Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
In article mailman.245.1280910538.15649.bind-us...@lists.isc.org, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> On 03.08.10 18:01, Denis BUCHER wrote:
>> I have a question, it's not really a big problem, but it's annoying. In the logs I get plenty of lines like:
>>
>> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
>> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
>> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>>
>> This seems to be due to a script-kiddie.
>
> I don't think so. It may be someone who used your server when connected to your network and didn't change the resolver list afterwards, someone who mistyped an IP address, or someone who guessed that your server might provide recursive DNS for him (for whatever reason).

Did you notice that the requests are in alphabetical order? That's a strong indication that this is some kind of scan going on.
-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
Yes, I have a wonderful script doing that for SSH but not for iptables. For BIND, I must say that this problem appears 2-3 times a month, so I can manage it manually for the moment...

Denis

On 04.08.2010 14:36, Sten Carlsen wrote:
> You may want to consider how to trigger removal of this blocking when the problem has gone away and the address is again used responsibly. Maybe add a log statement with a limitation of one per day and check that this is no longer seen for some time? IPTABLES can do the logging.
>
> On 04/08/10 11:00, Denis BUCHER wrote:
>> On 03.08.2010 21:25, Kevin Darcy wrote:
>>>>>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>>>> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow
>>>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does not look to be working. This was perfect:
>>>>
>>>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>>>
>>> I'm no iptables expert, but doesn't that only apply to TCP packets?
>>
>> Dear Kevin,
>>
>> Yes sorry, in fact I also should add a rule for UDP:
>>
>> iptables -I INPUT 3 -p udp -s 202.152.172.4 --dport 53 -j DROP
>>
>> Or (all ports):
>>
>> iptables -I INPUT 3 -s 202.152.172.4 -j DROP
>>
>> Denis
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
On 03.08.10 18:01, Denis BUCHER wrote:
> I have a question, it's not really a big problem, but it's annoying. In the logs I get plenty of lines like:
>
> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>
> This seems to be due to a script-kiddie.

I don't think so. It may be someone who used your server when connected to your network and didn't change the resolver list afterwards, someone who mistyped an IP address, or someone who guessed that your server might provide recursive DNS for him (for whatever reason).

> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?

hosts.allow is the configuration of the tcp wrappers library, which is NOT used by bind or by some other software.

For abusers sending too many requests I have created a special view containing only the root zone with * pointing to the localhost address. While this is quite BOFHish, it works.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
[Slovak] Warning: I do not want to receive any advertising mail at this address.
They say when you play that M$ CD backward you can hear satanic messages. That's nothing. If you play it forward it will install Windows.
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
On 03.08.2010 21:25, Kevin Darcy wrote:
>>>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow
>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does not look to be working. This was perfect:
>>
>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>
> I'm no iptables expert, but doesn't that only apply to TCP packets?

Dear Kevin,

Yes sorry, in fact I also should add a rule for UDP:

iptables -I INPUT 3 -p udp -s 202.152.172.4 --dport 53 -j DROP

Or (all ports):

iptables -I INPUT 3 -s 202.152.172.4 -j DROP

Thanks a lot !

Denis
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
You may want to consider how to trigger removal of this blocking when the problem has gone away and the address is again used responsibly. Maybe add a log statement with a limitation of one per day and check that this is no longer seen for some time? IPTABLES can do the logging.

On 04/08/10 11:00, Denis BUCHER wrote:
> On 03.08.2010 21:25, Kevin Darcy wrote:
>>>>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>>> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow
>>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does not look to be working. This was perfect:
>>>
>>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>>
>> I'm no iptables expert, but doesn't that only apply to TCP packets?
>
> Dear Kevin,
>
> Yes sorry, in fact I also should add a rule for UDP:
>
> iptables -I INPUT 3 -p udp -s 202.152.172.4 --dport 53 -j DROP
>
> Or (all ports):
>
> iptables -I INPUT 3 -s 202.152.172.4 -j DROP
>
> Thanks a lot !
>
> Denis

-- 
Best regards
Sten Carlsen
No improvements come from shouting: MALE BOVINE MANURE!!!
Script-kiddie / client IP query (cache) 'host/MX/IN' denied
Dear all,

I have a question, it's not really a big problem, but it's annoying. In the logs I get plenty of lines like:

client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)

This seems to be due to a script-kiddie.

I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?

Currently it is working for sshd on this server to add lines in /etc/hosts.allow, but I would like to know if it would be possible for bind:

sshd: 121.14.195.176: DENY

# uname -a
Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 i386 GNU/Linux
# cat /etc/redhat-release
Fedora release 9 (Sulphur)

Thanks a lot in advance for any help... And sorry if this is not 100% on topic, I know it's at the border between BIND and OS...

Denis
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
Denis BUCHER wrote:
> Dear all,
>
> I have a question, it's not really a big problem, but it's annoying. In the logs I get plenty of lines like:
>
> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>
> This seems to be due to a script-kiddie.
>
> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>
> Currently it is working for sshd on this server to add lines in /etc/hosts.allow, but I would like to know if it would be possible for bind:
>
> sshd: 121.14.195.176: DENY
>
> # uname -a
> Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 i386 GNU/Linux
> # cat /etc/redhat-release
> Fedora release 9 (Sulphur)
>
> Thanks a lot in advance for any help... And sorry if this is not 100% on topic, I know it's at the border between BIND and OS...
>
> Denis

Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow

Lyle Giese
LCR Computer Services, Inc.
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
On Tue, 03 Aug 2010 18:01:27 +0200, Denis BUCHER dbuche...@hsolutions.ch wrote:
> Dear all,
>
> I have a question, it's not really a big problem, but it's annoying. In the logs I get plenty of lines like:
>
> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>
> This seems to be due to a script-kiddie.
>
> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>
> Currently it is working for sshd on this server to add lines in /etc/hosts.allow, but I would like to know if it would be possible for bind:
>
> sshd: 121.14.195.176: DENY
>
> # uname -a
> Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 i386 GNU/Linux
> # cat /etc/redhat-release
> Fedora release 9 (Sulphur)
>
> Thanks a lot in advance for any help...
>
> And sorry if this is not 100% on topic, I know it's at the border between BIND and OS...

On topic question. Don't worry.

You could always use the blackhole directive in the BIND configuration to avoid responding to this address. This will prevent your server from responding to queries from this address. See the BIND ARM for more info about how to use this. The problem is that this solution would prevent a DNS server at this address from querying your server for legitimate purposes. (Quickly, this address doesn't appear to be running a DNS server at the moment.)

Then again, if you are running a firewall on your server (or in front of it), you could always block traffic from this address as an alternative too. This way your DNS server would never even see these queries to have to block.

But as a more complete solution, is this an authoritative server for some zone(s) that you are responsible for, or is this a recursive server for your customers? If it is an authoritative server, then you should have it configured to not answer recursive queries for everyone in the world. If it is a recursive server, then you should be limiting who can query it and not respond to non-authorized queries. You can use BIND views to limit who is getting what from your server.

Your logs indicate this query was denied, so you may already have your server configured to not answer these queries from this address, so the last paragraph may not apply. But, it is worth looking at your configuration just to confirm your server is reasonably configured.

Bill Larson
Script-kiddie : client IP query (cache) 'host/MX/IN' denied
Dear all,

I have a question, it's not really a big problem, but it's annoying. In the logs I get plenty of lines like:

client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)

This seems to be due to a script-kiddie.

I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?

Currently it is working for sshd on this server to add lines in /etc/hosts.allow, but I would like to know if it would be possible for bind:

sshd: 121.14.195.176: DENY

# uname -a
Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 i386 GNU/Linux
# cat /etc/redhat-release
Fedora release 9 (Sulphur)

Thanks a lot in advance for any help... And sorry if this is not 100% on topic, I know it's at the border between BIND and OS...

Denis
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
Dear Lyle,

On 03.08.2010 18:17, Lyle Giese wrote:
>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>
> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow

Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does not look to be working. This was perfect:

iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP

Thanks a lot for your help

Denis
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
On 03.08.2010 18:28, wllarso wrote:
>> This seems to be due to a script-kiddie.
>>
>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>
>> And sorry if this is not 100% on topic, I know it's at the border between BIND and OS...
>
> On topic question. Don't worry.
>
> You could always use the blackhole directive in the BIND configuration to avoid responding to this address.

Do you think it is better or equal to the firewall solution ?

> This will prevent your server from responding to queries from this address. See the BIND ARM for more info about how to use this. The problem is that this solution would prevent a DNS server at this address from querying your server for legitimate purposes. (Quickly, this address doesn't appear to be running a DNS server at the moment.)

Yes ;-)

> Then again, if you are running a firewall on your server (or in front of it), you could always block traffic from this address as an alternative too. This way your DNS server would never even see these queries to have to block.

Yes, that's what I did for the moment...

> But as a more complete solution, is this an authoritative server for some zone(s) that you are responsible for, or is this a recursive server for your customers?

It is an authoritative server for some domains, yes...

> If it is an authoritative server, then you should have it configured to not answer recursive queries for everyone in the world.

Yes that would be interesting, does it mean that only authoritative zones would be allowed in queries ? In fact it seems it does not answer any query, as in the logs it says denied. Am I right on this point or not ?

> If it is a recursive server, then you should be limiting who can query it and not respond to non-authorized queries. You can use BIND views to limit who is getting what from your server.
>
> Your logs indicate this query was denied, so you may already have your server configured to not answer these queries from this address, so the last paragraph may not apply.

Ok

> But, it is worth looking at your configuration just to confirm your server is reasonably configured.

Ok I will check for that...

Thanks a lot for your advice, it makes things a little clearer for me now :-)

Denis
RE: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>
> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow

BIND has a blackhole option that will essentially perform the same function... BIND will not even respond to IPs that are listed in the blackhole statement in named.conf. Check the BIND ARM for details on blackhole.

Thanks...

Justin Dixon
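An added example, not code from anyone in the thread, showing the named.conf options that Bill Larson's and Justin Dixon's replies point to. It renders an authoritative-only options block for BIND 9: "recursion no" plus "allow-query-cache { none; }" means a client that asks for a name outside your own zones gets REFUSED and named writes exactly the "query (cache) '...' denied" line from the original post, while queries for your zones are still answered; "blackhole" goes one step further for the listed addresses and sends nothing at all. The script writes the fragment and runs named-checkconf over it when that tool is installed. The ACL name "abusers" and the file path in the usage comment are assumptions. Two caveats worth keeping in mind: a blackholed address is also never used by named to resolve anything, so a secondary or forwarder must never end up in that list, and, as Joe Lightner notes, an iptables DROP discards the packet in the kernel, whereas blackhole still costs named the work of receiving and matching it.

```shell
#!/bin/sh
# Added example, not from the thread: named.conf fragment for an authoritative-
# only BIND 9 server, generated from a list of addresses to blackhole, then
# syntax-checked with named-checkconf when it is installed.
# Assumptions: the ACL name "abusers" and the path you choose for the file.

# render_named_options IP [IP ...]  -> prints the acl and options blocks
render_named_options() {
    printf 'acl abusers {\n'
    for ip in "$@"; do
        printf '    %s;\n' "$ip"
    done
    printf '};\n\n'
    cat <<'EOF'
options {
    // Authoritative-only: serve our zones to everyone, resolve for nobody.
    recursion no;
    allow-query { any; };
    // Names outside our zones are refused; named logs them as
    // "query (cache) '...' denied", the line seen in the original post.
    allow-query-cache { none; };
    // Addresses in the ACL get no reply at all (not even REFUSED), and named
    // never uses them to resolve anything either, so do not list
    // secondaries or forwarders here.
    blackhole { abusers; };
};
EOF
}

# write_and_check FILE IP [IP ...]  -> writes the fragment to FILE and returns
# named-checkconf's verdict; when the tool is missing it says so and returns 0.
write_and_check() {
    file=$1
    shift
    render_named_options "$@" > "$file"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$file"
    else
        echo "named-checkconf not installed; wrote $file unchecked" >&2
    fi
}

# Usage:  write_and_check /etc/named.d/abusers.conf 202.152.172.4
# then include that file from named.conf and run: rndc reconfig
```

Whether this applies to Denis's box depends on what his named.conf already says; the "denied" in his log suggests recursion is already off for outsiders, which is why Bill's last paragraph hedges. The blackhole list is the part that changes his behaviour: silence instead of a REFUSED response for the listed client.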
RE: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
Blackhole isn't better IMHO because I found in the past that they still try your server ad nauseam even though they're blocked - blocking at iptables is doing it at kernel level before BIND. However it does work and is certainly one way to do it especially on systems that don't have their own firewall.

Also blackhole only affects DNS traffic - iptables will let you drop all packets from the source site if you want.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Denis BUCHER
Sent: Tuesday, August 03, 2010 3:10 PM
To: wllarso
Cc: bind-us...@isc.org
Subject: Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied

> On 03.08.2010 18:28, wllarso wrote:
>>> This seems to be due to a script-kiddie.
>>>
>>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>>
>>> And sorry if this is not 100% on topic, I know it's at the border between BIND and OS...
>>
>> On topic question. Don't worry.
>>
>> You could always use the blackhole directive in the BIND configuration to avoid responding to this address.
>
> Do you think it is better or equal to the firewall solution ?
>
>> This will prevent your server from responding to queries from this address. See the BIND ARM for more info about how to use this. The problem is that this solution would prevent a DNS server at this address from querying your server for legitimate purposes. (Quickly, this address doesn't appear to be running a DNS server at the moment.)
>
> Yes ;-)
>
>> Then again, if you are running a firewall on your server (or in front of it), you could always block traffic from this address as an alternative too. This way your DNS server would never even see these queries to have to block.
>
> Yes, that's what I did for the moment...
>
>> But as a more complete solution, is this an authoritative server for some zone(s) that you are responsible for, or is this a recursive server for your customers?
>
> It is an authoritative server for some domains, yes...
>
>> If it is an authoritative server, then you should have it configured to not answer recursive queries for everyone in the world.
>
> Yes that would be interesting, does it mean that only authoritative zones would be allowed in queries ? In fact it seems it does not answer any query, as in the logs it says denied. Am I right on this point or not ?
>
>> If it is a recursive server, then you should be limiting who can query it and not respond to non-authorized queries. You can use BIND views to limit who is getting what from your server.
>>
>> Your logs indicate this query was denied, so you may already have your server configured to not answer these queries from this address, so the last paragraph may not apply.
>
> Ok
>
>> But, it is worth looking at your configuration just to confirm your server is reasonably configured.
>
> Ok I will check for that...
>
> Thanks a lot for your advice, it makes things a little clearer for me now :-)
>
> Denis

Proud partner. Susan G. Komen for the Cure.

Please consider our environment before printing this e-mail or attachments.
--
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
--
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
On 8/3/2010 3:03 PM, Denis BUCHER wrote:
> Dear Lyle,
>
> On 03.08.2010 18:17, Lyle Giese wrote:
>>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>
>> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow
>
> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does not look to be working. This was perfect:
>
> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP

I'm no iptables expert, but doesn't that only apply to TCP packets?

- Kevin
RE: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
Yes - I had already written him off list in reply to an email he sent me and pointed it out. It also only blocks port 53 so if he had other ports open the script kiddie would still be able to see those other ports.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Kevin Darcy
Sent: Tuesday, August 03, 2010 3:26 PM
To: bind-users@lists.isc.org
Subject: Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied

> On 8/3/2010 3:03 PM, Denis BUCHER wrote:
>> Dear Lyle,
>>
>> On 03.08.2010 18:17, Lyle Giese wrote:
>>>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>>
>>> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow
>>
>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does not look to be working. This was perfect:
>>
>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>
> I'm no iptables expert, but doesn't that only apply to TCP packets?
>
> - Kevin
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
Kevin Darcy wrote:
> On 8/3/2010 3:03 PM, Denis BUCHER wrote:
>> Dear Lyle,
>>
>> On 03.08.2010 18:17, Lyle Giese wrote:
>>>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>>
>>> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow
>>
>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does not look to be working. This was perfect:
>>
>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>
> I'm no iptables expert, but doesn't that only apply to TCP packets?
>
> - Kevin

Good catch, Kevin! You are right, he should add two rules, one for tcp and one for udp.

Lyle Giese
LCR Computer Services, Inc.
RE: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
2 rules aren't needed if you don't specify protocol and port in the first one. It simply drops ALL traffic from that IP.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Lyle Giese
Sent: Tuesday, August 03, 2010 4:18 PM
To: bind-users@lists.isc.org
Subject: Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied

> Kevin Darcy wrote:
>> On 8/3/2010 3:03 PM, Denis BUCHER wrote:
>>> Dear Lyle,
>>>
>>> On 03.08.2010 18:17, Lyle Giese wrote:
>>>>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>>>
>>>> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow
>>>
>>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does not look to be working. This was perfect:
>>>
>>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>>
>> I'm no iptables expert, but doesn't that only apply to TCP packets?
>>
>> - Kevin
>
> Good catch, Kevin! You are right, he should add two rules, one for tcp and one for udp.
>
> Lyle Giese
> LCR Computer Services, Inc.
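An added example, not code posted by anyone in the thread: a small shell toolkit that does for iptables what Denis's script does for SSH, and that folds in the three points raised above. denied_queries pulls (client, qname) pairs out of BIND's "query (cache) '...' denied" lines, accepting both the bare lines quoted in the thread and the raw named log form with a timestamp prefix and the "client @0x... IP#PORT (name):" header later BIND 9 versions write; denied_clients ranks clients by how often they were denied; in_alphabetical_order tests Barry's scan indicator for one client; block_rules and unblock_rules emit the iptables commands for both udp and tcp port 53 (Kevin's and Lyle's point) with a comment tag so exactly those rules can be deleted again; and watch_rule adds the once-a-day LOG rule Sten suggested, so you can see whether the address has gone quiet before unblocking it. The sample log lines are constructed. The INPUT chain, the comment tag and the 1/day limit are assumptions. Nothing is applied: every function prints commands, which you review and then pipe into sh.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses BIND "query (cache) ... denied"
# lines, ranks the clients, tests the alphabetical-scan indicator, and prints
# iptables commands (udp AND tcp/53) that can be removed again by tag.
# Assumptions: INPUT chain, the comment tag, 1/day log limit. Nothing is executed.

TAG=${TAG:-bind-denied}

# Constructed sample: bare lines as quoted in the thread, plus raw named log lines
# (timestamp, category, "client @0x... IP#PORT (qname):" prefix of newer BIND 9).
sample_log() {
    cat <<'EOF'
client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied
client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied
client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied
client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied
client 203.0.113.9 query (cache) 'zzz.example/A/IN' denied
client 203.0.113.9 query (cache) 'aaa.example/A/IN' denied
client 203.0.113.9 query (cache) 'mmm.example/A/IN' denied
03-Aug-2010 17:59:12.001 security: info: client @0x7f2a1c0 192.0.2.1#53120 (example.org): query (cache) 'example.org/A/IN' denied
03-Aug-2010 17:59:12.002 security: info: client 198.51.100.7#1053: query (cache) 'example.net/A/IN' denied
EOF
}

# denied_queries  (log on stdin) -> one "CLIENT_IP QNAME" line per denied cache query
denied_queries() {
    awk -v q="'" '
        /query \(cache\) .*denied/ {
            for (i = 1; i <= NF; i++) if ($i == "client") break
            if (i >= NF) next
            ip = $(i + 1)
            if (ip ~ /^@/) ip = $(i + 2)          # skip the @0x... client pointer
            sub(/#.*/, "", ip); sub(/:$/, "", ip)  # drop #PORT and trailing colon
            for (j = i; j <= NF; j++) if (substr($j, 1, 1) == q) break
            if (j > NF) next
            name = $j
            gsub(q, "", name)                      # strip the quotes
            sub(/\/[^\/]*\/IN$/, "", name)         # strip /TYPE/CLASS
            print ip, name
        }'
}

# denied_clients MIN  (log on stdin) -> "COUNT IP" for clients with >= MIN denials, busiest first
denied_clients() {
    denied_queries | awk -v min="$1" '
        { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# in_alphabetical_order IP  (log on stdin) -> true when IP sent at least three names
# and they arrived in sorted order: a scripted walk, not a misconfigured resolver
in_alphabetical_order() {
    names=$(denied_queries | awk -v want="$1" '$1 == want { print $2 }')
    count=$(printf '%s\n' "$names" | awk 'NF { c++ } END { print c + 0 }')
    [ "$count" -ge 3 ] && [ "$names" = "$(printf '%s\n' "$names" | LC_ALL=C sort)" ]
}

# Shared match so that -I and -D refer to exactly the same rule.
rule_spec() {   # rule_spec PROTO IP
    printf 'INPUT -p %s -s %s --dport 53 -m comment --comment %s -j DROP' "$1" "$2" "$TAG"
}

block_rules() {    # block_rules IP -> drop DNS from IP over udp and tcp
    for proto in udp tcp; do printf 'iptables -I %s\n' "$(rule_spec "$proto" "$1")"; done
}

unblock_rules() {  # unblock_rules IP -> delete exactly those two rules again
    for proto in udp tcp; do printf 'iptables -D %s\n' "$(rule_spec "$proto" "$1")"; done
}

# watch_rule IP -> at most one kernel LOG line per day while IP keeps knocking.
# Emit it AFTER block_rules: -I puts it above the DROPs, and LOG does not terminate.
watch_rule() {
    printf 'iptables -I INPUT -s %s -m limit --limit 1/day --limit-burst 1 -j LOG --log-prefix "%s: "\n' "$1" "$TAG"
}

# plan_from_log MIN  (log on stdin) -> the commands for every client over the threshold
plan_from_log() {
    denied_clients "$1" | while read -r count ip; do
        echo "# $ip: $count denied cache queries"
        block_rules "$ip"
        watch_rule "$ip"
    done
}

# Usage:  sample_log | plan_from_log 3          (review), then   ... | sh   (apply)
#         iptables -S INPUT | grep -- "--comment $TAG"   lists what is still blocked
#         unblock_rules 202.152.172.4 | sh         once the LOG line has stayed away
```

The comment tag is what makes Sten's removal step safe: because -D is given the same match as -I, iptables removes those two rules and nothing else, and iptables -S with a grep on the tag shows which addresses are still blocked. Denis's single rule without -p or --dport would drop everything from the address, which is simpler but also hides the ssh or http scans he may want to keep seeing in other logs.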