loads of Query denied... is it an attack or a misconfiguration ?
Matthew Huff
mhuff at ox.com
Wed Feb 11 16:24:40 UTC 2009
Thanks to David Forrest, I realize now that the query IS being refused,
however nothing in the bind log shows the refusal. Is there any way to see
that in the log?
----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
> -----Original Message-----
> From: David Forrest [mailto:drf at maplepark.com]
> Sent: Wednesday, February 11, 2009 10:11 AM
> To: Matthew Huff
> Cc: 'bind-users at lists.isc.org'
> Subject: RE: loads of Query denied... is it an attack or a misconfiguration ?
>
> On Wed, 11 Feb 2009, Matthew Huff wrote:
>
> > I've been aware of this problem since it first came up on this and
> > nanog's list, but I'm having some configuration issues trying to make the
> > upward referral be refused. I'm running bind-9.6.0P1, but I'm still seeing
> > the NS queries being answered in the log:
> >
> > 11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
> > 11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
> > 11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
> > 11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
> > 11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
> > 11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
> > 11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +
> >
> > My config follows, any suggestion?
> >
> > options {
> >     directory "/var/named";
> >     pid-file "/var/named/named.pid";
> >     statistics-file "/var/named/named.stats";
> >     memstatistics-file "/var/named/named.memstats";
> >     dump-file "/var/adm/named.dump";
> >     zone-statistics yes;
> >
> >     notify no;
> >
> >     transfer-format many-answers;
> >     max-transfer-time-in 60;
> >     interface-interval 0;
> >
> >     recursion no;
> >
> >     allow-transfer { xfer; };
> >     allow-query { none; };
> >     allow-recursion { none; };
> >
> >     additional-from-auth no;
> >     additional-from-cache no;
> > };
> >
> > view "internal-in" in {
> >     match-clients { trusted; };
> >     recursion yes;
> >     additional-from-auth yes;
> >     additional-from-cache yes;
> >     allow-query { trusted; };
> >     allow-recursion { trusted; };
> >     allow-query-cache { trusted; };
> >
> >     zone "." in {
> >         type hint;
> >         file "db.cache";
> >     };
> >
> >     zone "0.0.127.in-addr.arpa" in {
> >         type master;
> >         file "master/db.127.0.0";
> >         allow-query {
> >             any;
> >         };
> >         allow-transfer { none; };
> >     };
> >
> >     zone "foo.com" in {
> >         type master;
> >         file "master/db.foo";
> >     };
> >
> >     ...
> >     ...
> >     ...
> >
> > };
> >
> > view "external-in" in {
> >     match-clients { any; };
> >     recursion no;
> >
> >     allow-transfer { xfer; };
> >     allow-query { none; };
> >     allow-recursion { none; };
> >
> >     additional-from-auth no;
> >     additional-from-cache no;
> >
> >     zone "." in {
> >         type hint;
> >         file "db.cache";
> >     };
> >
> >     zone "foo.com" in {
> >         type master;
> >         file "master/db.foo";
> >         allow-query { any; };
> >     };
> >
> >     ...
> >     ...
> >     ...
> > };
> >
> Matthew, the querylog shows what was queried. To see what is answered
> try digging your external interface.
>
> Here is my external view:
>
> view "external" { // Primary nameserver for maplepark.com.
>     match-clients { any; };
>     recursion no;
>     additional-from-cache no;
>     // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
>
>     zone "maplepark.com" {
>         type master;
>         notify yes;
>         allow-transfer { slave-name-servers; };
>         file "/var/named/drf/external/maplepark.com.external.";
>     };
>
>     zone "." { type hint; file "named.ca"; }; // Update this hint by: /usr/local/sbin/update-root-cache
> };
>
> And the result of the external query:
>
> [drf at maplepark ~]$ dig +bufsize=4096 @64.216.205.121 . NS
>
> ; <<>> DiG 9.6.0-P1 <<>> +bufsize=4096 @64.216.205.121 . NS
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;. IN NS
>
> ;; Query time: 0 msec
> ;; SERVER: 64.216.205.121#53(64.216.205.121)
> ;; WHEN: Wed Feb 11 08:53:04 2009
> ;; MSG SIZE rcvd: 28
>
> [drf at maplepark ~]$
>
> Note that the status is "REFUSED" and MSG SIZE is 28 bytes
>
> And the querylog has this:
> 11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E
>
> Try digging. AFAICT your conf should return REFUSED
>
> Dave
>
> --
> David Forrest e-mail drf at maplepark.com
> Maple Park Development Corporation http://www.maplepark.com
> St. Louis, Missouri
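As an added illustration (not code from either poster), the following Python parses querylog lines in the format quoted above and tallies the ". IN NS" probes per view and client, decoding the trailing flag field. The sample lines are constructed for the example; since the querylog only records what was asked, not the rcode named returned, confirming REFUSED still needs the dig check Dave describes.

```python
import re
from collections import Counter

# Constructed sample lines in the BIND 9 querylog format quoted in the thread
# (made up for this example, not taken from either poster's real log).
SAMPLE_LOG = """\
11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E
11-Feb-2009 09:40:00.000 queries: client 10.1.2.3#4000: view internal-in: query: www.foo.com IN A +E
"""

# Matches both the "queries: client ..." and "queries: info: client ..." variants.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: (?:info: )?client (?P<ip>[^#]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)$"
)

# Meaning of the characters in the trailing flag field of a BIND 9 query log line.
FLAG_NAMES = {"+": "RD", "-": "noRD", "E": "EDNS", "T": "TCP", "D": "DO", "C": "CD", "S": "TSIG"}


def parse_line(line):
    """Return a dict for one querylog line, or None if the line is not a query record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = [FLAG_NAMES.get(c, c) for c in rec["flags"]]
    return rec


def root_ns_queries(log_text):
    """Count '. IN NS' queries per (view, client IP): the upward-referral probes."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] == "." and rec["qclass"] == "IN" and rec["qtype"] == "NS":
            counts[(rec["view"], rec["ip"])] += 1
    return counts


if __name__ == "__main__":
    for (view, ip), n in root_ns_queries(SAMPLE_LOG).most_common():
        print(f"view {view}: {ip} sent {n} root NS queries")
```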