
Going through my logs, I just realized some part of my server might be compromised. Although I'm not an expert on Bind 9, I'm not sure what to correct in order to prevent this:

Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.gamasutra.com/A/IN': 2001:4800:7814:0:5008:8553:ff04:b151#53
Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/A/IN': 2607:f208:302::2d#53
Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'gyogynovenyek-gyogyteak.com/A/IN': 2607:f0d0:1101:16f::6#53
Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/AAAA/IN': 2607:f208:302::2d#53
Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/A/IN': 2607:f208:206::2d#53
Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/AAAA/IN': 2607:f208:206::2d#53
Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'gyogynovenyek-gyogyteak.com/AAAA/IN': 2607:f0d0:1101:16f::6#53
Oct 24 14:16:51 ip151 named[54864]: validating @0x7f4e1405ce60: www.gamasutra.com A: no valid signature found
Oct 24 14:16:51 ip151 named[54864]:  validating @0x7f4e1c5befc0: gamasutra.com SOA: no valid signature found
Oct 24 14:16:51 ip151 named[54864]:  validating @0x7f4e2008e200: www.gamasutra.com NSEC: no valid signature found
Oct 24 14:16:54 ip151 named[54864]: error (network unreachable) resolving 'www.utrinski.mk/A/IN': 2001:678:1::2#53
Oct 24 14:16:54 ip151 named[54864]: error (network unreachable) resolving 'www.utrinski.mk/AAAA/IN': 2001:678:1::2#53
Oct 24 14:16:54 ip151 named[54864]: error (network unreachable) resolving 'www.utrinski.mk/A/IN': 2001:628:453:bb::4#53
Oct 24 14:16:54 ip151 named[54864]: error (network unreachable) resolving 'www.utrinski.mk/AAAA/IN': 2001:628:453:bb::4#53
Oct 24 14:16:54 ip151 named[54864]: error (connection refused) resolving 'www.utrinski.mk/A/IN': 194.149.137.168#53
Oct 24 14:16:54 ip151 named[54864]: error (connection refused) resolving 'www.utrinski.mk/AAAA/IN': 194.149.137.168#53
Oct 24 14:16:59 ip151 named[54864]: validating @0x7f4e241324c0: www.biblioteksforeningen.org AAAA: no valid signature found
Oct 24 14:16:59 ip151 named[54864]: validating @0x7f4e0ccf4060: www.biblioteksforeningen.org A: no valid signature found
Oct 24 14:16:59 ip151 named[54864]: validating @0x7f4e0ccf4060: biblioteksforeningen.org A: no valid signature found
Oct 24 14:17:04 ip151 named[54864]: error (network unreachable) resolving 'dsac.cn/DS/IN': 2001:dc7::1#53

It seems like my server is being spammed with name resolutions from unknown people. If I understood correctly, what I need to do is set up my server to be private in some way.

I'm deeply sorry if I'm not using the correct terminology, I'm just trying to solve this thing quickly before it becomes a real problem for the sites I host.

Thank you

Update 1: the result of route -6 is:

Destination                    Next Hop                   Flag Met Ref Use If
[::]/96                        [::]                       !n   1024 0     0 lo
0.0.0.0/96                     [::]                       !n   1024 0     0 lo
2002:x00::/24                  [::]                       !n   1024 0     0 lo
2002:xf00::/24                 [::]                       !n   1024 0     0 lo
2002:x9fe::/32                 [::]                       !n   1024 0     0 lo
2002:xc10::/28                 [::]                       !n   1024 0     0 lo
2002:x0a8::/32                 [::]                       !n   1024 0     0 lo
2002:x000::/19                 [::]                       !n   1024 0     0 lo
3ffe:xfff::/32                 [::]                       !n   1024 0     0 lo
[::]/0                         [::]                       !n   -1  113233992 lo
localhost/128                  [::]                       Un   0   116069755 lo
ipxxx.ip-17x-3x-4x.eu/128      [::]                       Un   0   1 14444 lo
ff00::/8                       [::]                       U    256 0     0 ens18
[::]/0                         [::]                       !n   -1  113233992 lo

UPDATE 2

I've simply modified the named.conf file with the following change (everything is clearly explained in the file, I should have looked there first):

options {
    listen-on port 53 {
        any;
        };
//  listen-on-v6 port 53 {
//      any;
//      }; 

I commented out the last 3 lines, since I don't handle any IPv6 on my websites.

I also modified this line from yes to no:

/* 
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
   recursion. 
 - If your recursive DNS server has a public IP address, you MUST enable access 
   control to limit queries to your legitimate users. Failing to do so will
   cause your server to become part of large scale DNS amplification 
   attacks. Implementing BCP38 within your network would greatly
   reduce such attack surface 
*/
    recursion no;

It doesn't seem to impact any of my sites. As a result, my logs now look like this:

Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (www.dunyadinleri.com): query (cache) 'www.dunyadinleri.com/AAAA/IN' denied
Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (www.dunyadinleri.com): query (cache) 'www.dunyadinleri.com/A/IN' denied
Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#17750 (ujquery.org): query (cache) 'ujquery.org/A/IN' denied
Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#17750 (ujquery.org): query (cache) 'ujquery.org/AAAA/IN' denied
Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (adsl.aruba.it): query (cache) 'adsl.aruba.it/A/IN' denied
Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (adsl.aruba.it): query (cache) 'adsl.aruba.it/AAAA/IN' denied
Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (www.microscopy-uk.org.uk): query (cache) 'www.microscopy-uk.org.uk/A/IN' denied
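A way to read the two kinds of lines in this question, as an added example that is not part of the original post: the "error (...) resolving" messages mean named itself went out to recurse on some client's behalf, while the "query (cache) ... denied" messages mean recursion was refused. Grouping the denied queries by client address shows whether the remaining askers are local processes (127.0.0.1 above) or outside hosts. The regex group names and the 203.0.113.9 client are my own; the sample is constructed from lines in the question plus that one made-up entry.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Patterns match the two named message shapes quoted in the question; group names are mine.
RESOLVE_ERR = re.compile(r"error \((?P<reason>[^)]+)\) resolving '[^']+': (?P<server>[0-9A-Fa-f:.]+)#\d+")
DENIED = re.compile(r"client (?P<client>[0-9A-Fa-f:.]+)#\d+ \([^)]*\): query \(cache\) '[^']+' denied")

def assess(lines):
    """Summarise a named log: outbound recursion attempts vs. denied cache queries per client."""
    outbound = Counter()   # (upstream IP version, failure reason) -> count
    denied = Counter()     # client address -> denied query count
    for line in lines:
        m = RESOLVE_ERR.search(line)
        if m:
            outbound[(ip_address(m.group("server")).version, m.group("reason"))] += 1
            continue
        m = DENIED.search(line)
        if m:
            denied[m.group("client")] += 1
    return {
        "recursion_attempts": sum(outbound.values()),   # named went out to resolve for someone
        "v6_unreachable": outbound[(6, "network unreachable")],
        "denied_total": sum(denied.values()),
        # Non-loopback clients still hitting the cache are the ones worth identifying.
        "denied_from_remote": {c: n for c, n in denied.items() if not ip_address(c).is_loopback},
    }

# Constructed sample: lines from the question plus one made-up remote client (203.0.113.9).
SAMPLE = [
    "Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.gamasutra.com/A/IN': 2001:4800:7814:0:5008:8553:ff04:b151#53",
    "Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/A/IN': 2607:f208:302::2d#53",
    "Oct 24 14:16:54 ip151 named[54864]: error (connection refused) resolving 'www.utrinski.mk/A/IN': 194.149.137.168#53",
    "Oct 24 14:16:51 ip151 named[54864]: validating @0x7f4e1405ce60: www.gamasutra.com A: no valid signature found",
    "Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (www.dunyadinleri.com): query (cache) 'www.dunyadinleri.com/AAAA/IN' denied",
    "Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#17750 (ujquery.org): query (cache) 'ujquery.org/A/IN' denied",
    "Oct 24 15:11:02 ip151 named[40819]: client 203.0.113.9#4242 (example.test): query (cache) 'example.test/A/IN' denied",
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against the real file with `assess(open("/var/log/messages"))`; a non-empty denied_from_remote after the fix tells you which outside hosts were using the box as a resolver.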

3 Answers

Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.gamasutra.com/A/IN': 2001:4800:7814:0:5008:8553:ff04:b151#53

Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/A/IN': 2607:f208:302::2d#53

Hmm, I see that it is happening only for requests coming from IPv6 source addresses. So I think your server is listening for requests on an IPv6 address, but is not able to reach them or send them replies (network unreachable). And I am pretty sure that it may be happening due to the absence of a default gateway or a default route.

So check for the following; run:

route -6

You should see something like

::/0                           2001:xxxx:xxxx:196::1      UG   1024 8   874 eth0

If there is no ::/0 route then this is the problem (absence of a default route), hence it is not able to send replies to IPv6 queries.

Update:

Destination                    Next Hop                   Flag Met Ref Use If
[::]/96                        [::]                       !n   1024 0     0 lo
0.0.0.0/96                     [::]                       !n   1024 0     0 lo
2002:x00::/24                  [::]                       !n   1024 0     0 lo
2002:xf00::/24                 [::]                       !n   1024 0     0 lo
2002:x9fe::/32                 [::]                       !n   1024 0     0 lo
2002:xc10::/28                 [::]                       !n   1024 0     0 lo
2002:x0a8::/32                 [::]                       !n   1024 0     0 lo
2002:x000::/19                 [::]                       !n   1024 0     0 lo
3ffe:xfff::/32                 [::]                       !n   1024 0     0 lo
[::]/0                         [::]                       !n   -1  113233992 lo
localhost/128                  [::]                       Un   0   116069755 lo
ipxxx.ip-17x-3x-4x.eu/128      [::]                       Un   0   1 14444 lo
ff00::/8                       [::]                       U    256 0     0 ens18
[::]/0                         [::]                       !n   -1  113233992 lo

Well, as I said, there is no default route, hence they are able to reach you but you are not able to reach them. Again, if you don't want these queries to come, you have three options:

  • block 53 port in ip6tables
  • disable ipv6 address on interface
  • remove ipv6 address from interface

Choose whichever option suits (as you said, you are running a web server, not DNS); otherwise you are leaving your system very vulnerable!

Anirudh Malhotra
  • Well I'm quite glad that I'm not sending any answer to these requests since these are not mine. – None Oct 24 '16 at 12:37
  • But I would suggest you either remove the IPv6 address so that it becomes less vulnerable to attacks (especially after Dyn ;) ) or simply stop listening on the IPv6 address using *OPTIONS* in BIND. – Anirudh Malhotra Oct 24 '16 at 12:45
  • I've updated my OP and I think I've deactivated it with the line I commented out. – None Oct 24 '16 at 13:31
  • If my answer helped you in getting what you wanted, you may mark it as answered or helpful! Thanks – Anirudh Malhotra Oct 24 '16 at 13:46

Blocking incoming UDP traffic on port 53 (DNS) should do the trick for you.
In order not to reiterate what has been said already, look at Why would a university block incoming UDP traffic with destination port 53?

fragamemnon

From your log I don't see that much traffic. Anyway, in case you want to offer DNS service only to some clients, just use named ACLs.

For more info on how to do this, check this answer:

bind would not work unless allow-query is "any"

Fredi
  • I don't want to use any DNS service. I just host websites. 20 requests in 10 seconds seems to be a lot for me. – None Oct 24 '16 at 12:41
  • What I meant was, if your DNS is only for your local machines, then allow only those to query it, using ACLs and/or, as in @fragamemnon's answer, allow only your machines to access named – Fredi Oct 24 '16 at 12:46
  • Oh, maybe I was not clear in my post. It is a webserver used to host websites only. – None Oct 24 '16 at 12:47
  • I got that, but what are you using your DNS server for? – Fredi Oct 24 '16 at 13:50
  • It came by default in my CentOS webhosting installation. I thought it was mandatory to handle email resolution? But I could be wrong. – None Oct 24 '16 at 13:56
  • Nope, you can use an upstream DNS, or whatever, no need to have named even installed only for that :-) – Fredi Oct 24 '16 at 13:58
  • Oh well, I just deactivated BIND DNS and I feel relieved now :) All my DNS zones are configured with the domain registrar so I guess I'm good with it. – None Oct 24 '16 at 14:01
  • Indeed, the first thing I do is disable everything that's not needed. And BTW, managing a public DNS is tricky, leave that to your provider :-) – Fredi Oct 24 '16 at 14:11
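Putting the two changes from the question's Update 2 (recursion no, listen-on-v6 commented out) and this answer's ACL advice together, as an added example rather than code from the thread or from BIND: a small Python check of a named.conf options{} block that flags the open-resolver combination (recursion on with an effective recursion ACL of any) and an explicit listen-on-v6 any. The two sample configs are constructed, the statement parser is my own minimal one, and the fallback order for the recursion ACL follows the BIND 9 ARM as I understand it (allow-recursion, then allow-query-cache, then allow-query, then localnets plus localhost).

```python
import re

# One options{} statement: "key [port N] { block } ;" or "key value ;" (my own simplified grammar).
STMT = re.compile(r"([\w-]+)\s*(?:port\s+\d+\s*)?(?:\{([^}]*)\}|([^;{}]+))\s*;")

def parse_options(conf):
    """Return {statement: value} for options{}, with /* */ and // comments stripped."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"//.*", "", conf)
    m = re.search(r"options\s*\{", conf)
    if not m:
        return {}
    depth, i = 1, m.end()                      # walk braces: listen-on {...} etc. nest inside
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    body = conf[m.end():i - 1]
    return {k: (blk if blk else val).strip() for k, blk, val in STMT.findall(body)}

def members(acl_value):
    return [t.strip() for t in acl_value.split(";") if t.strip()]

def findings(conf):
    """Risk findings for a host that should only be authoritative (empty list = fine)."""
    o = parse_options(conf)
    out = []
    # BIND 9 defaults as documented in the ARM: recursion yes; the recursion ACL falls back
    # to allow-query-cache, then allow-query, then localnets+localhost when none is set.
    acl = next((o[k] for k in ("allow-recursion", "allow-query-cache", "allow-query")
                if k in o), "localnets; localhost")
    if o.get("recursion", "yes") == "yes" and "any" in members(acl):
        out.append("open recursive resolver (recursion yes, recursion ACL any)")
    if "any" in members(o.get("listen-on-v6", "")):
        out.append("listen-on-v6 any: answers on every IPv6 address")
    return out

# Constructed samples: the first mirrors the thread's original state, the second the fix.
WEAK = """options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    allow-query { any; };
    recursion yes;
};"""
HARDENED = """options {
    listen-on port 53 { any; };
//  listen-on-v6 port 53 { any; };   /* commented out, as in the question's fix */
    allow-query { any; };            /* still answer for the zones we host */
    allow-recursion { localhost; };
    recursion no;
};"""
```

Feed it the real file with `findings(open("/etc/named.conf").read())`; for the final word on syntax, `named-checkconf` remains the tool to run.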