RE: DNS hits

2017-02-13 Thread Bonno Bloksma
Hi Glenn,

>> Actually the current Bind in stable is just a blessing in this respect.
>> It - by default- just allows recursion for localnet, localhost.
>
> This server is still Wheezy. The virtual websites didn't work on Jessie 
> Apache (I have no idea why yet).
> 
>> So if you don't mess with it at all it does the right thing automagically.
> 
>> Most likely if you remove anything you tried to configure in the options it
>> will work just the way you want.
>
> I'd already done what Eduardo suggested in his post (config BIND to allow 
> recursion from only a specified list of IPs), and all was well -- as soon as 
> I tested it properly.
>
> FWIW, I ran dnstop for a while. I saw quite a bit of my own server at first, 
> but over a few minutes, its output turned into a list of hits on my domains.
> Almost all from the 52, 54 area (AWS). I don't know, but I assume dnstop is 
> looking at packets before iptables processes them. If not, something is still 
> badly broken.

If you configure BIND to just respond to local requests then dnstop might still
see the requests coming from other ip numbers, BIND just might not respond to a
recursive query.
AFAIK iptables has nothing to do with this. You cannot block dns requests at 
the iptables level as it cannot distinguish between a request for your own 
domain, to which BIND should respond, and a recursive request for another 
domain, which BIND should ignore.

Bonno Bloksma



Re: DNS hits

2017-02-12 Thread Glenn English
> On Sat, Feb 11, 2017 at 2:07 PM, Henning Follmann <hfollm...@itcfollmann.com> wrote:
>
> Actually the current Bind in stable is just a blessing in this respect.
> It -by default- just allows recursion for localnet, localhost.
>

This server is still Wheezy. The virtual websites didn't work on Jessie
Apache (I have no idea why yet).


> So if you don't mess with it at all it does the right thing automagically.
>
> Most likely if you remove anything you tried to configure in the options it
> will work just the way you want.
>

I'd already done what Eduardo suggested in his post (config BIND to allow
recursion from only a specified list of IPs), and all was well -- as soon
as I tested it properly.


FWIW, I ran dnstop for a while. I saw quite a bit of my own server at
first, but over a few minutes, its output turned into a list of hits on my
domains. Almost all from the 52, 54 area (AWS). I don't know, but I assume
dnstop is looking at packets before iptables processes them. If not,
something is still badly broken.

Also FWIW, At github there's a very nice shell script that downloads, from
Amazon, a list of the nets in AWS, creates iptables DROP commands for them,
and enters the commands into your iptables filter. Takes a little futzing
to make it run on Wheezy, but it runs out of the box on Jessie:

https://github.com/corbanworks/aws-blocker/blob/master/aws-blocker


The router seems reasonably quiet right now. Maybe the script kiddies are
all at church, praying for their souls...

-- 
Glenn English
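An added example, not the aws-blocker script Glenn links to: the same idea (AWS publishes its address ranges as JSON; turn them into packet-filter rules) done with one ipset and a single iptables rule instead of several hundred DROP rules, plus the kind of per-source UDP/53 rate limit Glenn says his logwatch entries come from. One caveat the thread does not spell out: an authoritative server that drops all of AWS also drops the legitimate resolvers hosted there, so users behind those resolvers can no longer look up your domains. The JSON embedded below is a constructed sample shaped like the real file; the set name aws-nets and chain name DNS_FLOOD are arbitrary.

```sh
#!/bin/sh
# Added example, not the aws-blocker script from the thread. Turns the
# "ip_prefix" entries of AWS's published ip-ranges.json into one ipset plus
# a single iptables rule, and shows a per-source rate limit for UDP/53.
# SAMPLE_JSON is a constructed stand-in shaped like the real file; fetch the
# real one with: curl -s https://ip-ranges.amazonaws.com/ip-ranges.json

SAMPLE_JSON=$(cat <<'EOF'
{
  "syncToken": "0",
  "prefixes": [
    { "ip_prefix": "52.95.245.0/24",  "region": "us-east-1", "service": "AMAZON" },
    { "ip_prefix": "52.95.245.0/24",  "region": "us-east-1", "service": "EC2" },
    { "ip_prefix": "54.240.196.0/24", "region": "us-east-1", "service": "AMAZON" },
    { "ip_prefix": "52.94.0.0/22",    "region": "us-west-2", "service": "AMAZON" }
  ],
  "ipv6_prefixes": [
    { "ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON" }
  ]
}
EOF
)

# Extract IPv4 prefixes from ip-ranges.json on stdin, without jq (Wheezy
# has none). The file repeats a prefix under several services, so dedupe.
# The character class doubles as input validation: nothing but digits, dots
# and a slash can reach the commands built below.
aws_prefixes() {
    grep -o '"ip_prefix": *"[0-9./]*"' | sed 's/.*"\([0-9./]*\)"$/\1/' | sort -u
}

# One hash:net set and one rule consulting it, instead of hundreds of
# individual DROP rules that iptables would walk linearly for every packet.
# Caveat: if this host is authoritative for your zones, this also drops
# queries from legitimate resolvers hosted on AWS, so clients behind those
# resolvers can no longer look up your domains at all.
ipset_commands() {   # reads prefixes, one per line, on stdin
    echo 'ipset create aws-nets hash:net -exist'
    while IFS= read -r cidr; do
        if [ -n "$cidr" ]; then
            echo "ipset add aws-nets $cidr -exist"
        fi
    done
    echo 'iptables -I INPUT -p udp --dport 53 -m set --match-set aws-nets src -j DROP'
}

# Per-source rate limit for queries: the iptables side of the logwatch
# entries in the thread. Sources over the limit go to a chain that logs
# (throttled, so the log itself cannot be flooded) and drops. If this host
# is the victim of reflected traffic, every reflector is a distinct real
# source that may stay under the limit, so this helps less than it looks.
ratelimit_rules() {
    cat <<'EOF'
iptables -N DNS_FLOOD
iptables -A DNS_FLOOD -m limit --limit 5/min -j LOG --log-prefix "DNS-FLOOD "
iptables -A DNS_FLOOD -j DROP
iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-name dnsq \
    --hashlimit-mode srcip --hashlimit-srcmask 24 \
    --hashlimit-above 20/sec --hashlimit-burst 50 -j DNS_FLOOD
EOF
}

# "sh aws_dns_block.sh --print" shows the commands built from SAMPLE_JSON;
# pipe the real JSON in with "--stdin". Review the output, then run it as root.
case "${1-}" in
    --print) printf '%s\n' "$SAMPLE_JSON" | aws_prefixes | ipset_commands; ratelimit_rules ;;
    --stdin) aws_prefixes | ipset_commands ;;
esac
```

The set needs the ipset package and the xt_set match, both present from Wheezy onwards; re-run the extraction periodically, since the published ranges change.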


Re: DNS hits

2017-02-12 Thread Henning Follmann
On Sat, Feb 11, 2017 at 04:11:13PM -0700, Glenn English wrote:
> On Sat, Feb 11, 2017 at 2:07 PM, Henning Follmann wrote:
> 
> > On Sat, Feb 11, 2017 at 10:58:54AM -0700, Glenn English wrote:
> >
>
[...]
 
> Does your DNS answer recursive queries?
> >
> 
> Oh, my lord. I didn't think it did -- I tried to configure BIND to do
> recursion only from my net. I just tried it from an external IP, and sure
> enough, it gave me an address for www.abc.com. But I just saw another
> config option that turns recursion off completely.
> ...
> I turned it off, and as expected, there's no recursion -- from my net or
> anywhere else. Bears a little more looking into. Surely there's a way to
> get BIND to do this little trick. Hopefully without going to that
> public/private mess. BIND is a mixed blessing.
> 

Actually the current Bind in stable is just a blessing in this respect.
It -by default- just allows recursion for localnet, localhost.

So if you don't mess with it at all it does the right thing automagically.

Most likely if you remove anything you tried to configure in the options it
will work just the way you want.

[...]

-H

-- 
Henning Follmann   | hfollm...@itcfollmann.com



Re: DNS hits

2017-02-12 Thread Eduardo M KALINOWSKI
On 11-02-2017 21:11, Glenn English wrote:
>
> On Sat, Feb 11, 2017 at 2:07 PM, Henning Follmann wrote:
>
> Does your DNS answer recursive queries?
>
>
> Oh, my lord. I didn't think it did -- I tried to configure BIND to do
> recursion only from my net. I just tried it from an external IP, and
> sure enough, it gave me an address for www.abc.com. But I just saw another
> config option that turns recursion off completely.
> ...
> I turned it off, and as expected, there's no recursion -- from my net
> or anywhere else. Bears a little more looking into. Surely there's a
> way to get BIND to do this little trick. Hopefully without going to
> that public/private mess. BIND is a mixed blessing.

Naturally there is: in the options section (on Debian, in file
named.conf.options) put
allow-recursion {
  
};



-- 

My style is to encourage controversy and to stimulate people to say what they
think

--James Burke

Eduardo M KALINOWSKI
edua...@kalinowski.com.br
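An added example, not a configuration posted by anyone in this thread: a complete named.conf.options in the shape Eduardo describes, with the variant that most often produces an accidental open resolver beside it. The trap is BIND's documented fallback: an unset allow-recursion takes the value of allow-query-cache, and an unset allow-query-cache takes the value of allow-query, so an authoritative server that sets allow-query { any; } and leaves recursion at its default of yes recurses for the whole Internet. The acl name "trusted", the 192.0.2.0/24 range and the directory path are placeholders.

```sh
#!/bin/sh
# Added example for this thread, not a poster's config. Prints two
# named.conf.options variants for an authoritative BIND 9 server and checks
# them. 192.0.2.0/24 (RFC 5737 documentation range) stands in for the LAN.

# The accidental open resolver: allow-query is opened so the world can reach
# our zones, recursion is left at its default (yes), and because neither
# allow-recursion nor allow-query-cache is set, BIND 9.4+ derives both from
# allow-query. Result: recursion for everyone.
weak_options() {
cat <<'EOF'
options {
    directory "/var/cache/bind";
    allow-query { any; };   // recursion defaults to yes and inherits this ACL
};
EOF
}

# Corrected: name the networks that may recurse and pin the recursion ACLs to
# them. allow-query stays open so the zones we are authoritative for remain
# resolvable from anywhere; only lookups for other people's names are limited.
hardened_options() {
cat <<'EOF'
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;           // placeholder for the local network
};

options {
    directory "/var/cache/bind";
    allow-query       { any; };      // authoritative answers for everyone
    allow-recursion   { trusted; };  // recursive lookups for the LAN only
    allow-query-cache { trusted; };  // cached answers for the LAN only
    allow-transfer    { none; };     // list secondaries here explicitly
    version "not disclosed";
    // BIND 9.9.4+/9.10+: cap identical responses per client so the server is
    // a poor amplifier even for the names it does serve.
    // rate-limit { responses-per-second 5; window 5; };
};
EOF
}

# Does an options file bound recursion to something other than "any"?
# Reads the config on stdin; exits 0 when allow-recursion is present and is
# not "any", 1 when it is missing (BIND then falls back to allow-query) or open.
recursion_is_bounded() {
    grep 'allow-recursion[[:space:]]*{[^}]*}' | grep -vq 'any'
}

# Syntax-check a generated variant with named-checkconf when BIND is installed.
check_config() {   # usage: check_config hardened_options
    f=$(mktemp) || return 1
    "$1" > "$f"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$f"
        rc=$?
    else
        echo "named-checkconf not installed; skipping syntax check" >&2
        rc=0
    fi
    rm -f "$f"
    return $rc
}

# "sh bind_options.sh --print" prints the hardened file and syntax-checks it.
if [ "${1-}" = "--print" ]; then
    hardened_options
    check_config hardened_options
fi
```

After dropping the file into /etc/bind/named.conf.options and reloading, test from an address outside the "trusted" ACL, not from the LAN: from inside, a correctly limited server still recurses and looks open.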



Re: DNS hits

2017-02-11 Thread Glenn English
Sorry, Andy. Here's another try, but to the list...


On Sat, Feb 11, 2017 at 8:40 PM, Glenn English wrote:

>
>
> On Sat, Feb 11, 2017 at 6:33 PM, Andy Smith wrote:
>
> If your nameserver offered recursion then it was most likely scanned
>> and added to a list of such servers, and is now being used to take
>> part in distributed denial of service attacks.
>>
>
> I think I was wrong earlier. I did try from an external IP, but I used the
> wrong one.
>
> I tested again from a known alien IP, and I checked with a
> RecursiveNameserverTest on the 'Net. Both tests said I wasn't recursive.
> BIND's config is apparently doing what it said it was doing.
>
>
>> If the really large amount of traffic is appearing to come
>> from relatively few sources at any given time,
>
>
> No. It's not a small number of sources. There are 650 or so /15s and /16s
> at AWS, all of which are blocked, and several thousand around the world.
> (most in the US, though) A lot of those look like single hosts with just a
> few hits, so I tend to leave them alone, but others are several hosts on
> the same network. Those make it to the packet filter. I don't like Facebook
> and Microsoft anyway :-)
>
> But they just keep coming. And 'most anybody has a bigger pipe than I do.
> I think I may just be experiencing my first DDoS attack. Getting through
> the Cisco router configuration language was a lot easier and a lot more
> fun.
>
> As best I can tell from the replies I've received today, I've done things
> about as right as can be done in my situation. Just wait until they get
> tired of whacking an old T1, I guess...
>
> Thanks much, all.
>
> --
> Glenn English
>
>


Re: DNS hits

2017-02-11 Thread Andy Smith
Hi Glenn,

On Sat, Feb 11, 2017 at 04:11:13PM -0700, Glenn English wrote:
> Does your DNS answer recursive queries?
> >
> 
> Oh, my lord. I didn't think it did -- I tried to configure BIND to do
> recursion only from my net. I just tried it from an external IP, and sure
> enough, it gave me an address for www.abc.com. But I just saw another
> config option that turns recursion off completely.

If your nameserver offered recursion then it was most likely scanned
and added to a list of such servers, and is now being used to take
part in distributed denial of service attacks.

If the really large amount of traffic is appearing to come
from relatively few sources at any given time, then you may
actually be taking part in an attack on those apparent sources. The
attackers forge a victim's source address and make a DNS query to an
open resolver for a large record, then the resolver sends that
answer back to the forged source. This inflicts a large amount of
traffic on a third party, as there will be potentially many
thousands of open resolvers doing this all at once.

If on the other hand the really large amount of traffic is coming
from hundreds or thousands of different hosts at once then it is
more likely that you are the victim and they are the open resolvers.

If you're facilitating the DDoS then closing your open resolver
should fix it though not immediately, as they won't know that it
stopped working for a while.

Some more information about the denial of service attacks which use
open recursive nameservers:

http://www.securiteam.com/securityreviews/5GP0L00I0W.html

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: DNS hits

2017-02-11 Thread Igor Cicimov
On 12 Feb 2017 4:59 am, "Glenn English" wrote:

Is anyone else getting thousands of hits on DNS?

I am, largely from Amazon's AWS. I've emailed Amazon's abuse (from whois),
Amazon's customer support, and added all the IP nets to my packet filter.

But AWS isn't the whole problem -- just the worst offender. And my little
T1 has been, sometimes, DoS'ed by the hits. They are coming from IPs all
over the world, from different sources every day, so I can't ask my ISP to
block them in their big pipe.

Does anybody have any idea how to stop them?

-- 
Glenn English



Your best option is to configure the server as authoritative only and allow
recursion from your private network only (if you haven't done so already)


Re: DNS hits

2017-02-11 Thread Glenn English
On Sat, Feb 11, 2017 at 2:07 PM, Henning Follmann <hfollm...@itcfollmann.com> wrote:

> On Sat, Feb 11, 2017 at 10:58:54AM -0700, Glenn English wrote:
>
> Nothing about Debian.
>

No, but I've been a Debian user for several years, and the place I know to
ask to get to competent advice and such, is this list. And the server in
question is running Debian, FWIW.


> > Is anyone else getting thousands of hits on DNS?
>
> Hits how?
>

There's a rate limiter on DNS in my iptables packet filter. The hits I'm
talking about show up in logwatch as log entries from my packet filter --
all of which have exceeded the rate limit. Often vastly.


> Do you run a DNS server with openly available zones?
>

Not sure what an 'open zone' is.


> Not enough information.
> Install dnstop and check what these requests are.
> And then there are so many questions.
>

Very sorry about that, and in retrospect I see what you mean.

But in another post, Henning Follmann suggested what I think will solve my
problem: move my DNS server to my ISP.

Does your DNS answer recursive queries?
>

Oh, my lord. I didn't think it did -- I tried to configure BIND to do
recursion only from my net. I just tried it from an external IP, and sure
enough, it gave me an address for www.abc.com. But I just saw another
config option that turns recursion off completely.
...
I turned it off, and as expected, there's no recursion -- from my net or
anywhere else. Bears a little more looking into. Surely there's a way to
get BIND to do this little trick. Hopefully without going to that
public/private mess. BIND is a mixed blessing.


> How big are your zones?


40 or so lines in the zone files. Not very big.


> Do you have zones?
>

Sure. I own 3 domains and do a few virtuals.


> Do you allow zone transfers?
>

That I'm pretty sure I don't.  (I say 'pretty sure' because I was positive
I had recursion turned off for aliens.)


> Do you have multiple DNS servers running? Is your secondary seeing the same
> spike of traffic?
>

No, just one (setting up my servers in a new location). The plan is to hide
that one behind some firewalling (with recursion for the locals) and use
that nameserver from RIPE (that doesn't even know how to do recursion) as
slaves on the 'Net facing servers.

Or maybe get rid of the nameserver. But I do like the ability to go in and
modify things by myself and have it happen right now.

And it's not a spike -- it's (almost) continuous. I looked at the blinking
lights on the router just now, and it's pretty quiet. The script kiddies
must be taking a nap...

-- 
Glenn English


Re: DNS hits

2017-02-11 Thread Henning Follmann
On Sat, Feb 11, 2017 at 10:58:54AM -0700, Glenn English wrote:

Nothing about Debian.

Anyway...

> Is anyone else getting thousands of hits on DNS?

Hits how?
Do you run a DNS server with openly available zones?

> 
> I am, largely from Amazon's AWS. I've emailed Amazon's abuse (from whois),
> Amazon's customer support, and added all the IP nets to my packet filter.
> 
> But AWS isn't the whole problem -- just the worst offender. And my little
> T1 has been, sometimes, DoS'ed by the hits. They are coming from IPs all
> over the world, from different sources every day, so I can't ask my ISP to
> block them in their big pipe.
> 
> Does anybody have any idea how to stop them?
> 

Not enough information.
Install dnstop and check what these requests are.
And then there are so many questions.

Does your DNS answer recursive queries?
How big are your zones? Do you have zones?
Do you allow zone transfers?

Do you have multiple DNS servers running? Is your secondary seeing the same
spike of traffic?


-H


-- 
Henning Follmann   | hfollm...@itcfollmann.com



Re: DNS hits

2017-02-11 Thread Steve Kemp
On Sat Feb 11, 2017 at 10:58:54 -0700, Glenn English wrote:

>Is anyone else getting thousands of hits on DNS?

  Yes, but that's because I host DNS for popular domains.

>But AWS isn't the whole problem -- just the worst offender. And my little
>T1 has been, sometimes, DoS'ed by the hits. They are coming from IPs all
>over the world, from different sources every day, so I can't ask my ISP to
>block them in their big pipe.

  It sounds like you're running your own DNS server on your instance.
 If that is the case, you might consider moving it to Amazon's route53
 infrastructure.  That would mean that your DNS wouldn't rely upon your
 personal machine, and you're already using AWS ..

  Failing that it might be that remote IPs are trying to exploit your
 server.  Have you tested you're not running an open-resolver, by
 accident?  You should (probably) be running DNS for only your chosen
 domains.

  But sadly, without more information, the best we can do is guess
 that you're being spidered and hammered for fun.  Reporting the abuse
 will likely make no difference, even though it should.

>Does anybody have any idea how to stop them?

  Stop hosting DNS on the machine, by moving it elsewhere.  Also
 sanity-check your configuration.  If this works, you'll have
 trouble, for example:

dig -t a example.com @your.ip.add.ress

Steve
-- 
# Git-based DNS host
https://dns-api.com/
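An added example, not a script posted in this thread, that mechanises the test Steve suggests and Glenn ran from an outside address: ask the server for a name it does not host and look at what comes back. It also computes the amplification factor that Andy's description turns on, the size of the reply relative to the query that provoked it, from the MSG SIZE line dig prints. ns.example.net and www.example.com are placeholders; the check_open_resolver function needs network access and dig, the other functions run on captured dig output.

```sh
#!/bin/sh
# Added example, not a poster's script. Two checks built on dig's text output:
# whether a nameserver recursed for a client that should not be allowed to,
# and how much larger its reply is than the query (the amplification a
# spoofed-source query to it yields). ns.example.net and the probe name are
# placeholders.

# Reads one dig run's output on stdin and prints a single word:
#   open-resolver  the server set RA (recursion available) and did not refuse
#   closed         REFUSED, or RA clear: the authoritative-only behaviour wanted
#   unknown        no header in the output (timeout, unreachable, not a resolver)
classify_dig_output() {
    out=$(cat)
    hdr=$(printf '%s\n' "$out" | grep '^;; ->>HEADER<<-' | head -n 1)
    if [ -z "$hdr" ]; then
        echo unknown
        return 0
    fi
    status=$(printf '%s\n' "$hdr" | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *' ra '*) ra=1 ;;
        *)        ra=0 ;;
    esac
    if [ "$status" = REFUSED ] || [ "$ra" -eq 0 ]; then
        echo closed
    else
        echo open-resolver
    fi
}

# Bytes dig reported receiving (";; MSG SIZE  rcvd: N"), from output on stdin.
rcvd_bytes() {
    sed -n 's/^;; MSG SIZE *rcvd: \([0-9]*\).*/\1/p' | head -n 1
}

# Amplification factor: response bytes over a minimal EDNS query for QNAME
# (12-byte header, the name as labels plus the terminating root label, 4 bytes
# of type and class, 11-byte OPT record). dig 9.11+ adds an EDNS COOKIE option
# unless run with +nocookie, so a real query is slightly larger and the true
# factor slightly lower than this estimate.
amplification_factor() {   # usage: amplification_factor RCVD_BYTES QNAME
    qsize=$((12 + ${#2} + 2 + 4 + 11))
    awk -v r="$1" -v q="$qsize" 'BEGIN { printf "%.1f\n", r / q }'
}

# Live probe (needs network and dig). Ask the server for a name it does not
# host; an authoritative-only server must not hand back an answer for it.
# Run it from an address outside your allow-recursion ACL: from inside the
# LAN a correctly limited server still recurses and looks open.
check_open_resolver() {   # usage: check_open_resolver ns.example.net [probe-name]
    dig +time=3 +tries=1 @"$1" "${2:-www.example.com}" A 2>/dev/null | classify_dig_output
}

if [ $# -gt 0 ]; then
    check_open_resolver "$@"
fi
```

A server that has just been closed will keep showing up on the attackers' lists for a while, as Andy notes, so re-run the probe after the change rather than trusting the traffic graph.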



DNS hits

2017-02-11 Thread Glenn English
Is anyone else getting thousands of hits on DNS?

I am, largely from Amazon's AWS. I've emailed Amazon's abuse (from whois),
Amazon's customer support, and added all the IP nets to my packet filter.

But AWS isn't the whole problem -- just the worst offender. And my little
T1 has been, sometimes, DoS'ed by the hits. They are coming from IPs all
over the world, from different sources every day, so I can't ask my ISP to
block them in their big pipe.

Does anybody have any idea how to stop them?

-- 
Glenn English