Re: Three NameServer DOSing my dns1
On 28.07.10 23:24, Michelle Konzack wrote:
> Hello Dave Sparro,
> On 2010-07-28 10:11:52, you hacked the following down:
> > That host name does show up in your e-mail headers. That may be why there
> > are some people curious about that host name.
>
> But why do they query my server 3 times per second?

deep parsing of e-mail headers by spam filtering software, I guess.
Apparently because of your fake ssmtp header.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was a Windows 95 beta test site.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Three NameServer DOSing my dns1
Hello Matus UHLAR - fantomas,

On 2010-07-29 14:12:54, you hacked the following down:
> On 28.07.10 23:24, Michelle Konzack wrote:
> > But why do they query my server 3 times per second?
>
> deep parsing of e-mail headers by spam filtering software, I guess.

Which is the last crap! Spamassassin does this too and I had to whitelist
more than 2000 E-Mails due to the high amount of false-positives.

> Apparently because of your fake ssmtp header.

Which fake ssmtp header? How do you think I can send mails? My workstation
has ssmtp installed for security reasons, like all of my machines which do
not receive any mails but only have to send out messages like logs or
alarms... courier is my official Relay which is used by more than 8000 users.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux
itsyst...@tdnet France EURL            itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack                 Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz                      Kinzigstraße 17
67100 Strasbourg/France                77694 Kehl/Germany
Tel: +33-6-61925193 mobil              Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix
http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/     http://www.can4linux.org/
Jabber linux4miche...@jabber.ccc.de
ICQ#328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: Three NameServer DOSing my dns1
On 29.07.10 19:16, Michelle Konzack wrote:
> Hello Matus UHLAR - fantomas,
> On 2010-07-29 14:12:54, you hacked the following down:
> > On 28.07.10 23:24, Michelle Konzack wrote:
> > > But why do they query my server 3 times per second?
> >
> > deep parsing of e-mail headers by spam filtering software, I guess.
>
> Which is the last crap! Spamassassin does this too and I had to whitelist
> more than 2000 E-Mails due to the high amount of false-positives.

apparently internal_networks set up incorrectly?

> > Apparently because of your fake ssmtp header.
>
> Which fake ssmtp header?

I see the name michelle1.private.tamay-dogan.net in two headers:

Received: from michelle1.private.tamay-dogan.net (router.private.tamay-dogan.net [:::192.168.0.65])
    (AUTH: LOGIN michelle.konzack)
    by mail.tamay-dogan.net with esmtp; Thu, 29 Jul 2010 19:16:29 +0200
    id 0002C6F8.4C51B76D.55D9
Received: by michelle1.private.tamay-dogan.net (sSMTP sendmail emulation);
    Thu, 29 Jul 2010 19:16:28 +0200

since the former contains IP address, I guess it's the latter that causes
some kind of spam filters try to resolve the IP.

Note that I'm just guessing and it's apparently not spamassassin. However
there are many spam filters deeply parsing headers and some quite
incorrectly. I think you are on spamassassin-users mailing list and you could
remember that problems with deeply parsed headers on some mailservers are
mentioned there quite often.

> How do you think I can send mails? My workstation has ssmtp installed for
> security reasons, like all of my machines which do not receive any mails
> but only have to send out messages like logs or alarms...

I'm not objecting against ssmtp, I know what's that (and I use it in some
situations although I prefer msmtp) but it's possible that the inserted
header causes some filters try to resolve your hostname. You can try using
msmtp or similar smtp client to see if it helps.

> courier is my official Relay which is used by more than 8000 users.

I know because I've seen your posts on courier-users mailing list too.
Actually I even know you are debian user, guess why :-)

HOWEVER! To return to this ML's topic:

Your hostname is private and inaccessible from the outside. The requesters
get SERVFAIL reply which apparently makes them retry. If you provided them
any IP address (e.g. 127.0.0.1) they could be satisfied and stop trying
(until the cached record expires). You can try this if it makes you angry.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
LSD will make your ECS screen display 16.7 million colors
Re: Three NameServer DOSing my dns1
Hello Matus UHLAR - fantomas,

On 2010-07-29 19:37:50, you hacked the following down:
> apparently internal_networks set up incorrectly?

No, it is the problem if a customer connects through a VPN to the Router of
the employer/enterprise and sends out messages using the company's own mail
relay, and from there it comes to me to the rest of the world.

Note: My customers are in my network through FTTH.

> I see the name michelle1.private.tamay-dogan.net in two headers:
>
> Received: from michelle1.private.tamay-dogan.net (router.private.tamay-dogan.net [:::192.168.0.65])
>     (AUTH: LOGIN michelle.konzack)
>     by mail.tamay-dogan.net with esmtp; Thu, 29 Jul 2010 19:16:29 +0200
>     id 0002C6F8.4C51B76D.55D9
> Received: by michelle1.private.tamay-dogan.net (sSMTP sendmail emulation);
>     Thu, 29 Jul 2010 19:16:28 +0200

This is because 192.168.0.65 is the gateway of my private /26 network which
is NATed and is connected directly on my router.

> Note that I'm just guessing and it's apparently not spamassassin. However
> there are many spam filters deeply parsing headers and some quite
> incorrectly. I think you are on spamassassin-users mailing list and you
> could remember that problems with deeply parsed headers on some
> mailservers are mentioned there quite often.

I know the threads...

> header causes some filters try to resolve your hostname. You can try using
> msmtp or similar smtp client to see if it helps.

Already tried. It is always the same and RFC conform. :-D

> I know because I've seen your posts on courier-users mailing list too.
> Actually I even know you are debian user, guess why :-)

hehehe

> Your hostname is private and inaccessible from the outside. The requesters
> get SERVFAIL reply which apparently makes them retry. If you provided them
> any IP address (e.g. 127.0.0.1) they could be satisfied and stop trying
> (until the cached record expires). You can try this if it makes you angry.

I have removed the REJECT and immediately gotten over 7000 MAILER-DAEMON
errors from around the world, and these idiots are attaching WHOLE messages
including attachments to it. 99% are MAILER-DAEMON messages due to faked
From: using linux4michelle. Also the tries from dtag.de, t-dialin.net and
arcor-ip.de are mostly MAILER-DAEMON spam.

Tomorrow I will call the Deutsche Telecom directly in Ofenburg/Germany since
I am angry and I like to bother them. They should be a little bit busy like
me. :-D

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: Three NameServer DOSing my dns1
On 7/29/2010 2:11 PM, Michelle Konzack wrote:
> Hello Matus UHLAR - fantomas,
>
> > Your hostname is private and inaccessible from the outside. The
> > requesters get SERVFAIL reply which apparently makes them retry. If you
> > provided them any IP address (e.g. 127.0.0.1) they could be satisfied
> > and stop trying (until the cached record expires). You can try this if
> > it makes you angry.
>
> I have removed the REJECT and immediately gotten over 7000 MAILER-DAEMON
> errors from around the world, and these idiots are attaching WHOLE
> messages including attachments to it. 99% are MAILER-DAEMON messages due
> to faked From: using linux4michelle. Also the tries from dtag.de,
> t-dialin.net and arcor-ip.de are mostly MAILER-DAEMON spam.

If there are spammers sending mail claiming to be from:
linux4miche...@michelle1.private.tamay-dogan.net that would be another
reason you would be seeing the queries. (Although I'd expect them to come
from a lot more DNS servers; maybe it is targeted spam).

Anyway, nothing says that you *have* to give an answer that actually leads
back to your mail server for that hostname.

-- 
Dave
Three NameServer DOSing my dns1
Hello Experts,

my primary NameServer dns1.tamay-dogan.net is hit by more than 600.000
requests per day coming mainly from three NameServers:

[ '/var/log/named.log' ]
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.318 security: info: client 194.25.2.173#34455: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.568 security: info: client 145.253.2.7#39557: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.747 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.033 security: info: client 145.253.2.7#42608: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.229 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.341 security: info: client 194.25.2.173#51045: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.596 security: info: client 145.253.2.7#38208: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.792 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.081 security: info: client 145.253.2.7#52958: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.284 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied

[ STDIN ]---
[michelle.konz...@michelle1:~] host 194.25.2.173
173.2.25.194.in-addr.arpa domain name pointer dns42.btx.dtag.de.
[michelle.konz...@michelle1:~] host 145.253.2.7
Host 7.2.253.145.in-addr.arpa. not found: 3(NXDOMAIN)
[michelle.konz...@michelle1:~] host 79.242.61.7
7.61.242.79.in-addr.arpa domain name pointer p4FF23D07.dip.t-dialin.net.
[michelle.konz...@michelle1:~] dig -x 145.253.2.7

; <<>> DiG 9.5.1-P3 <<>> -x 145.253.2.7
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36189
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;7.2.253.145.in-addr.arpa.      IN      PTR

;; AUTHORITY SECTION:
253.145.in-addr.arpa.   6161    IN      SOA     ns1.arcor-ip.de. hostmaster.adm.arcor.net. 2010072800 28800 14400 1814400 7200

;; Query time: 1 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Wed Jul 28 11:38:01 2010
;; MSG SIZE  rcvd: 117

the NX one is from Arcor.

Since the Deutsche Telecom is NOT responsive to ANY of my requests and you
can not even reach them by Telephone, I need to do something because this
32 MByte traffic per day is absolutely useless.

Any suggestions?

yandex.ru has responded for half an hour to my requests after 3 weeks or
such and told me they are querying my DNS because there is a link in my
website... but I have found nothing. However, they want to connect to my
ancient Laptop tp570 and my Workstation michelle1 from which I write this
message... Both machines are in my Intranet and will never allow access from
the world.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: Three NameServer DOSing my dns1
On 7/28/2010 5:53 AM, Michelle Konzack wrote:
> Hello Experts,
>
> my primary NameServer dns1.tamay-dogan.net is hit by more than 600.000
> requests per day coming mainly from three NameServers:
>
> [ '/var/log/named.log' ]
> [...]

That host name does show up in your e-mail headers. That may be why there
are some people curious about that host name.

If the repeat traffic really bothers you, I'd bet that you could get them to
go away by giving a better answer than REFUSED to their query. If you want
to keep your private.tamay-dogan.net zone private, you could use views to
keep the zone from existing for the Internet side of your connection.

I'd even be tempted to ditch the allow-query ACL so that they could get the
michelle1.private.tamay-dogan.net/A/IN == 192.168.0.65 answer (at least
temporarily).

I'd be even more tempted to ignore the noise in your log file. BIND is just
letting you know it is doing exactly what you configured it to do.

-- 
Dave
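Dave's views suggestion worked through as an added example (this is not configuration from the thread, from Michelle's server or from ISC): a named.conf fragment that shows, as a comment, the kind of global allow-query ACL that produces the "query ... denied" lines in the log, beside a split-horizon version in which private.tamay-dogan.net exists only for internal clients. The ACL prefix 192.168.0.64/26 (derived from the "private /26" with gateway 192.168.0.65 mentioned later in the thread), the view names and the zone file paths are assumptions.

```conf
// Added example, not from the thread or from ISC. Assumed values are marked.

acl "internal" {
    127.0.0.0/8;
    192.168.0.64/26;      // assumed: the NATed private /26 behind 192.168.0.65
};

// Before: one global allow-query ACL in front of every zone. An outside
// resolver asking for michelle1.private.tamay-dogan.net gets REFUSED, logged
// as "query ... denied". REFUSED carries nothing a resolver can cache, so the
// resolver (or the spam filter behind it) simply asks again; that is the
// ~3 queries/second pattern in the log.
//
// options {
//     allow-query { internal; };
// };
// zone "private.tamay-dogan.net" {
//     type master;
//     file "/etc/bind/db.private.tamay-dogan.net";     // assumed path
// };

// After: the private zone is served only inside the "internal" view.
view "internal" {
    match-clients { internal; };
    recursion yes;        // LAN clients may use this server as their resolver

    zone "tamay-dogan.net" {
        type master;
        file "/etc/bind/db.tamay-dogan.net";          // assumed path
    };
    zone "private.tamay-dogan.net" {
        type master;
        file "/etc/bind/db.private.tamay-dogan.net";  // assumed path
    };
};

view "external" {
    match-clients { any; };
    recursion no;         // authoritative only towards the Internet
    allow-query { any; }; // the public zone is meant to be public

    // There is deliberately no private.tamay-dogan.net zone in this view.
    // A query for michelle1.private.tamay-dogan.net is answered from the
    // parent zone with NXDOMAIN plus the zone's SOA; resolvers cache that
    // negative answer for the SOA's negative TTL and stop repeating it.
    zone "tamay-dogan.net" {
        type master;
        file "/etc/bind/db.tamay-dogan.net";          // assumed path
    };
};
```

Two checks before reloading: once any view is defined, BIND requires every zone (including the localhost and root-hints zones) to live inside a view, so run named-checkconf after moving them; and the NXDOMAIN behaviour only holds if the external copy of tamay-dogan.net does not delegate "private" to other name servers, otherwise the outside resolver gets a referral instead of a cacheable negative answer. If you would rather follow Matus's "give them any address" idea, a plain A record for michelle1.private in the external data achieves the same caching effect, at the cost of publishing a name you wanted to keep private.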
Re: Three NameServer DOSing my dns1
Hello Dave Sparro,

On 2010-07-28 10:11:52, you hacked the following down:
> That host name does show up in your e-mail headers. That may be why there
> are some people curious about that host name.

But why do they query my server 3 times per second? Currently I have more
than 600.000 DNS requests per day... but only dtag.de, t-dialin.net and
arcor-ip.net are querying my michelle1 excessively. Other NS (around 90)
are less than 20%.

The question is, why do they query an @home FQDN, if I have a public SMTP
relay? For me it is an error in their configuration, because the MTA should
only test the MTA which connects to it, and this is definitively
mail.tamay-dogan.net.

The other thing is that in the last 4-6 days I have not written very much
E-Mail (maybe 50-70), which left me puzzling around WHY I am bombed with
several million queries. Today I have sent only 12 messages and I have
attached the unified log from today for servers querying michelle1.

While Google has stopped querying my server endlessly, since today it is
ns1.Level3.net. Do you not wonder?

Also I have for some minutes encountered that I had several 10.000 break-in
attempts (apache, ssh and courier) from DOT CN today. I really should nuke
them.

> If the repeat traffic really bothers you, I'd bet that you could get them
> to go away by giving a better answer than REFUSED to their query. If you
> want to keep your private.tamay-dogan.net zone private, you could use
> views to keep the zone from existing for the Internet side of your
> connection.

OK I have to read into views because I do not know how this stuff works

> I'd even be tempted to ditch the allow-query ACL so that they could get
> the michelle1.private.tamay-dogan.net/A/IN == 192.168.0.65 answer (at
> least temporarily).
>
> I'd be even more tempted to ignore the noise in your log file. BIND is
> just letting you know it is doing exactly what you configured it to do.

Hmmm, it is not really funny to have a 100 MByte logfile per day.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

[ command 'tdnamed --get-ns' ]--
119.147.9.49    : dns.guangzhou.gd.cn
120.29.157.9    : ns2.hyper.net.id
120.29.158.9    : ns2.hyper.net.id
128.151.219.8   : galileo.cc.rochester.edu
128.151.224.6   : galileo.cc.rochester.edu
128.86.8.10     : ns0.ja.net
128.86.8.25     : ns0.ja.net
130.129.33.240  : ns1.meeting.ietf.org
145.253.2.7     : ns1.arcor-ip.de
192.221.166.105 : ns1.Level3.net
192.221.166.107 : ns1.Level3.net
192.221.166.113 : ns1.Level3.net
192.221.166.123 : ns1.Level3.net
192.221.166.124 : ns1.Level3.net
192.221.166.126 : ns1.Level3.net
192.221.166.137 : ns1.Level3.net
192.221.166.140 : ns1.Level3.net
192.221.166.148 : ns1.Level3.net
192.221.166.152 : ns1.Level3.net
192.221.166.156 : ns1.Level3.net
192.221.166.167 : ns1.Level3.net
192.221.166.168 : ns1.Level3.net
192.221.166.171 : ns1.Level3.net
192.221.166.177 : ns1.Level3.net
192.221.166.179 : ns1.Level3.net
192.221.166.184 : ns1.Level3.net
192.221.166.209 : ns1.Level3.net
192.221.166.222 : ns1.Level3.net
192.221.166.243 : ns1.Level3.net
192.221.166.3   : ns1.Level3.net
192.221.166.51  : ns1.Level3.net
192.221.166.53  : ns1.Level3.net
192.221.166.61  : ns1.Level3.net
192.221.166.80  : ns1.Level3.net
192.221.166.81  : ns1.Level3.net
192.221.166.94  : ns1.Level3.net
192.221.166.96  : ns1.Level3.net
192.221.167.103 : ns1.Level3.net
192.221.167.138 : ns1.Level3.net
192.221.167.144 : ns1.Level3.net
192.221.167.146 : ns1.Level3.net
192.221.167.147 : ns1.Level3.net
192.221.167.148 : ns1.Level3.net
192.221.167.152 : ns1.Level3.net
192.221.167.157 : ns1.Level3.net
192.221.167.164 : ns1.Level3.net
192.221.167.174 : ns1.Level3.net
192.221.167.180 : ns1.Level3.net
192.221.167.183 : ns1.Level3.net
192.221.167.189 : ns1.Level3.net
192.221.167.2   : ns1.Level3.net
192.221.167.20  : ns1.Level3.net
192.221.167.217 : ns1.Level3.net
192.221.167.219 : ns1.Level3.net
192.221.167.221 : ns1.Level3.net
192.221.167.241 : ns1.Level3.net
192.221.167.249 : ns1.Level3.net
192.221.167.33  : ns1.Level3.net
192.221.167.35  : ns1.Level3.net
192.221.167.38  : ns1.Level3.net
192.221.167.41  : ns1.Level3.net
192.221.167.47  : ns1.Level3.net
192.221.167.52  : ns1.Level3.net
192.221.167.68  : ns1.Level3.net
192.221.167.78  : ns1.Level3.net
192.221.167.85  : ns1.Level3.net
192.221.167.88  : ns1.Level3.net
192.221.190.103 : ns1.Level3.net
192.221.190.106 : ns1.Level3.net
192.221.190.109 : ns1.Level3.net
192.221.190.114 : ns1.Level3.net
192.221.190.127 : ns1.Level3.net
192.221.190.133 : ns1.Level3.net
192.221.190.139 : ns1.Level3.net
192.221.190.145 : ns1.Level3.net
192.221.190.147 : ns1.Level3.net
192.221.190.148 : ns1.Level3.net
192.221.190.161 : ns1.Level3.net
192.221.190.164 : ns1.Level3.net
192.221.190.166 : ns1.Level3.net
192.221.190.174 : ns1.Level3.net
192.221.190.178 : ns1.Level3.net
192.221.190.181 :