dns server is attacked
Mark Andrews
marka at isc.org
Thu Feb 4 00:52:50 UTC 2010
In message <b4a3339c1002031612n5fd6395dy258959f605adbb4e at mail.gmail.com>, Makara writes:
> Hi,
>
> I'm dns administrator, please give me an excuse if it's not the right place
> to ask the question. My dns server is attacked, below are the log
You are not being attacked. The zone 26.178.115.in-addr.arpa is
delegated to you but you are not configured to serve it.
26.178.115.in-addr.arpa. 86400 IN NS ns01.digi.com.kh.
26.178.115.in-addr.arpa. 86400 IN NS ns02.digi.com.kh.
You are seeing other nameservers performing reverse lookups on the
address in 26.178.115.in-addr.arpa. This will usually be because
you made a connection to a service which uses these servers for
reverse DNS lookups for access control or just logging where the
request came from.
Either remove the delegation or serve the 26.178.115.in-addr.arpa zone.
Mark
> Feb 4 06:26:29 ns01 named[7791]: client 204.194.238.15#42502:
query (cache) > '118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb
4 06:26:29 ns01 named[7791]: client 196.14.64.145#54363: query
(cache) > '118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4
06:26:29 ns01 named[7791]: client 66.33.216.129#58386: query (cache)
> '118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29
ns01 named[7791]: client 62.141.32.3#10049: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 203.220.10.226#27558: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 117.102.98.253#4696: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 208.69.34.8#52506: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 64.27.31.126#23550: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 195.25.5.65#49345: query (cache) >
'110.25.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 208.65.201.98#20322: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 82.108.95.210#2104: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 65.39.178.17#53701: query (cache) >
'200.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: FORMERR resolving ' > ns1.pendingrenewaldeletion.com/AAAA/IN':
205.178.190.51#53 > Feb 4 06:26:29 ns01 named[7791]: unexpected
RCODE (REFUSED) resolving ' > cheappaintballgunstore.com/A/IN':
74.53.26.66#53 > Feb 4 06:26:29 ns01 named[7791]: client
85.115.52.190#24528: query (cache) > '118.26.178.115.in-addr.arpa/PTR/IN'
denied > Feb 4 06:26:29 ns01 named[7791]: client 83.103.75.172#19067:
query (cache) > '118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb
4 06:26:29 ns01 named[7791]: client 66.119.189.138#63190: query
(cache) > '118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4
06:26:29 ns01 named[7791]: client 194.206.126.15#49858: query (cache)
> '118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29
ns01 named[7791]: client 72.232.214.226#10860: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: FORMERR resolving ' > ns2.pendingrenewaldeletion.com/AAAA/IN':
205.178.190.51#53 > Feb 4 06:26:29 ns01 named[7791]: client
83.243.8.6#26089: query (cache) > '118.26.178.115.in-addr.arpa/PTR/IN'
denied > Feb 4 06:26:29 ns01 named[7791]: client 97.64.179.210#19383:
query (cache) > '200.26.178.115.in-addr.arpa/PTR/IN' denied > Feb
4 06:26:29 ns01 named[7791]: client 81.4.88.10#24179: query (cache)
> '118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29
ns01 named[7791]: client 66.33.216.208#8796: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 66.119.189.138#34887: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > Feb 4 06:26:29 ns01
named[7791]: client 208.67.219.11#39638: query (cache) >
'118.26.178.115.in-addr.arpa/PTR/IN' denied > > > I'm using BIND
9.3.3rc2, any idea or advise how to solve the problem? it's >
response so slow and some time is not response > -- > The person
who loves others will also be loved. -- Mark Andrews, ISC 1 Seymour
St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742
INTERNET: marka at isc.org
More information about the bind-users
mailing list