny outbound UDP port 0 from the DNS servers, after
>> enabling the firewall?
>>
>>
>> Ejaz
>>
>> -----Original Message-----
>> From: S Carr [mailto:sjc...@gmail.com]
>> Sent: Wednesday, July 27, 2016 10:51 AM
>> To: Ejaz <me...@cyberia.net.sa>
>> Cc: bind-users <bind-users@lists.isc.org>
>> Subject: Re: outgoing-traffic
>>
>> On 27 July 2016 at 08:41, Ejaz <me...@cyberia.net.sa> wrote:
>>> Thanks for all.
>>>
>>> But the strange thing is that if the request comes in on port 53 then it
>>> should go out only from 53, is it? Why does it go out from 0? Any clue would be
>>> highly appreciated.
>>>
>>> Regards
>>> Ejaz
>>
>> Where's the packet capture to review?
>>
RE: outgoing-traffic
You can use tcpdump on your DNS server to take the trace.

Command would be like below.

tcpdump -i any port 53 -w trace.pcap

You can share trace.pcap with us.

Regards
Abdul Khader

Ejaz <me...@cyberia.net.sa> wrote:
>
> Thank you.
>
> The traffic will go to the router, which is handled by the Network dept. The fear
> is that the router may crash if we start enabling the packet capture since it
> is layer 7.
>
> Is it advisable to deny outbound UDP port 0 from the DNS servers, after
> enabling the firewall?
>
>
> Ejaz
>
> -----Original Message-----
> From: S Carr [mailto:sjc...@gmail.com]
> Sent: Wednesday, July 27, 2016 10:51 AM
> To: Ejaz <me...@cyberia.net.sa>
> Cc: bind-users <bind-users@lists.isc.org>
> Subject: Re: outgoing-traffic
>
> On 27 July 2016 at 08:41, Ejaz <me...@cyberia.net.sa> wrote:
>> Thanks for all.
>>
>> But the strange thing is that if the request comes in on port 53 then it
>> should go out only from 53, is it? Why does it go out from 0? Any clue would be
>> highly appreciated.
>>
>> Regards
>> Ejaz
>
> Where's the packet capture to review?
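The capture that S Carr reviewed further up the thread showed three sources repeating ANY queries for one name, one of them with a stray "\r" in the query name, and the tcpdump command in this message is how such a trace gets collected. The block below is an added example, not code from the thread or from ISC: a standard-library-only Python parser for DNS query payloads with a per-source tally of ANY queries and of names carrying control characters. It works on (source IP, DNS payload) pairs; the sample packets at the bottom are constructed here from documentation addresses, not taken from the capture, and the function names (`summarize`, `parse_question`, `decode_name`) are chosen for this example.

```python
"""Added example, not code from the thread: a stdlib-only tally of DNS
queries by source that flags ANY (qtype 255) queries and names carrying
control characters, the two things the capture discussed above showed.
Input is (source_ip, dns_payload) pairs; the samples at the bottom are
constructed here with documentation addresses, not taken from the capture.
"""
import struct
from collections import Counter

QTYPE_ANY = 255


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name, uncompressed (used to build the samples)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("latin-1")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a standard query (RD set, one question) for the constructed samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels = []
    end = None          # offset just past the name at its *original* position
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer, RFC 1035 4.1.4
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                         # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("latin-1"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_question(msg: bytes) -> dict:
    """Return txid, flags, qname, qtype and qclass of the first question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "flags": flags, "qname": qname,
            "qtype": qtype, "qclass": qclass}


def has_control_chars(name: str) -> bool:
    """True if the name carries bytes a sane resolver never sends (e.g. a stray '\\r')."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in name)


def summarize(packets):
    """Per source IP: total queries, ANY queries, and queries whose qname
    contains control characters. packets is an iterable of (src_ip, payload)."""
    total, any_q, bad_name = Counter(), Counter(), Counter()
    for src, payload in packets:
        q = parse_question(payload)
        total[src] += 1
        if q["qtype"] == QTYPE_ANY:
            any_q[src] += 1
        if has_control_chars(q["qname"]):
            bad_name[src] += 1
    return {"total": total, "any": any_q, "bad_name": bad_name}


# Constructed sample: three sources repeating ANY for one name, one of them
# also sending a name with a trailing carriage return, plus one ordinary client.
SAMPLE = [
    ("192.0.2.99", build_query("example.gov", QTYPE_ANY)),
    ("192.0.2.99", build_query("example.gov", QTYPE_ANY)),
    ("192.0.2.100", build_query("example.gov", QTYPE_ANY)),
    ("192.0.2.101", build_query("example.gov", QTYPE_ANY)),
    ("192.0.2.99", build_query("example.gov\r", 1)),
    ("198.51.100.7", build_query("www.example.net", 1)),
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for src in sorted(s["total"]):
        print(f"{src:14} total={s['total'][src]} any={s['any'][src]} "
              f"bad_name={s['bad_name'][src]}")
```

To run it over a real trace, extract the UDP payloads from the pcap (for example with tshark or a pcap library) and feed them in as (src, payload) tuples; the hop limit in `decode_name` means a crafted name with looping compression pointers cannot hang the tally.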
RE: outgoing-traffic
Thank you.

The traffic will go to the router, which is handled by the Network dept. The fear
is that the router may crash if we start enabling the packet capture since it
is layer 7.

Is it advisable to deny outbound UDP port 0 from the DNS servers, after
enabling the firewall?

Ejaz

-----Original Message-----
From: S Carr [mailto:sjc...@gmail.com]
Sent: Wednesday, July 27, 2016 10:51 AM
To: Ejaz <me...@cyberia.net.sa>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 08:41, Ejaz <me...@cyberia.net.sa> wrote:
> Thanks for all.
>
> But the strange thing is that if the request comes in on port 53 then it
> should go out only from 53, is it? Why does it go out from 0? Any clue would be
> highly appreciated.
>
> Regards
> Ejaz

Where's the packet capture to review?
Re: outgoing-traffic
On 27 July 2016 at 08:41, Ejaz wrote:
> Thanks for all.
>
> But the strange thing is that if the request comes in on port 53 then it should
> go out only from 53, is it? Why does it go out from 0? Any clue would be highly
> appreciated.
>
> Regards
> Ejaz

Where's the packet capture to review?
RE: outgoing-traffic
Thanks for all.

But the strange thing is that if the request comes in on port 53 then it should
go out only from 53, is it? Why does it go out from 0? Any clue would be highly
appreciated.

Regards
Ejaz

-----Original Message-----
From: Tony Finch [mailto:d...@dotat.at]
Sent: Tuesday, July 26, 2016 4:12 PM
To: S Carr <sjc...@gmail.com>
Cc: Ejaz <me...@cyberia.net.sa>; bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

S Carr <sjc...@gmail.com> wrote:
>
> You might want to check whether the requests are legitimate before
> completely blocking them, rate limiting would be a better option.

Remember this is TCP traffic.

RRL is designed to deal with spoofed UDP traffic. It can actually make
non-spoofed floods worse, because RRL pushes UDP traffic to TCP, and TCP
is very easy to saturate.

You might find it helps to avoid truncated responses, e.g. by turning on
the minimal-responses option. (See also minimal-any in BIND 9.11)

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Southeast Iceland: Northerly or northwesterly 5 to 7, occasionally gale 8
until later in north. Moderate or rough. Occasional rain, fog patches.
Moderate or good, occasionally very poor.
Re: outgoing-traffic
In message, Tony Finch writes:
> S Carr wrote:
> >
> > You might want to check whether the requests are legitimate before
> > completely blocking them, rate limiting would be a better option.
>
> Remember this is TCP traffic.
>
> RRL is designed to deal with spoofed UDP traffic. It can actually make
> non-spoofed floods worse, because RRL pushes UDP traffic to TCP, and TCP
> is very easy to saturate.
>
> You might find it helps to avoid truncated responses, e.g. by turning on
> the minimal-responses option. (See also minimal-any in BIND 9.11)

We need to go back to basics. What question is being asked and is there a
sensible response being returned? Recursive servers don't keep asking
questions over and over for no reason and this sounds like that is happening.

> Tony.
> --
> f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
> Southeast Iceland: Northerly or northwesterly 5 to 7, occasionally gale 8
> until later in north. Moderate or rough. Occasional rain, fog patches.
> Moderate or good, occasionally very poor.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: outgoing-traffic
S Carr wrote:
>
> You might want to check whether the requests are legitimate before
> completely blocking them, rate limiting would be a better option.

Remember this is TCP traffic.

RRL is designed to deal with spoofed UDP traffic. It can actually make
non-spoofed floods worse, because RRL pushes UDP traffic to TCP, and TCP
is very easy to saturate.

You might find it helps to avoid truncated responses, e.g. by turning on
the minimal-responses option. (See also minimal-any in BIND 9.11)

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Southeast Iceland: Northerly or northwesterly 5 to 7, occasionally gale 8
until later in north. Moderate or rough. Occasional rain, fog patches.
Moderate or good, occasionally very poor.
Re: outgoing-traffic
Hi there,

On Tue, 26 Jul 2016, Ejaz wrote:

> There is huge traffic coming out from my DNS server since yesterday and
> flooding the IP 212.107.121.110 ...

Are you able to let us see your bind configuration?

This might be IP spoofing, an attempted DOS attack on the IP. Is there any
reason why that IP should be allowed to query your nameserver? If not, then
you should change your configuration so that only those clients who are
expected to query the server are allowed to do so. The 'acl', 'allow-query'
and 'allow-recursion' directives for the BIND configuration file enable you
to do this.

What operating system are you running on your server? If all else fails, in
most cases it will be trivial to implement a local firewall rule or two - at
least as a temporary measure until the, er, root of the problem is
discovered and solved. Consider the TARPIT target. :)

--
73,
Ged.
RE: outgoing-traffic
Thanks for all the comments.

One more thing: I can control it through rate limiting or block it whole, but
if the same thing happens to another network, will it be a problem?

See the packet capture from the network device: the outgoing traffic is
passing from port 0 instead of 53. Why is that, any clue? I mean the bind
application should not use any other port instead of 53?

Gi0/2 212.119.64.2   Gi0/1 212.118.122.99   11 362K
Gi0/2 212.119.64.3   Gi0/1 212.118.122.99   11 66K
Gi0/2 212.119.64.2   Gi0/1 212.118.122.100  11 375K
Gi0/2 212.119.64.3   Gi0/1 212.118.122.100  11 68K
Gi0/2 212.119.64.2   Gi0/1 212.118.122.101  11 362K
Gi0/2 212.119.64.3   Gi0/1 212.118.122.101  11 66K

Thanks in advance for your support.

Ejaz

-----Original Message-----
From: Tony Finch [mailto:d...@dotat.at]
Sent: Tuesday, July 26, 2016 11:54 AM
To: Ejaz <me...@cyberia.net.sa>
Cc: 'Abdul Khader' <akha...@ies.etisalat.ae>; bind-users@lists.isc.org
Subject: RE: outgoing-traffic

Ejaz <me...@cyberia.net.sa> wrote:
>
> I am not using the iptables firewall on my Red Hat Linux box; all
> traffic is managed by the network team..

Well then, you should co-operate with them to fix the problem.

You might find that it helps to put the following in the options{} section
of named.conf, but I'm not sure if it will be effective against a TCP flood
attack.

blackhole { 212.107.121.110; };

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Forties, Cromarty, Forth, Tyne, Dogger: West or southwest 4 or 5. Slight,
occasionally moderate at first. Rain or showers. Good, occasionally moderate.
Re: outgoing-traffic
On 26 July 2016 at 09:53, Tony Finch wrote:
> Ejaz wrote:
>>
>> I am not using the iptables firewall on my Red Hat Linux box; all traffic
>> is managed by the network team..

You might want to check whether the requests are legitimate before
completely blocking them, rate limiting would be a better option.

$ dig +noall +answer -x 212.107.121.110
110.121.107.212.in-addr.arpa. 3531 IN PTR mail1.alireza.com.sa.

That IP address looks like it belongs to a mail server, and the
alireza.com.sa zone is authoritative on your company's name servers, so it
could be they have simply misconfigured their mailserver.

$ dig +noall +answer alireza.com.sa NS
alireza.com.sa. 3468 IN NS ns2.cyberia.net.sa.
alireza.com.sa. 3468 IN NS ns1.cyberia.net.sa.

Steve
RE: outgoing-traffic
Ejaz wrote:
>
> I am not using the iptables firewall on my Red Hat Linux box; all traffic
> is managed by the network team..

Well then, you should co-operate with them to fix the problem.

You might find that it helps to put the following in the options{} section
of named.conf, but I'm not sure if it will be effective against a TCP flood
attack.

blackhole { 212.107.121.110; };

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Forties, Cromarty, Forth, Tyne, Dogger: West or southwest 4 or 5. Slight,
occasionally moderate at first. Rain or showers. Good, occasionally moderate.
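The named.conf knobs raised across this thread (Ged's acl / allow-query / allow-recursion, Tony's blackhole and minimal-responses, and RRL with the caveat that it is aimed at spoofed UDP rather than a TCP flood) fit into one options block. What follows is an added example, not any poster's actual configuration: the prefixes in the `customers` acl and the blackholed address are placeholders from documentation ranges, and the rate-limit numbers are illustrative starting points rather than recommendations for this server.

```conf
// Added example, not any poster's configuration. The prefixes in "customers"
// and the blackholed address are placeholders (documentation ranges).
acl customers {
    192.0.2.0/24;        // assumed customer range
    198.51.100.0/24;     // assumed customer range
    localhost;
};

options {
    // Authoritative zones stay answerable by anyone ...
    allow-query { any; };
    // ... but recursion is only for clients you actually serve.
    allow-recursion { customers; };

    // Silently drop everything from a source you have decided is abusive;
    // BIND sends no answer at all, so it adds no outbound traffic.
    blackhole { 203.0.113.10; };

    // Smaller responses: fewer truncated UDP replies, so fewer retries over TCP.
    minimal-responses yes;

    // Response rate limiting (needs a build with RRL support: a compile-time
    // option in the 9.9 branch, on by default from 9.10). Designed for spoofed
    // UDP floods: an over-limit client gets either nothing or a truncated reply
    // ("slip"), which steers a real client onto TCP. Start in log-only mode and
    // review the logs before enforcing.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        log-only yes;
    };

    // BIND 9.11 and later only: answer ANY with a single RRset.
    // minimal-any yes;
};
```

Check the result with `named-checkconf` before reloading, and watch the `rate-limit` log category for a while with `log-only yes` before removing that line: if the offending clients are real (non-spoofed) and already on TCP, as in this thread, RRL will not cut their traffic and the blackhole or a firewall rule is the effective control.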
RE: outgoing-traffic
Ok that's fine. But what is the reason why it is sending such huge traffic
towards particular IPs?

Ejaz

-----Original Message-----
From: Reindl Harald [mailto:h.rei...@thelounge.net]
Sent: Tuesday, July 26, 2016 11:36 AM
To: Ejaz <me...@cyberia.net.sa>; 'Abdul Khader' <akha...@ies.etisalat.ae>; bind-users@lists.isc.org
Subject: Re: outgoing-traffic

On 26.07.2016 at 10:30, Ejaz wrote:
> I am not using the iptables firewall on my Red Hat Linux box; all
> traffic is managed by the network team..

what you currently do doesn't matter - you have a problem and got a
solution (which should be used on any host, besides response-rate-limiting,
independent of whether there is a firewall in front - defense in depth)

> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
> Of Abdul Khader
> Sent: Tuesday, July 26, 2016 11:21 AM
> To: bind-users@lists.isc.org
> Subject: Re: outgoing-traffic
>
> You can use iptables to rate-limit the IP.
>
>
> On 7/26/2016 12:11 PM, Ejaz wrote:
>
>     All.
>
>     There is huge traffic coming out from my DNS server since yesterday
>     and flooding the IP 212.107.121.110, though I have increased the
>     limitation of tcp-clients in named.conf but still the issue. Any
>     help would be highly appreciated.
RE: outgoing-traffic
I am not using the iptables firewall on my Red Hat Linux box; all traffic is
managed by the network team..

Ejaz

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Abdul Khader
Sent: Tuesday, July 26, 2016 11:21 AM
To: bind-users@lists.isc.org
Subject: Re: outgoing-traffic

You can use iptables to rate-limit the IP.

On 7/26/2016 12:11 PM, Ejaz wrote:

All.

There is huge traffic coming out from my DNS server since yesterday and
flooding the IP 212.107.121.110, though I have increased the limitation of
tcp-clients in named.conf but still the issue. Any help would be highly
appreciated.

My bind version is

[root@ns10 ~]# named -v
BIND 9.9.2-P1

When checking there are several entries as below.

Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4571: no more TCP clients: quota reached
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4572: no more TCP clients: quota reached
Jul 26 10:53:19 ns10 named[3004]: client 212.107.121.110#4597: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4633: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4635: no more TCP clients: quota reached
Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached

Thanks,

Mohammed Ejaz
Asst. Operation Director of Systems.
Cyberia SAUDI ARABIA
P.O.Box: 301079, Riyadh 11372
Phone: (+966) 11 464 7114 Ext. 140
Mobile: (+966) 562311787
Fax: (+966) 11 465 4735
Website: http://www.cyberia.net.sa
Re: outgoing-traffic
You can use iptables to rate-limit the IP.

On 7/26/2016 12:11 PM, Ejaz wrote:
> All.
>
> There is huge traffic coming out from my DNS server since yesterday and
> flooding the IP 212.107.121.110, though I have increased the limitation of
> tcp-clients in named.conf but still the issue. Any help would be highly
> appreciated.
>
> My bind version is
>
> [root@ns10 ~]# named -v
> BIND 9.9.2-P1
>
> When checking there are several entries as below.
>
> Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
> Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4571: no more TCP clients: quota reached
> Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4572: no more TCP clients: quota reached
> Jul 26 10:53:19 ns10 named[3004]: client 212.107.121.110#4597: no more TCP clients: quota reached
> Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4633: no more TCP clients: quota reached
> Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4635: no more TCP clients: quota reached
> Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
>
> Thanks,
>
> Mohammed Ejaz
> Asst. Operation Director of Systems.
> Cyberia SAUDI ARABIA
> P.O.Box: 301079, Riyadh 11372
> Phone: (+966) 11 464 7114 Ext. 140
> Mobile: (+966) 562311787
> Fax: (+966) 11 465 4735
> Website: http://www.cyberia.net.sa