23rd April 2013, 04:49, posted by supanatral
DoS Attack Against Bind

First and foremost, my ISPConfig server was setup exactly as shown in this tutorial: Perfect Server

For the past 36 hours, my ISPConfig server has been up and down like a basketball for no apparent reason. The server never restarted, no services failed, no logs that stood out to me, etc, etc.

After looking at our firewall, I found that there was a continuous 5mbps upload for DNS traffic alone!!

Many hours later, I found out that my DNS server had the "recursion" option enabled, which allowed anyone in the world to use my DNS server to look up any website it pleased rather than only responding to the DNS zones that I personally host.

After I disabled recursion, I found that the "/var/log/messages" log file was being inundated with lines like the following:
22-Apr-2013 21:32:05.973 client query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:12.731 client query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:13.595 client query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:14.565 client query (cache) 'isc.org/ANY/IN' denied
I realized very quickly that I was receiving anywhere between 100 and 750 DNS queries every second!! After much more research, I finally configured the application fail2ban to watch my DNS logs and ban any IP address after 3 failed DNS queries for a period of 5 minutes.

Here is how I did it:

Disabling Recursion

The first thing I found was that, by default, recursion was enabled on the bind server. I turned this off by editing the file /etc/named.conf, changing:
    recursion yes;
to:
    recursion no;

Configuring Fail2Ban
Firstly, make the bind log file
mkdir /var/log/named
chmod a+w /var/log/named
Next, edit /etc/named.conf and edit the logging options to show the following (the category block sends everything in the security category to the channel defined just above it):
    logging {
        channel security_file {
            file "/var/log/named/security.log" versions 3 size 30m;
            severity dynamic;
            print-time yes;
        };
        category security {
            security_file;
        };
    };
Restart Bind using:
/etc/init.d/named restart
OK, now to set up fail2ban. Edit the /etc/fail2ban/jail.conf file and change from:

enabled = false

to:

enabled = true

and from:

enabled = false

to:

enabled = true
Then restart fail2ban in the usual manner,
/etc/init.d/fail2ban restart


Last edited by supanatral; 23rd April 2013 at 05:07.
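The lines quoted in the post have lost the client address that BIND prints before "query (cache)", which is the field fail2ban keys on. The following is an added example, not code from the post or from fail2ban, that replays fail2ban's counting over such lines: it matches the security-channel "denied" format (the address format, including the optional "@0x..." handle and "(name)" tag that newer BIND 9.x releases add, is an assumption based on BIND's own logging, not shown on this page), counts refused queries per source address, and bans an address after 3 hits inside a window, as the post configures. The sample log is constructed for the example, with addresses from the 192.0.2.0/24 documentation range.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# BIND 9 security-category "denied" line with print-time on. The client address
# field is what fail2ban calls <HOST>; the "@0x..." handle and "(name)" parts are
# optional to cover newer 9.x releases (assumption, not shown in the thread).
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<host>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query \(cache\) '(?P<qname>[^']*)' denied\s*$"
)
# The same match written as a fail2ban filter.d entry would be:
#   failregex = ^.*client (?:@0x[0-9a-f]+ )?<HOST>#\d+(?: \([^)]*\))?: query \(cache\) '.*' denied\s*$

# Constructed sample input: the thread's lines with a client address put back,
# plus one AXFR-denied line that must NOT count as a refused query.
SAMPLE_LOG = """\
22-Apr-2013 21:32:05.973 client 192.0.2.10#53211: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 192.0.2.10#53212: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 192.0.2.10#53213: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:05.974 client 192.0.2.10#53214: query (cache) 'ripe.net/ANY/IN' denied
22-Apr-2013 21:32:12.731 client 192.0.2.77#1024: query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:13.595 client 192.0.2.77#1025: query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:45:14.565 client 192.0.2.77#1026: query (cache) 'isc.org/ANY/IN' denied
22-Apr-2013 21:32:20.000 client 192.0.2.5#40000: zone transfer 'example.com/AXFR/IN' denied
"""


def parse_ts(text):
    """BIND's print-time stamp, e.g. 22-Apr-2013 21:32:05.973."""
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")


def scan(log_text, maxretry=3, findtime=timedelta(minutes=10), bantime=timedelta(minutes=5)):
    """Replay fail2ban's counting: a host that accumulates `maxretry` refused
    queries inside a `findtime` window is banned for `bantime`.
    Returns {host: ban_start}. Lines are assumed to be in time order."""
    hits = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        if host in bans and ts < bans[host] + bantime:
            continue  # still banned: the firewall drops it, nothing new to count
        window = hits[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget hits older than findtime
        if len(window) >= maxretry:
            bans[host] = ts
            window.clear()
    return bans


def is_banned(bans, host, at, bantime=timedelta(minutes=5)):
    """True if `host` is inside its ban period at time `at`."""
    start = bans.get(host)
    return start is not None and start <= at < start + bantime


def query_names(log_text):
    """Names asked for in refused queries; repeated ANY queries for the same
    few names are the signature of an amplification attempt."""
    return sorted({m.group("qname") for m in map(DENIED_RE.match, log_text.splitlines()) if m})


if __name__ == "__main__":
    for host, start in sorted(scan(SAMPLE_LOG).items()):
        print(f"ban {host} from {start} for 5 minutes")
    print("refused names:", query_names(SAMPLE_LOG))
```

Running it bans 192.0.2.10 (four hits within a millisecond) but not 192.0.2.77, whose third hit falls 13 minutes after the first and so outside the 10-minute window; widening findtime to an hour bans both. Two caveats for anyone copying the setup: in a DNS amplification attack the source addresses in these lines are usually spoofed to the victim's, so the bans land on the reflection target rather than the attacker, and it is refusing recursion (so the server no longer returns large answers for names it is not authoritative for) that cuts the outbound traffic; and the log directory is better owned by the named user (chown named:named) than made world-writable, since fail2ban runs as root and can read it either way.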