Re: queries for "_.domain"

2024-05-20 Thread Matus UHLAR - fantomas

On 18.05.24 07:10, Mark Andrews wrote:
> Correct. Later versions use NS queries as that allows named to cache the
> non-existence of the NS RRset.

I see this happened since 9.18.17
Luckily Debian 11/backports and Debian 12 have incorporated this version.

> Using _.domain doesn’t allow that to happen.

Which I guess caused my problem.

Looking at the docs, I can only turn it off in previous versions.
(QNAME minimization was added in 9.13.2)

> NS queries do however expose broken delegations.  Make sure you have
> working NS records at the zone apex and at the delegation point.  This is
> especially important when the server serves multiple levels in the zone
> hierarchy as intermediate delegations are often not seen without QNAME
> minimisation but are with QNAME minimisation.

Luckily this is resolving-only server.

> We have had bug reports due to all delegating NS records referring to
> non-existing servers.
>
> We have had bug reports due to garbage records at the zone apex.

I encountered problems like this in the past. And then people wonder they
DNS work properly.

The "google (8.8.8.8) works" argument is problematic because google violates
DNS in cases like this.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: queries for "_.domain"

2024-05-17 Thread Mark Andrews
Correct. Later versions use NS queries as that allows named to cache the 
non-existence of the NS RRset.  Using _.domain doesn’t allow that to happen.

NS queries do however expose broken delegations.  Make sure you have working NS 
records at the zone apex and at the delegation point. This is especially 
important when the server serves multiple levels in the zone hierarchy as 
intermediate delegations are often not seen without QNAME minimisation but are 
with QNAME minimisation. 

We have had bug reports due to all delegating NS records referring to 
non-existing servers.

We have had bug reports due to garbage records at the zone apex.

Mark

-- 
Mark Andrews

> On 17 May 2024, at 23:31, Stephane Bortzmeyer  wrote:
> 
> On Fri, May 17, 2024 at 03:25:01PM +0200,
> Matus UHLAR - fantomas  wrote 
> a message of 43 lines which said:
> 
>> I have noticed that BIND sends strange (for me) queries.
>> 
>> 5   0.198221 192.168.0.1 → 193.108.88.128 DNS 105 Standard query 0x15a4 A
>> _.net.akadns.net OPT
> 
> QNAME minimisation (RFC 9156), probably?


Re: queries for "_.domain"

2024-05-17 Thread Stephane Bortzmeyer
On Fri, May 17, 2024 at 03:25:01PM +0200,
 Matus UHLAR - fantomas  wrote 
 a message of 43 lines which said:

> I have noticed that BIND sends strange (for me) queries.
> 
> 5   0.198221 192.168.0.1 → 193.108.88.128 DNS 105 Standard query 0x15a4 A 
> _.net.akadns.net OPT

QNAME minimisation (RFC 9156), probably?


queries for "_.domain"

2024-05-17 Thread Matus UHLAR - fantomas

Hello,

I have noticed that BIND sends strange (for me) queries.

 5   0.198221 192.168.0.1 → 193.108.88.128 DNS 105 Standard query 0x15a4 A _.net.akadns.net OPT
 8   0.204738 193.108.88.128 → 192.168.0.1 DNS 159 Standard query response 0x15a4 No such name A _.net.akadns.net SOA internal.akadns.net OPT
 9   0.205400 192.168.0.1 → 193.108.88.128 DNS 112 Standard query 0x3413 A _.office.net.akadns.net OPT
10   0.211944 193.108.88.128 → 192.168.0.1 DNS 166 Standard query response 0x3413 No such name A _.office.net.akadns.net SOA internal.akadns.net OPT
11   0.212646 192.168.0.1 → 193.108.88.128 DNS 128 Standard query 0x70df A _.omexexternallfb.office.net.akadns.net OPT
12   0.218782 193.108.88.128 → 192.168.0.1 DNS 182 Standard query response 0x70df No such name A _.omexexternallfb.office.net.akadns.net SOA internal.akadns.net OPT

Is this a known feature I have missed?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.
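
The capture in the message above, checked as a QNAME-minimisation walk: this is an added example, not part of the original thread, that groups the `_.<ancestor>` probes per resolver/server pair and verifies that each probe descends exactly one label. The function names are hypothetical, and `ns_style_probes` assumes that the NS query described in the replies is sent for the ancestor name itself.

```python
import re

# Capture lines from the post above, with the mail client's line wrapping joined.
CAPTURE = """\
5 0.198221 192.168.0.1 → 193.108.88.128 DNS 105 Standard query 0x15a4 A _.net.akadns.net OPT
8 0.204738 193.108.88.128 → 192.168.0.1 DNS 159 Standard query response 0x15a4 No such name A _.net.akadns.net SOA internal.akadns.net OPT
9 0.205400 192.168.0.1 → 193.108.88.128 DNS 112 Standard query 0x3413 A _.office.net.akadns.net OPT
10 0.211944 193.108.88.128 → 192.168.0.1 DNS 166 Standard query response 0x3413 No such name A _.office.net.akadns.net SOA internal.akadns.net OPT
11 0.212646 192.168.0.1 → 193.108.88.128 DNS 128 Standard query 0x70df A _.omexexternallfb.office.net.akadns.net OPT
12 0.218782 193.108.88.128 → 192.168.0.1 DNS 182 Standard query response 0x70df No such name A _.omexexternallfb.office.net.akadns.net SOA internal.akadns.net OPT
"""

# Matches the one-line tshark summary format shown in the post.
LINE = re.compile(
    r"(?P<src>\S+) → (?P<dst>\S+) DNS \d+ Standard query (?P<resp>response )?"
    r"0x(?P<txid>[0-9a-f]{4}) (?P<nx>No such name )?(?P<qtype>[A-Z]+) (?P<qname>\S+)"
)


def parse(capture):
    """Return one dict per DNS summary line; other lines are ignored."""
    out = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            d = m.groupdict()
            d["resp"], d["nx"] = bool(d["resp"]), bool(d["nx"])
            d["qname"] = d["qname"].rstrip(".").lower()
            out.append(d)
    return out


def minimisation_chains(capture):
    """Group '_.<ancestor>' A probes per (resolver, server) and validate the walk.

    A chain is consistent when every probe extends the previous ancestor by
    exactly one label, which is how a minimising resolver descends the tree.
    """
    msgs = parse(capture)
    # (resolver, server, txid) of every response that came back NXDOMAIN
    nxdomain = {(m["dst"], m["src"], m["txid"]) for m in msgs if m["resp"] and m["nx"]}
    chains = {}
    for m in msgs:
        if m["resp"] or m["qtype"] != "A" or not m["qname"].startswith("_."):
            continue
        ancestor = m["qname"][2:]
        c = chains.setdefault(
            (m["src"], m["dst"]),
            {"ancestors": [], "consistent": True, "all_nxdomain": True},
        )
        prev = c["ancestors"][-1] if c["ancestors"] else None
        if prev is not None and ancestor.split(".", 1)[-1] != prev:
            c["consistent"] = False  # skipped a label or jumped to another tree
        c["ancestors"].append(ancestor)
        if (m["src"], m["dst"], m["txid"]) not in nxdomain:
            c["all_nxdomain"] = False
    return chains


def ns_style_probes(ancestors):
    """Same walk in the NS-query style (assumption: NS for the ancestor itself)."""
    return [(name, "NS") for name in ancestors]


if __name__ == "__main__":
    for (resolver, server), c in minimisation_chains(CAPTURE).items():
        print(resolver, "->", server, c)
        print("NS-style equivalent:", ns_style_probes(c["ancestors"]))
```
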


Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Matus UHLAR - fantomas

On 15.04.13 16:13, Denis Laventure wrote:
> I'm having the same problem but for those domains...
>
>   hao.360.cn.
>   openboxcdn.mobilem.360.cn.
>   xliar.com.
>   www.so.com.
>   www.baidu.com.
>   www.360.cn
>   down.360.cn
>   www.hao123.com
>
> 15-Apr-2013 15:00:08.485 security: info: client 117.21.187.20#52538: view external: query (cache) 'hao.360.cn/A/IN' denied

Aren't those domains pointing their NS onto your nameserver? What's your IP,
if it's not secret?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Matus UHLAR - fantomas

On 15.04.13 10:02, Jose Manuel Delgado G. wrote:
> Subject: I'm having thousands of queries a domain isc.org and this increases
> my cpu percentage to 100%. That may be happening and how I can control
> this? is an attack? attachment of the log I made an update to version
> 9.9.2-P2 as recommended but still continuous problems.
>
> 190.34.55.70 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.33.3.27 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.32.57.243 - 201.224.83.242 DNS C isc.org. Internet * ?
> 201.224.149.40 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.35.22.44 - 201.224.83.242 DNS C isc.org. Internet * ?
> 186.73.76.87 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.34.44.109 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.32.56.118 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.34.27.201 - 201.224.83.242 DNS C isc.org. Internet * ?
> 201.224.115.26 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.32.165.139 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.33.231.148 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.35.84.29 - 201.224.83.242 DNS C isc.org. Internet * ?

% host 201.224.83.242
242.83.224.201.in-addr.arpa domain name pointer ns5.cwpanama.net.

inetnum: 190.34/15
status:  allocated
aut-num: N/A
owner:   Cable & Wireless Panama

inetnum: 201.224/16
status:  allocated
aut-num: N/A
owner:   Cable & Wireless Panama

they apparently expect your nameserver to provide recursive DNS service for
your company while it may not be intended for that use...  some customers
(well, not only customers...) do not understand the difference between
authoritative and recursive DNS service and may try to use servers for
purpose not intended.  Some may also complain if the service does not work
properly

if you want to be really a bitch, you can set up recursive view with .
domain providing * records.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Barry Margolin
In article mailman.130.1366101804.20661.bind-us...@lists.isc.org,
 Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> they apparently expect your nameserver to provide recursive DNS service for
> your company while it may not be intended for that use...  some customers
> (well, not only customers...) do not understand the difference between
> authoritative and recursive DNS service and may try to use servers for
> purpose not intended.  Some may also complain if the service does not work
> properly

If they were using his server as a resolver, wouldn't he see queries for 
lots of random hostnames (including popular domains like www.google.com, 
www.yahoo.com, etc.), not just isc.org?

-- 
Barry Margolin
Arlington, MA


Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Kebba Foon
On Tue, 2013-04-16 at 05:27 -0400, Barry Margolin wrote:
> In article mailman.130.1366101804.20661.bind-us...@lists.isc.org,
>  Matus UHLAR - fantomas uh...@fantomas.sk wrote:
>
> > they apparently expect your nameserver to provide recursive DNS service for
> > your company while it may not be intended for that use...  some customers
> > (well, not only customers...) do not understand the difference between
> > authoritative and recursive DNS service and may try to use servers for
> > purpose not intended.  Some may also complain if the service does not work
> > properly
>
> If they were using his server as a resolver, wouldn't he see queries for
> lots of random hostnames (including popular domains like www.google.com,
> www.yahoo.com, etc.), not just isc.org?

This seems like some attack going on; after reading the mails I also
checked my recursive server and found a lot of these in my logs:

16-Apr-2013 11:31:35.743 security: info: client 101.226.167.13#55818:
query (cache) 'xliar.com/A/IN' denied
16-Apr-2013 11:31:35.776 security: info: client 101.226.167.13#53710:
query (cache) 'www.baidu.com/A/IN' denied
16-Apr-2013 11:31:35.813 security: info: client 182.118.40.31#42505:
query (cache) 'www.baidu.com/A/IN' denied
16-Apr-2013 11:31:36.187 security: info: client 220.181.156.90#59278:
query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.225 security: info: client 220.181.156.90#50194:
query (cache) 'www.360.cn/A/IN' denied
16-Apr-2013 11:31:36.253 security: info: client 220.181.156.90#33551:
query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.574 security: info: client 182.118.40.31#36470:
query (cache) 'xliar.com/A/IN' denied
16-Apr-2013 11:31:36.587 security: info: client 182.118.40.31#51191:
query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.691 security: info: client 117.21.187.20#47169:
query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.705 security: info: client 183.60.211.65#32809:
query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.722 security: info: client 117.21.187.20#54942:
query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.733 security: info: client 117.21.187.20#50493:
query (cache) 'down.360.cn/A/IN' denied
16-Apr-2013 11:31:36.761 security: info: client 182.118.40.31#54391:
query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.762 security: info: client 120.128.6.42#56439:
query (cache) 'down.360.cn/A/IN' denied
16-Apr-2013 11:31:36.798 security: info: client 120.128.6.42#52172:
query (cache) 'www.360.cn/A/IN' denied

My server is not an open recursive server; it's only open to my clients,
and these are not even from my country.

Kebba



Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Phil Mayers

On 16/04/13 12:41, Kebba Foon wrote:
> my server is not an open recursive server its only open to my clients
> and these are not even from my country.

You're right, it's probably a spoofed-source DNS amplification attack.

If your DNS server isn't open (good to hear) you could consider just
ACLing it at your network border.

Alternatively, you could consider the RRL patches to bind.


Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Kebba Foon
On Tue, 2013-04-16 at 13:00 +0100, Phil Mayers wrote:
> On 16/04/13 12:41, Kebba Foon wrote:
>
> > my server is not an open recursive server its only open to my clients
> > and these are not even from my country.
>
> You're right, it's probably a spoofed-source DNS amplification attack.
>
> If your DNS server isn't open (good to hear) you could consider just
> ACLing it at your network border.
>
> Alternatively, you could consider the RRL patches to bind.

This looks definitely like an attack; it's the same thing on both my
recursive servers. I just checked the other now and saw the same queries.




RE: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Denis Laventure
> These seems like some attack going on, after reading the mails i also check
> my recursive server and found a lot of these in my logs:
> my server is not an open recursive server its only open to my clients and
> these are not even from my country.

Same here, my DNS are open to my clients only and are not open resolver. Good 
to see that I'm not the only one with that problem. 

Finally, I got this list of IPs blocked on my firewall and I don't have issue 
anymore for now :


Denis 

> my server is not an open recursive server its only open to my clients and these
> are not even from my country.
>
> Kebba



Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Phil Mayers

On 16/04/13 14:04, Denis Laventure wrote:
> > These seems like some attack going on, after reading the mails i also check my
> > recursive server and found a lot of these in my logs:
> > my server is not an open recursive server its only open to my clients and these
> > are not even from my country.
>
> Same here, my DNS are open to my clients only and are not open resolver. Good
> to see that I'm not the only one with that problem.
>
> Finally, I got this list of IPs blocked on my firewall and I don't have issue
> anymore for now :

Instead of blocking the source (which aren't even real - they're
spoofed) why not just block access to your recursive resolver on port 53.



RE: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Denis Laventure
> Instead of blocking the source (which aren't even real - they're
> spoofed) why not just block access to your recursive resolver on port 53.

I need my DNS server to resolve for my authoritative domain, I have 30+ domains
here I can't block access to port 53.

Denis


Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat

2013-04-16 Thread Phil Mayers

On 16/04/13 14:28, Denis Laventure wrote:
> > Instead of blocking the source (which aren't even real - they're
> > spoofed) why not just block access to your recursive resolver on port 53.
>
> I need my DNS server to resolve for my authoritative domain, I have 30+ domains
> here I can't block access to port 53.

(replying on-list for posterity)

Ah, it's a shared auth/recursive. In which case that's probably the best
you can do. Just be aware these IPs are probably spoofed - they are the
victims - so you should have some process to expire them over time.

FWIW this is one reason not to mix auth/recursive on the same server; it
tempts you to use the same IP.
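
One way to build the expiring block list suggested above from the "query (cache) ... denied" log lines quoted in this thread; this is an added example, not part of the original thread. The threshold, window and TTL values, the function names and the sample log lines (constructed, with documentation addresses) are assumptions, and only the log format shown in the thread is parsed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
15-Apr-2013 15:00:08.485 security: info: client 192.0.2.20#52538: view external: query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:35.743 security: info: client 198.51.100.13#55818: query (cache) 'xliar.com/A/IN' denied
16-Apr-2013 11:31:35.776 security: info: client 198.51.100.13#53710: query (cache) 'www.baidu.com/A/IN' denied
16-Apr-2013 11:31:36.187 security: info: client 203.0.113.90#59278: query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.225 security: info: client 203.0.113.90#50194: query (cache) 'www.360.cn/A/IN' denied
16-Apr-2013 11:31:36.253 security: info: client 203.0.113.90#33551: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.705 security: info: client 198.51.100.65#32809: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:32:10.000 queries: info: client 192.0.2.1#4000: query: example.com IN A +
"""

DENIED = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: (?:view \S+: )?"
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)


def parse_denied(log):
    """Yield (timestamp, source_ip, qname) for each denied cache query."""
    for line in log.splitlines():
        m = DENIED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["qname"].lower()


def build_blocklist(log, threshold=2, window=timedelta(minutes=5),
                    ttl=timedelta(hours=6)):
    """Map source IP -> expiry time for sources with >= threshold denials in window.

    Every entry carries an expiry because the sources are probably spoofed:
    the address belongs to the victim, so the block must not be permanent.
    """
    recent = {}   # ip -> timestamps still inside the sliding window
    expires = {}  # ip -> time at which the block lapses
    for ts, ip, _qname in sorted(parse_denied(log)):
        hits = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= threshold:
            expires[ip] = ts + ttl  # refreshed while the denials continue
    return expires


def active(expires, now):
    """Sources whose block has not yet expired at time `now`."""
    return sorted(ip for ip, exp in expires.items() if exp > now)


def top_qnames(log):
    """Count denied names; a small repeated set points at reflection probing."""
    return Counter(qname for _ts, _ip, qname in parse_denied(log))


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_LOG)
    print(active(blocklist, datetime(2013, 4, 16, 12, 0)))
    print(top_qnames(SAMPLE_LOG).most_common(3))
```
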



I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an update to

2013-04-15 Thread Jose Manuel Delgado G.
190.34.55.70 - 201.224.83.242 DNS C isc.org. Internet * ?
190.33.3.27 - 201.224.83.242 DNS C isc.org. Internet * ?
190.32.57.243 - 201.224.83.242 DNS C isc.org. Internet * ?
201.224.149.40 - 201.224.83.242 DNS C isc.org. Internet * ?
190.35.22.44 - 201.224.83.242 DNS C isc.org. Internet * ?
186.73.76.87 - 201.224.83.242 DNS C isc.org. Internet * ?
190.34.44.109 - 201.224.83.242 DNS C isc.org. Internet * ?
190.32.56.118 - 201.224.83.242 DNS C isc.org. Internet * ?
190.34.27.201 - 201.224.83.242 DNS C isc.org. Internet * ?
201.224.115.26 - 201.224.83.242 DNS C isc.org. Internet * ?
190.32.165.139 - 201.224.83.242 DNS C isc.org. Internet * ?
190.33.231.148 - 201.224.83.242 DNS C isc.org. Internet * ?
190.35.84.29 - 201.224.83.242 DNS C isc.org. Internet * ?

Thanks a lot!
JM