loads of Query denied... is it an attack or a misconfiguration?
David Forrest
drf at maplepark.com
Wed Feb 11 15:10:46 UTC 2009
On Wed, 11 Feb 2009, Matthew Huff wrote:
> I've been aware of this problem since it first came up on this and nanog's
> list, but I'm having some configuration issues trying to make the upward
> referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS
> queries being answered in the log:
>
> 11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
> 11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
> 11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
> 11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
> 11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
> 11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
> 11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +
>
> My config follows, any suggestion?
>
> options {
>     directory "/var/named";
>     pid-file "/var/named/named.pid";
>     statistics-file "/var/named/named.stats";
>     memstatistics-file "/var/named/named.memstats";
>     dump-file "/var/adm/named.dump";
>     zone-statistics yes;
>
>     notify no;
>
>     transfer-format many-answers;
>     max-transfer-time-in 60;
>     interface-interval 0;
>
>     recursion no;
>
>     allow-transfer { xfer; };
>     allow-query { none; };
>     allow-recursion { none; };
>
>     additional-from-auth no;
>     additional-from-cache no;
> };
>
> view "internal-in" in {
>     match-clients { trusted; };
>     recursion yes;
>     additional-from-auth yes;
>     additional-from-cache yes;
>     allow-query { trusted; };
>     allow-recursion { trusted; };
>     allow-query-cache { trusted; };
>
>     zone "." in {
>         type hint;
>         file "db.cache";
>     };
>
>     zone "0.0.127.in-addr.arpa" in {
>         type master;
>         file "master/db.127.0.0";
>         allow-query {
>             any;
>         };
>         allow-transfer { none; };
>     };
>
>     zone "foo.com" in {
>         type master;
>         file "master/db.foo";
>     };
>
>     ...
>     ...
>     ...
>
> };
>
> view "external-in" in {
>     match-clients { any; };
>     recursion no;
>
>     allow-transfer { xfer; };
>     allow-query { none; };
>     allow-recursion { none; };
>
>     additional-from-auth no;
>     additional-from-cache no;
>
>     zone "." in {
>         type hint;
>         file "db.cache";
>     };
>
>     zone "foo.com" in {
>         type master;
>         file "master/db.foo";
>         allow-query { any; };
>     };
>
>     ...
>     ...
>     ...
> };
>
Matthew, the querylog shows what was queried. To see what is answered, try
digging your external interface.
Here is my external view:
view "external" { // Primary nameserver for maplepark.com.
    match-clients { any; };
    recursion no;
    additional-from-cache no;
    // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
    zone "maplepark.com" {
        type master;
        notify yes;
        allow-transfer { slave-name-servers; };
        file "/var/named/drf/external/maplepark.com.external.";
    };
    zone "." { type hint; file "named.ca"; }; // Update this hint by: /usr/local/sbin/update-root-cache
};
And the result of the external query:
[drf at maplepark ~]$ dig +bufsize=4096 @64.216.205.121 . NS
; <<>> DiG 9.6.0-P1 <<>> +bufsize=4096 @64.216.205.121 . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; Query time: 0 msec
;; SERVER: 64.216.205.121#53(64.216.205.121)
;; WHEN: Wed Feb 11 08:53:04 2009
;; MSG SIZE rcvd: 28
[drf at maplepark ~]$
Note that the status is "REFUSED" and MSG SIZE is 28 bytes.
And the querylog has this:
11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E
Try digging. AFAICT your conf should return REFUSED.
Dave
--
David Forrest e-mail drf at maplepark.com
Maple Park Development Corporation http://www.maplepark.com
St. Louis, Missouri
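The point Dave makes above is that the querylog records every query that arrived, not what named answered, so the log alone cannot tell you whether upward referrals are still being handed out. What the log can do is show who is sending out-of-zone and root NS queries at an authoritative-only view. The script below is an added example, not code from the thread or from BIND: it parses querylog lines in the 9.6 format quoted in the thread (the sample lines are constructed, modelled on those in the message), decodes the trailing flag string, and tallies per-client out-of-zone and ". IN NS" queries against a list of zones the view is authoritative for (here the `foo.com` from Matthew's config). The threshold and the list of zones are assumptions for the demonstration.

```python
"""Triage a BIND 9 querylog for out-of-zone and root-NS queries.

Added example, not part of the thread. The line format follows the BIND 9.6
querylog entries quoted in the thread; the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines, modelled on the querylog entries in the thread.
SAMPLE_LOG = """\
11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
11-Feb-2009 09:36:40.001 queries: client 10.1.1.9#4123: view external-in: query: www.foo.com IN A -
11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E
"""

# BIND 9 querylog entry: timestamp, optional severity ("info:"), client ip#port,
# view name, qname, class, type and a flag string.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: (?:\w+: )?client (?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+)$"
)


def decode_flags(flags):
    """Decode the querylog flag string: a leading '+' means RD set, '-' RD clear;
    the letters that follow are S=TSIG-signed, E=EDNS present, T=over TCP,
    D=DO bit set, C=CD bit set."""
    rest = flags[1:]
    return {
        "rd": flags.startswith("+"),
        "tsig": "S" in rest,
        "edns": "E" in rest,
        "tcp": "T" in rest,
        "do": "D" in rest,
        "cd": "C" in rest,
    }


def parse_line(line):
    """Return a dict for one querylog line, or None if it is not a query entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = decode_flags(rec["flags"])
    return rec


def in_zone(qname, zones):
    """True if qname is at or below one of the zones this view serves."""
    q = qname.rstrip(".").lower()
    for zone in zones:
        z = zone.rstrip(".").lower()
        if q == z or q.endswith("." + z):
            return True
    return False


def summarize(log_text, zones):
    """Per-client counts of all queries, out-of-zone queries and '. IN NS' queries."""
    summary = defaultdict(lambda: {"total": 0, "out_of_zone": 0, "root_ns": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[rec["ip"]]
        s["total"] += 1
        if rec["qname"] == "." and rec["qtype"] == "NS":
            s["root_ns"] += 1
        if not in_zone(rec["qname"], zones):  # "." is never in zone
            s["out_of_zone"] += 1
    return dict(summary)


def suspects(summary, threshold):
    """Clients with at least `threshold` out-of-zone queries, busiest first."""
    hits = [(ip, s) for ip, s in summary.items() if s["out_of_zone"] >= threshold]
    hits.sort(key=lambda kv: (-kv[1]["out_of_zone"], kv[0]))
    return [ip for ip, _ in hits]


if __name__ == "__main__":
    # Assumed: the view is authoritative only for foo.com; threshold of 2 is arbitrary.
    summ = summarize(SAMPLE_LOG, ["foo.com"])
    for ip in suspects(summ, 2):
        s = summ[ip]
        print(f"{ip}: {s['out_of_zone']} out-of-zone of {s['total']} queries, "
              f"{s['root_ns']} root NS")
```

Two caveats when reading the output. First, a client that tops this list is the source address in the packet, which in a reflection attack is normally the spoofed victim rather than the attacker, so the list tells you who would be hit by your referrals, not who is sending them. Second, the count says nothing about what named returned; the confirmation is the `dig @server . NS` check Dave shows, where `status: REFUSED` with a 28-byte message means the referral is no longer being served.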