A server generates over 600GB of monthly traffic on a UDP port (while HTTP is under 1GB), so I ran tcpdump and I see a lot (over 10 per second or so) of DNS-related traffic that looks like this:
12:34:29.829750 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.829834 IP6 fe80::b9a5:34dd:a661:c8b2.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
12:34:29.829974 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.830523 IP localhost.localdomain.33178 > nscache2.leaseweb.net.domain: 41458+ PTR? 2.b.8.c.1.6.6.a.d.d.4.3.5.a.9.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
12:34:29.831602 IP nscache2.leaseweb.net.domain > localhost.localdomain.33178: 41458 NXDomain* 0/1/0 (125)
12:34:29.831624 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.833134 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS tinnie.arin.net., NS sec1.apnic.net., NS ns3.nic.fr., NS sec3.apnic.net., NS sns-pb.isc.org., NS pri.authdns.ripe.net. (3560)
12:34:29.833834 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postgirl.ripe.net. 200, MX postlady.ripe.net. 250, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS ns3.nic.fr., NS sec3.apnic.net., NS pri.authdns.ripe.net., NS tinnie.arin.net., NS sns-pb.isc.org., NS sec1.apnic.net. (3560)
12:34:29.834160 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS pri.authdns.ripe.net., NS ns3.nic.fr., NS sec1.apnic.net., NS tinnie.arin.net., NS sns-pb.isc.org., NS sec3.apnic.net. (3560)
12:34:29.836179 IP 145.97.20.167.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.836879 IP localhost.localdomain.domain > 145.97.20.167.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postgirl.ripe.net. 200, MX postlady.ripe.net. 250, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS tinnie.arin.net., NS pri.authdns.ripe.net., NS sec3.apnic.net., NS sec1.apnic.net., NS sns-pb.isc.org., NS ns3.nic.fr. (3560)
12:34:29.839662 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.839932 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.840673 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.840868 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS sec1.apnic.net., NS pri.authdns.ripe.net., NS sec3.apnic.net., NS sns-pb.isc.org., NS ns3.nic.fr., NS tinnie.arin.net. (3560)
12:34:29.840929 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.844602 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.845102 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postgirl.ripe.net. 200, MX postlady.ripe.net. 250, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS sns-pb.isc.org., NS sec3.apnic.net., NS sec1.apnic.net., NS ns3.nic.fr., NS pri.authdns.ripe.net., NS tinnie.arin.net. (3560)
12:34:29.845343 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS sec1.apnic.net., NS pri.authdns.ripe.net., NS ns3.nic.fr., NS sns-pb.isc.org., NS sec3.apnic.net., NS tinnie.arin.net. (3560)
12:34:29.845549 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postgirl.ripe.net. 200, MX postlady.ripe.net. 250, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS sec3.apnic.net., NS ns3.nic.fr., NS pri.authdns.ripe.net., NS sec1.apnic.net., NS tinnie.arin.net., NS sns-pb.isc.org. (3560)
12:34:29.845804 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS ns3.nic.fr., NS sec1.apnic.net., NS tinnie.arin.net., NS sec3.apnic.net., NS sns-pb.isc.org., NS pri.authdns.ripe.net. (3560)
- I don't recognize domains like avo.net.domain, postgirl or postlady; I only recognize "leaseweb.net" — Leaseweb is my hosting provider.
- Server ip is 82.192.75.xxx (in case it shows above).
I am hosting over 200 domains, but I suspect that some external users/servers are querying or attacking the DNS service, causing all the UDP traffic.
I think I misconfigured named.conf by setting wrong query or recursion values. The server's purpose is to host around 200 domains; it is not a dedicated DNS server and is not linked to other external servers or services.
What should I change in this named.conf? Should I replace "any" with "localhost" or "localnets"? Thank you.
BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.1
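options {
	// Listening on all interfaces is required: this host is the
	// authoritative server for the ~200 hosted domains.
	// listen-on port 53 { 127.0.0.1; };
	listen-on port 53 { any; };
	// listen-on-v6 port 53 { ::1; };
	listen-on-v6 port 53 { any; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// Authoritative answers must be reachable by everyone, so "any" is
	// correct here. Replacing it with "localhost" or "localnets" would stop
	// the rest of the Internet from resolving the hosted domains.
	// allow-query { localhost; };
	allow-query {
		any;
	};
	// Was "recursion yes". Combined with allow-query { any; } that made this
	// host an open recursive resolver: the capture shows outside sources
	// (avo.net, 145.97.20.167) repeatedly sending "ANY? ripe.net" queries of
	// 38 bytes and receiving 3560-byte answers for a zone this server does
	// not host -- consistent with abuse of an open resolver, and the likely
	// source of the UDP volume. An authoritative-only server should not
	// recurse for anyone; with recursion off those queries should get a
	// short REFUSED reply instead. The capture also shows this host doing
	// its own lookups through nscache2.leaseweb.net rather than itself, so
	// no local resolver is lost. If a local resolver is ever needed, prefer
	// "recursion yes;" plus allow-recursion { localhost; }; and
	// allow-query-cache { localhost; }; over re-opening recursion to "any".
	recursion no;
	// The question states there are no other linked servers, so refuse zone
	// transfers (BIND otherwise allows them to anyone). If secondary servers
	// exist, list their addresses here instead of "none".
	allow-transfer { none; };
	dnssec-enable yes;
	// Validation only applies to recursive lookups; harmless with recursion off.
	dnssec-validation yes;
	dnssec-lookaside auto;
	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
};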
// Debug-level logging channel; the path is relative to the "directory"
// option above, so this writes /var/named/data/named.run.
logging {
channel default_debug {
file "data/named.run";
// "dynamic" follows the current debug level (set at runtime), so nothing
// is written at debug level 0.
severity dynamic;
};
};
// Root hints. These are only consulted when the server recurses on behalf
// of a client; on an authoritative-only server they are unused but harmless.
zone "." IN {
type hint;
file "named.ca";
};
// Standard localhost/loopback reverse zones shipped with the distribution package.
include "/etc/named.rfc1912.zones";
// Root DNSSEC trust anchor, used by dnssec-validation (recursive lookups only).
include "/etc/named.root.key";
// some includes here that contain zones like this:
// One of the ~200 hosted zones; this server is the primary (master) for it.
zone "coilover.info" IN {
type master;
file "/var/named/named_include/coilover.info";
// No dynamic updates (RFC 2136) are accepted for this zone. Zone transfers
// are governed by the global allow-transfer setting (or a per-zone one).
allow-update { none; };
};