
BIND crashed once, and when I ran tail -f /var/log/messages I saw a massive number of log lines every second. Is this a DNS attack, or is there something wrong?

Sometimes I see a domain in the logs written like this: dOmAin.com (mixed upper and lower case). As you can see, there is only one domain in the logs, queried from many different IPs.

Oct 10 02:21:26 mail named[20831]: client 74.125.189.18#38921: query (cache) 'ns1.domain2.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 192.221.144.171#38833: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 74.125.189.17#42428: query (cache) 'ns2.domain2.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 192.221.146.27#37899: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 193.203.82.66#39263: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 8.0.16.170#59723: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 80.169.197.66#32903: query (cache) 'dOmAin.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 134.58.60.1#47558: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 192.221.146.34#47387: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 8.0.16.8#59392: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 74.125.189.19#64395: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 217.72.163.3#42190: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 83.146.21.252#22020: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 192.221.146.116#57342: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 193.203.82.66#52020: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 8.0.16.72#64317: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 80.169.197.66#31989: query (cache) 'dOmAin.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 74.125.189.18#47436: query (cache) 'ns2.domain2.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 74.125.189.16#44005: query (cache) 'ns1.domain2.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 85.132.31.10#50379: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 94.241.128.3#60106: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 85.132.31.10#59118: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 212.95.135.78#27811: query (cache) 'domain.com/A/IN' denied

/etc/resolv.conf

; generated by /sbin/dhclient-script
nameserver 4.2.2.4
nameserver 8.8.4.4

Bind config:

// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;

        allow-transfer { none; };
        allow-recursion { localnets; };
        //listen-on-v6 { any; };
        notify no;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
Zim3r
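To check, rather than eyeball, what the question describes (a burst of denied cache queries per second, one name queried from many source addresses, and mixed-case spellings of the same name), the following added script parses `query (cache) ... denied` lines in the format shown above and summarises them per second, per name and per source. It is an added example, not code from the question or from ISC; the log lines embedded in it are constructed in the same format as the poster's excerpt (not his full log), and the `burst_threshold` and `min_sources` values are assumptions to tune for your own traffic.

```python
import json
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the same format as the question's excerpt
# (not the poster's actual log): two seconds of denied cache queries.
SAMPLE_LOG = """\
Oct 10 02:21:26 mail named[20831]: client 74.125.189.18#38921: query (cache) 'ns1.domain2.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 192.221.144.171#38833: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 80.169.197.66#32903: query (cache) 'dOmAin.com/A/IN' denied
Oct 10 02:21:26 mail named[20831]: client 8.0.16.170#59723: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:27 mail named[20831]: client 192.221.146.27#37899: query (cache) 'domain.com/A/IN' denied
Oct 10 02:21:27 mail named[20831]: client 80.169.197.66#31989: query (cache) 'dOmAin.com/A/IN' denied
Oct 10 02:21:27 mail named[20831]: client 10.0.0.5#5353: query (cache) 'example.net/MX/IN' denied
"""

# Matches the BIND "query (cache) '<name>/<type>/<class>' denied" syslog line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied$"
)


def parse(lines):
    """Yield one dict per denied-cache-query line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def summarize(lines, burst_threshold=5, min_sources=3):
    """Aggregate denied queries: rate per second, distinct sources per name,
    and names that appear in more than one letter case."""
    events = list(parse(lines))
    per_second = Counter(e["ts"] for e in events)
    sources = defaultdict(set)   # lower-cased name -> set of client IPs
    mixed_case = Counter()       # lower-cased name -> count of non-lowercase spellings
    for e in events:
        name = e["qname"].lower().rstrip(".")
        sources[name].add(e["ip"])
        if e["qname"] != e["qname"].lower():
            mixed_case[name] += 1
    return {
        "total_denied": len(events),
        "peak_per_second": max(per_second.values(), default=0),
        # seconds in which the denied-query rate reached the (assumed) threshold
        "burst_seconds": sorted(ts for ts, n in per_second.items() if n >= burst_threshold),
        # names asked for by at least min_sources distinct client addresses
        "suspicious_names": sorted(n for n, ips in sources.items() if len(ips) >= min_sources),
        "mixed_case_names": sorted(mixed_case),
        "sources_per_name": {n: len(ips) for n, ips in sources.items()},
    }


if __name__ == "__main__":
    # Pass a syslog file as the first argument; otherwise the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(json.dumps(summarize(fh), indent=2))
    else:
        print(json.dumps(summarize(SAMPLE_LOG.splitlines()), indent=2))
```

On the real file, a large `peak_per_second` together with one entry in `suspicious_names` carrying dozens of distinct sources is the pattern of an open-resolver probe or reflection attempt, and the source addresses are then worth comparing against your own networks. Mixed case on its own is not evidence of anything: many resolvers randomise the case of query names (the "0x20" technique) to make spoofed answers harder, so `mixed_case_names` is there to fold those spellings into one count, not to flag them.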

2 Answers

Check this:

https://www.isc.org/software/bind/advisories/cve-2012-5166

http://www.h-online.com/open/news/item/BIND-DNS-server-updates-close-critical-hole-1727232.html

Zim3r
  • The link is broken. A short summary would be more appropriate instead of dead links :) – Mladen B. Jan 26 '20 at 23:03
  • Always useful to post a quoted snippet from the link and then the source as a link. Even if the page disappears, you'll have managed to capture the key meaning from it so later visitors to your answer have a shot at understanding what you were trying to say! – F1Linux Jun 09 '20 at 14:48

Try adding allow-query { any; }; to options.

Nikolaidis Fotis
  • Thanks, but isn't this suspicious? Many queries in one second, a small number of IPs repeating, and one domain? – Zim3r Oct 10 '12 at 06:59
  • Were the logs there before BIND's crash or after? If they were before, it could be a DoS. If they were after, maybe it's a cache renewal. Also, did you change anything before the crash or before renewing (thawing) BIND? I cannot explain why it suddenly decided to deny the queries. – Nikolaidis Fotis Oct 10 '12 at 07:07
  • Thanks. BIND crashed once and I restarted it. Sites are loading fine now and I didn't change anything; it's just a number of IPs querying the same domain. – Zim3r Oct 10 '12 at 07:14
  • If the domain is not yours and the clients are external, your server may be participating in an amplification attack. External clients (except for DNS slaves) should only have access to your domain data. Split DNS is one solution that can be applied. Substitute `localnets` for `any` in the above option. Apply the above as is to each of your zones. – BillThor Oct 10 '12 at 12:25
  • +1 Thanks @BillThor, but is replacing localnets with any safe? Won't this cause any security issues? – Zim3r Oct 13 '12 at 07:13
  • Use `localnets` instead of `any`. This will limit access to your `localnets` instead of allowing `any` source to query your cache. Neither should be a security issue, but `any` may allow amplification attacks to succeed. – BillThor Oct 13 '12 at 18:31
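As an added illustration of BillThor's point above (configuration written for this page, not taken from the question or from ISC), here is how the options block from the question can be tightened so that only local networks may use the resolver's cache, while a zone the server is authoritative for is still answerable by anyone. The zone name `example.com` and its file name are placeholders. `allow-query-cache` and `rate-limit` are real BIND 9 options (available from 9.4 and 9.9.4 respectively); when `allow-query-cache` is not set, BIND derives it from `allow-recursion`, which is why a global `allow-query { any; }` as in the answer above would expose every zone's data but not, by itself, the cache.

```conf
options {
        directory "/var/named";
        recursion yes;
        allow-recursion { localnets; };    // only local networks may ask us to recurse
        allow-query-cache { localnets; };  // only local networks may read cached answers
        allow-query { localnets; };        // default for any zone that does not override it
        allow-transfer { none; };
        notify no;
        // Throttle repeated identical answers to the same source (BIND >= 9.9.4);
        // limits what a reflection attempt can get out of the authoritative data.
        rate-limit { responses-per-second 5; };
};

// Zone this server is authoritative for (placeholder name): external
// clients legitimately need its records, so override the global default.
zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-query { any; };
        allow-update { none; };
};
```

With this layout the `query (cache) ... denied` lines in the question are the expected outcome for external addresses, and the remaining risk to watch in the logs is the volume of authoritative answers per source, which `rate-limit` caps.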