loads of Query denied... is it an attack or a misconfiguration ?

Matthew Huff mhuff at ox.com
Wed Feb 11 16:24:40 UTC 2009


Thanks to David Forrest, I realize now that the query IS being refused,
however nothing in the bind log shows the refusal. Is there any way to see
that in the log?

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



> -----Original Message-----
> From: David Forrest [mailto:drf at maplepark.com]
> Sent: Wednesday, February 11, 2009 10:11 AM
> To: Matthew Huff
> Cc: 'bind-users at lists.isc.org'
> Subject: RE: loads of Query denied... is it an attack or a
> misconfiguration ?
> 
> On Wed, 11 Feb 2009, Matthew Huff wrote:
> 
> > I've been aware of this problem since it first came up on this and
> > nanog's list, but I'm having some configuration issues trying to make
> > the upward referral be refused. I'm running bind-9.6.0P1, but I'm still
> > seeing the NS queries being answered in the log:
> >
> > 11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
> > 11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
> > 11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
> > 11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
> > 11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
> > 11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
> > 11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +
> >
> > My config follows, any suggestion?
> >
> > options {
> >    directory "/var/named";
> >    pid-file "/var/named/named.pid";
> >    statistics-file "/var/named/named.stats";
> >    memstatistics-file "/var/named/named.memstats";
> >    dump-file "/var/adm/named.dump";
> >    zone-statistics yes;
> >
> >    notify no;
> >
> >    transfer-format many-answers;
> >    max-transfer-time-in 60;
> >    interface-interval 0;
> >
> >    recursion no;
> >
> >    allow-transfer { xfer; };
> >    allow-query { none; };
> >    allow-recursion { none; };
> >
> >    additional-from-auth no;
> >    additional-from-cache no;
> > };
> >
> > view "internal-in" in {
> >  match-clients { trusted; };
> >  recursion yes;
> >  additional-from-auth yes;
> >  additional-from-cache yes;
> >  allow-query { trusted; };
> >  allow-recursion { trusted; };
> >  allow-query-cache { trusted; };
> >
> >  zone "." in {
> >    type hint;
> >    file "db.cache";
> >  };
> >
> >  zone "0.0.127.in-addr.arpa" in {
> >    type master;
> >    file "master/db.127.0.0";
> >    allow-query {
> >      any;
> >    };
> >    allow-transfer { none; };
> >  };
> >
> >  zone "foo.com" in {
> >    type master;
> >    file "master/db.foo";
> >   };
> >
> > ...
> > ...
> > ...
> >
> > };
> >
> > view "external-in" in {
> >  match-clients { any; };
> >  recursion no;
> >
> >  allow-transfer { xfer; };
> >  allow-query { none; };
> >  allow-recursion { none; };
> >
> >  additional-from-auth no;
> >  additional-from-cache no;
> >
> >  zone "." in {
> >    type hint;
> >    file "db.cache";
> >  };
> >
> >  zone "foo.com" in {
> >    type master;
> >    file "master/db.foo";
> >    allow-query { any; };
> >  };
> >
> > ...
> > ...
> > ...
> > };
> >
> Matthew, the querylog shows what was queried.  To see what is answered
> try digging your external interface.
> 
> Here is my external view:
> 
> view "external" {     // Primary nameserver for maplepark.com.
>          match-clients { any; };
>          recursion no;
>          additional-from-cache no;
> // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
> 
> zone "maplepark.com"{
>          type master;
>          notify yes;
>          allow-transfer { slave-name-servers; };
>          file "/var/named/drf/external/maplepark.com.external.";
>          };
> 
> zone "." { type hint; file "named.ca"; };  // Update this hint by: /usr/local/sbin/update-root-cache
> };
> 
> And the result of the external query:
> 
> [drf at maplepark ~]$ dig +bufsize=4096  @64.216.205.121 . NS
> 
> ; <<>> DiG 9.6.0-P1 <<>> +bufsize=4096 @64.216.205.121 . NS
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	NS
> 
> ;; Query time: 0 msec
> ;; SERVER: 64.216.205.121#53(64.216.205.121)
> ;; WHEN: Wed Feb 11 08:53:04 2009
> ;; MSG SIZE  rcvd: 28
> 
> [drf at maplepark ~]$
> 
> Note that the status is "REFUSED" and MSG SIZE is 28 bytes
> 
> And the querylog has this:
> 11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714:
> view external: query: . IN NS +E
> 
> Try digging. AFAICT your conf should return REFUSED
> 
> Dave
> 
> --
> David Forrest                     e-mail   drf at maplepark.com
> Maple Park Development Corporation  http://www.maplepark.com
> St. Louis, Missouri
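Added example, not code from either poster or from ISC: a small Python triage script for the two artefacts the thread relies on. It parses BIND 9 querylog lines in the format quoted above (with or without the `info:` severity field), decodes the trailing flag field, counts per-client queries for `. IN NS` in a given view, and reads the status, section counts and received size out of dig output to confirm that the server answers such queries with REFUSED and an empty response. The sample querylog and dig text are the lines from the thread, re-assembled here as constructed input; the names `parse_querylog`, `root_ns_probes`, `decode_flags`, `summarize_dig` and `refuses_upward_referral` are this example's own.

```python
"""Triage helpers for the BIND querylog and dig output discussed in the thread.
Example code written for this page, not the posters' or ISC's."""
import re
from collections import Counter

# Constructed sample: the querylog lines quoted in the thread, unwrapped, plus
# the reply's line, which carries the optional "info:" severity field.
SAMPLE_QUERYLOG = """\
11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +
11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E
"""

# Constructed sample: the dig header/footer lines from the reply.
DIG_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;.                              IN      NS
;; MSG SIZE  rcvd: 28
"""

# Querylog line: timestamp, category, optional severity, client, optional view,
# then the question and the flag field.
QUERYLOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: (?:\w+: )?"
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?:view (?P<view>\S+): )?"
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)$"
)


def decode_flags(flags):
    """Decode the querylog flag field: leading '+'/'-' is recursion desired or
    not; E = EDNS present, D = DNSSEC OK bit set, C = checking disabled."""
    return {
        "rd": flags[0] == "+",
        "edns": "E" in flags[1:],
        "do": "D" in flags[1:],
        "cd": "C" in flags[1:],
    }


def parse_querylog(text):
    """Return one dict per recognised querylog line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERYLOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec.update(decode_flags(rec["flags"]))
            records.append(rec)
    return records


def root_ns_probes(records, view=None):
    """Count queries for the root NS set ('. IN NS') per client, optionally in
    one view only. The querylog records only the question, so whether these
    were answered or REFUSED must be confirmed separately (see summarize_dig)."""
    counts = Counter()
    for r in records:
        if r["name"] == "." and r["qtype"] == "NS" and r["cls"] == "IN":
            if view is None or r["view"] == view:
                counts[r["ip"]] += 1
    return counts


def summarize_dig(text):
    """Extract rcode, section counts and received size from dig's output."""
    status = re.search(r"status: (\w+)", text)
    counts = re.search(
        r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)", text)
    size = re.search(r"MSG SIZE\s+rcvd: (\d+)", text)
    if not (status and counts and size):
        raise ValueError("dig header/footer not found")
    return {
        "status": status.group(1),
        "query": int(counts.group(1)), "answer": int(counts.group(2)),
        "authority": int(counts.group(3)), "additional": int(counts.group(4)),
        "msg_size": int(size.group(1)),
    }


def refuses_upward_referral(dig_text):
    """True when the server refused and sent no answer or authority records,
    i.e. no upward referral (root NS set) was handed out."""
    s = summarize_dig(dig_text)
    return s["status"] == "REFUSED" and s["answer"] == 0 and s["authority"] == 0


if __name__ == "__main__":
    recs = parse_querylog(SAMPLE_QUERYLOG)
    for ip, n in root_ns_probes(recs, view="external-in").most_common():
        print(f"{ip}: {n} root-NS queries in view external-in")
    print("dig summary:", summarize_dig(DIG_SAMPLE))
    print("upward referral refused:", refuses_upward_referral(DIG_SAMPLE))
```

The `queries` category only ever records the question, which is why the refusal is invisible there; BIND reports denials themselves under its `security` logging category, so a channel that captures that category is where a "denied" line would appear. Run the script against a real querylog by replacing `SAMPLE_QUERYLOG` with the file's contents and the dig text with the output of a dig against the external interface, as the reply suggests.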