Re: [CentOS] problem with bind???

2009-02-23 Thread Chan Chung Hang Christopher
fabian dacunha wrote:
> Dear Robert,
>
> Really appreciate your quick reply and thanks for the same..
>
> it worked beautifully..
> the badguys acl
>
> now just for my information if you can help me
>
> by the way I had sent a mail to the owners of the IPs and they replied to
> me saying that they had a DDOS attack on their server and it's been stopped 5
> days ago.
>
> now I would like to know, if it was really stopped, what were the messages stating
>
A request to look up a ns record
> was my server querying their server
> or their server querying mine
>
You got a udp packet from who knows where.
> since a rule in my firewall which blocked the below IP did not help
>
Huh? Then maybe there is something wrong with the rule. I basically just 
drop such packets on the floor.
> appreciate your kind help
>
> the messages in my logs are
>
> Feb 22 21:45:36 kmdns1 named[2087]: client 62.109.4.89#24308: query
> (cache) './NS/IN' denied
> Feb 22 21:45:37 kmdns1 named[2087]: client 62.109.4.89#31958: query
> (cache) './NS/IN' denied
> Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#29069: query
> (cache) './NS/IN' denied
> Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#35868: query
> (cache) './NS/IN' denied
> Feb 22 21:45:39 kmdns1 named[2087]: client 62.109.4.89#26792: query
> (cache) './NS/IN' denied
>
> but the moment I made the changes as suggested by you in my named.conf the
> messages stopped perfectly
>

This just shows that your authoritative bind server was configured 
correctly. Congratulations!
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] problem with bind???

2009-02-22 Thread fabian dacunha
Dear Robert,

Really appreciate your quick reply and thanks for the same..

it worked beautifully..
the badguys acl

now just for my information if you can help me

by the way I had sent a mail to the owners of the IPs and they replied to
me saying that they had a DDOS attack on their server and it's been stopped 5
days ago.

now I would like to know, if it was really stopped, what were the messages stating

was my server querying their server
or their server querying mine

since a rule in my firewall which blocked the below IP did not help


appreciate your kind help

the messages in my logs are

Feb 22 21:45:36 kmdns1 named[2087]: client 62.109.4.89#24308: query
(cache) './NS/IN' denied
Feb 22 21:45:37 kmdns1 named[2087]: client 62.109.4.89#31958: query
(cache) './NS/IN' denied
Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#29069: query
(cache) './NS/IN' denied
Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#35868: query
(cache) './NS/IN' denied
Feb 22 21:45:39 kmdns1 named[2087]: client 62.109.4.89#26792: query
(cache) './NS/IN' denied

but the moment I made the changes as suggested by you in my named.conf the
messages stopped perfectly
Regards


Fabian





> > Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query
> > (cache) './NS/IN' denied
> >
> > now in my firewall I tried to block this IP but the messages
> > don't stop
> >
> > I also upgraded bind to version bind-9.3.4-6.0.3.P1.el5_2 but to
> > no avail, the problem is still there
> >
> >
> > I'd just like to know what this problem is and how I could solve it
> >
> > is there a problem with my DNS server
> >
> > thanks and regards
> >
> > appreciate your kind help
> >
> >
> > fabian
>
> fabian,
>
> you might try something like the bad-guys acl I set up a long time ago in
> named.conf
>
> change the IPs as you see fit
>
>
>
> // Default named.conf generated by install of bind-9.2.4-2
> //
> // r.initials August 29 2005
> //
> acl bad-guys {
>     201.114.231.0/24;
>     201.114.236.0/24;
> };
> logging {
>     category lame-servers { null; };
> };
> options {
>     version "Bind";
>     directory "/var/named"; // working directory
>     listen-on { 127.0.0.1; redactedx.y.z.a; };
>     listen-on-v6 { none; };
>     allow-transfer { redactedx.y.z.a; redactedx.y.z.b; };
>     blackhole { bad-guys; };
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     // pid-file "named.pid";   // Put pid file in working dir
>     allow-query { any; };   // This is the default
>     recursion yes; // Do provide recursive service  or not???
> };
> include "/etc/rndc.key";
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.







Re: [CentOS] problem with bind???

2009-02-22 Thread David G. Miller
fabian dacunha fab...@baladia.gov.kw wrote:

> Dear All,
>
> I am sorry for posting this query here but hope someone can help me out
> I have been running Centos 5 as my primary DNS and Mail server with bind 9.2
>
> everything works fine but in my /var/messages log I see continuously the
> below messages
>
> Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#17222: query
> (cache) './NS/IN' denied
> Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#26398: query
> (cache) './NS/IN' denied
> Feb 22 09:14:51 kmdns1 named[2087]: client 62.109.4.89#65326: query
> (cache) './NS/IN' denied
> Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query
> (cache) './NS/IN' denied
>
> now in my firewall I tried to block this IP but the messages don't stop
>
> I also upgraded bind to version bind-9.3.4-6.0.3.P1.el5_2 but to no avail,
> the problem is still there
>
>
> I'd just like to know what this problem is and how I could solve it
>
> is there a problem with my DNS server
>
> thanks and regards
>
> appreciate your kind help
>
>
> fabian
>
I run a very small, personal presence on the internet (only a single web 
site, e-mail, etc. plus DNS for my own stuff) so this might not work if 
you have lots of sites or there are legitimate reasons why the same 
source IP address would hit your DNS with multiple, valid queries in a 
very short period.  Typically, once a source IP has queried a DNS, the 
result is cached for the time to live (TTL) of the resulting record and 
the query should not normally be repeated.  Given this, I added the 
following rules to my firewall:

...
# Block cache poisoning attacks
# Drop repeated DNS requests
-A RH-Firewall-1-INPUT -p udp -m udp -m recent -i eth0 --dport 53 --update \
   --seconds 660 --hitcount 7 --name DNSTHROTTLE --rsource -j DROP

-A RH-Firewall-1-INPUT -p udp -m udp -m recent -i eth0 --dport 53 --set \
   --name DNSTHROTTLE --rsource -j ACCEPT
...

Note that eth0 is my external NIC so these rules only fire for DNS 
requests that are not from my local network.

I came up with seven queries in eleven minutes as a reasonable sign of 
a cache poisoning attack.  Your mileage may vary.  These two rules 
replaced about 30 IPs in my blacklist and are completely automatic.  The 
funny thing is that a lot of the brute force cache poisoning attempts just 
keep banging away so the source IP stays on the blacklist.  Every once 
in a while I'll see a new IP address hit seven attempts and then the 
blacklist rule kicks in and they're never heard from again.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce

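The two rules in Dave's message work because xt_recent keeps a short list of arrival timestamps per source address: the --update rule matches once a source already has --hitcount timestamps inside the last --seconds, and the --set rule records every packet that is let through. The Python script below is an added example written for this thread, not Dave's or the CentOS project's code. It parses named's `query ... denied` lines (in that message the `client` address is the source of an inbound UDP query for the NS records of the root zone, which named refused because the client is not allowed to use the cache), then replays them through a model of those two rules to show which packets the firewall would have dropped and how a source is accepted again once it has been quiet for longer than the window. The sample log is constructed: five lines are the ones quoted in this thread, the rest are made up, and the year 2009 is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log. The first five 62.109.4.89 lines are the ones quoted
# in this thread (syslog writes each on one line; the mail client wrapped them).
# The other 62.109.4.89 lines and the 10.0.0.5 lines are made up here to show
# a burst that crosses the threshold, a well-behaved client, and a source that
# returns after being quiet for longer than the window.
SAMPLE_LOG = """\
Feb 22 21:45:36 kmdns1 named[2087]: client 62.109.4.89#24308: query (cache) './NS/IN' denied
Feb 22 21:45:37 kmdns1 named[2087]: client 62.109.4.89#31958: query (cache) './NS/IN' denied
Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#29069: query (cache) './NS/IN' denied
Feb 22 21:45:38 kmdns1 named[2087]: client 62.109.4.89#35868: query (cache) './NS/IN' denied
Feb 22 21:45:39 kmdns1 named[2087]: client 62.109.4.89#26792: query (cache) './NS/IN' denied
Feb 22 21:45:40 kmdns1 named[2087]: client 10.0.0.5#40001: query (cache) './NS/IN' denied
Feb 22 21:45:41 kmdns1 named[2087]: client 62.109.4.89#40002: query (cache) './NS/IN' denied
Feb 22 21:45:42 kmdns1 named[2087]: client 62.109.4.89#40003: query (cache) './NS/IN' denied
Feb 22 21:45:43 kmdns1 named[2087]: client 62.109.4.89#40004: query (cache) './NS/IN' denied
Feb 22 21:45:44 kmdns1 named[2087]: client 62.109.4.89#40005: query (cache) './NS/IN' denied
Feb 22 21:46:01 kmdns1 named[2087]: client 10.0.0.5#40006: query (cache) './NS/IN' denied
Feb 22 21:57:00 kmdns1 named[2087]: client 62.109.4.89#40007: query (cache) './NS/IN' denied
"""

LOG_YEAR = 2009  # syslog timestamps carry no year; assumed from the thread's date

# "<month> <day> <hh:mm:ss> <host> named[<pid>]: client <ip>#<port>: query (<view>) '<name>/<type>/<class>' denied"
LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \((?P<view>[^)]+)\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied$"
)


def parse_denied_line(line):
    """Parse one 'query ... denied' line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    stamp = " ".join(m.group("stamp").split())  # collapse the "Feb  2" padding syslog uses
    when = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return {"time": when.timestamp(), "ip": m.group("ip"), "port": int(m.group("port")),
            "qname": m.group("qname"), "qtype": m.group("qtype"), "view": m.group("view")}


WINDOW_SECONDS = 660  # --seconds 660 in the posted rule
HITCOUNT = 7          # --hitcount 7 in the posted rule
PKT_LIST_TOT = 20     # xt_recent's default per-address history depth (ip_pkt_list_tot)


class RecentThrottle:
    """Model of the posted pair: '--update --seconds --hitcount ... -j DROP' followed by
    '--set ... -j ACCEPT' on the same --name list."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT, history=PKT_LIST_TOT):
        self.seconds, self.hitcount = seconds, hitcount
        self.seen = defaultdict(lambda: deque(maxlen=history))

    def packet(self, ip, now):
        """Return 'DROP' or 'ACCEPT' for one packet from ip at epoch time now."""
        stamps = self.seen[ip]
        # xt_recent counts the timestamps already stored for this source that fall
        # inside the window; the current packet is not counted yet.
        hits = sum(1 for s in stamps if now - s <= self.seconds)
        verdict = "DROP" if hits >= self.hitcount else "ACCEPT"
        # Either the matching --update rule or the --set rule records this packet,
        # so the timestamp is stored either way; the oldest entry is evicted once
        # the per-address history is full, as the kernel does.
        stamps.append(now)
        return verdict


def simulate(log_text, throttle=None):
    """Replay denied-log lines through the throttle; return [(ip, verdict), ...] in log order."""
    if throttle is None:
        throttle = RecentThrottle()
    verdicts = []
    for line in log_text.splitlines():
        rec = parse_denied_line(line)
        if rec is not None:
            verdicts.append((rec["ip"], throttle.packet(rec["ip"], rec["time"])))
    return verdicts


def summarize(verdicts):
    """Per-source counts, e.g. {'62.109.4.89': {'ACCEPT': 8, 'DROP': 2}}."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for ip, verdict in verdicts:
        counts[ip][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, c in sorted(summarize(simulate(SAMPLE_LOG)).items()):
        print(f"{ip:16} accepted={c['ACCEPT']:<3} dropped={c['DROP']}")
```

Run as a script it prints a per-source summary; change WINDOW_SECONDS and HITCOUNT to try other thresholds against your own log. With the posted values the eighth packet inside the window is the first one dropped (seven stored timestamps reach the hitcount), and the model deliberately covers only the hitcount-within-window logic, not xt_recent's reaping of idle entries or its --rttl option.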


[CentOS] problem with bind???

2009-02-21 Thread fabian dacunha

Dear All,

I am sorry for posting this query here but hope someone can help me out
I have been running Centos 5 as my primary DNS and Mail server with bind 9.2

everything works fine but in my /var/messages log I see continuously the
below messages

Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#17222: query
(cache) './NS/IN' denied
Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#26398: query
(cache) './NS/IN' denied
Feb 22 09:14:51 kmdns1 named[2087]: client 62.109.4.89#65326: query
(cache) './NS/IN' denied
Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query
(cache) './NS/IN' denied

now in my firewall I tried to block this IP but the messages don't stop

I also upgraded bind to version bind-9.3.4-6.0.3.P1.el5_2 but to no avail,
the problem is still there


I'd just like to know what this problem is and how I could solve it

is there a problem with my DNS server

thanks and regards

appreciate your kind help


fabian







Re: [CentOS] problem with bind???

2009-02-21 Thread RobertH

> Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query
> (cache) './NS/IN' denied
>
> now in my firewall I tried to block this IP but the messages
> don't stop
>
> I also upgraded bind to version bind-9.3.4-6.0.3.P1.el5_2 but to
> no avail, the problem is still there
>
>
> I'd just like to know what this problem is and how I could solve it
>
> is there a problem with my DNS server
>
> thanks and regards
>
> appreciate your kind help
>
>
> fabian

fabian, 

you might try something like the bad-guys acl I set up a long time ago in
named.conf

change the IPs as you see fit



// Default named.conf generated by install of bind-9.2.4-2
//
// r.initials August 29 2005
//
acl bad-guys {
    201.114.231.0/24;
    201.114.236.0/24;
};
logging {
    category lame-servers { null; };
};
options {
    version "Bind";
    directory "/var/named"; // working directory
    listen-on { 127.0.0.1; redactedx.y.z.a; };
    listen-on-v6 { none; };
    allow-transfer { redactedx.y.z.a; redactedx.y.z.b; };
    blackhole { bad-guys; };
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    // pid-file "named.pid";   // Put pid file in working dir
    allow-query { any; };   // This is the default
    recursion yes; // Do provide recursive service  or not???
};
include "/etc/rndc.key";

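A blackhole acl like the one in Robert's named.conf makes named silently ignore queries from the listed addresses, so it only helps if the list is right, and a list scraped from logs can easily pick up your own resolver or a private range. The script below is an added example written for this thread, not Robert's configuration and not anything shipped with BIND: it validates a list of addresses or CIDRs, refuses anything that overlaps a protected set (loopback, RFC 1918 and link-local space, plus two constructed 192.0.2.x addresses standing in for the redacted listen-on addresses), collapses the rest into the fewest CIDRs, and renders the acl block in named.conf syntax for use with `blackhole { bad-guys; };`. One caveat on the posted options: with `recursion yes;`, `allow-query { any; };` and no `allow-recursion` restriction, named answers recursive queries for everyone who is not in the blackhole, so the acl alone does not close an open resolver.

```python
import ipaddress

# Ranges the acl must never contain, whatever the logs say: loopback, RFC 1918
# and link-local space, plus the server's own listen-on addresses. The two
# 192.0.2.x entries are constructed stand-ins for the "redactedx.y.z.a/b"
# addresses in the posted named.conf; replace them with your real ones.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
    "192.0.2.53/32", "192.0.2.54/32",
)]


def build_bad_guys_acl(sources, protected=PROTECTED, name="bad-guys"):
    """Return (acl_text, skipped) for a list of IPs/CIDRs.

    Each source is validated; anything malformed or overlapping a protected
    range goes into `skipped` with a reason. The rest is collapsed into the
    smallest set of CIDRs (e.g. 201.114.231.5 disappears into 201.114.231.0/24)
    and rendered as a named.conf acl block.
    """
    nets, skipped = [], []
    for src in sources:
        try:
            net = ipaddress.ip_network(src.strip(), strict=False)
        except ValueError:
            skipped.append((src, "not a valid address or network"))
            continue
        clash = next((p for p in protected
                      if p.version == net.version and p.overlaps(net)), None)
        if clash is not None:
            skipped.append((src, f"overlaps protected {clash}"))
            continue
        nets.append(net)
    # collapse_addresses only accepts one address family at a time.
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    lines = [f"acl {name} {{"]
    lines += [f"    {n.with_prefixlen};" for n in v4 + v6]
    lines.append("};")
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    # Constructed input: Robert's two ranges, the address from Fabian's log, a
    # host already covered by one of the ranges, and two entries that must be refused.
    acl, skipped = build_bad_guys_acl([
        "201.114.231.0/24", "201.114.236.0/24", "62.109.4.89",
        "201.114.231.5", "127.0.0.1", "192.0.2.53",
    ])
    print(acl)
    for src, why in skipped:
        print(f"skipped {src}: {why}")
```

Paste the printed block into named.conf above `options` and keep `blackhole { bad-guys; };` in options; after an `rndc reload` queries from those addresses are no longer answered, which is why the denied messages stop. The script returns the text rather than writing the file so it can be reviewed before anything touches a running server.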