#1  
Old 29th May 2013, 15:32
Unfaiir
HowtoForge Supporter
 
Join Date: Jul 2012
Location: Orange County, CA, USA
Posts: 43
Thanks: 14
Thanked 4 Times in 2 Posts
Bind isc.org IN ANY help?

I have been scouring the web for a solution to this issue with bind to no avail.

At various times throughout the day I will be bombarded with requests like:

Code:
May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.10#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 149.5.169.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.43#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.43#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.10#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 178.33.2.161#40494: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.43#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.10#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.43#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
I just can't seem to find a way to stop them. My question is, does ISPConfig 3 even need Bind running? I have free nameserver service where I register my domains so I'll just use that if there is no simple solution here, it's too much frustration for me.

Below is my /etc/named.conf file which I've tried to modify to block this before, which seemed to work at the time.. but now it's happening again. I guess what makes it so difficult is that it's a UDP attack and not a TCP, so the source IP is always just spoofed. Help?

Code:
include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

acl "trusted" {
 127.0.0.1;
};

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
        forwarders { 127.0.0.1; };
};

logging {
 channel security_file {
  file "/var/log/named/security.log" versions 3 size 30m;
  severity dynamic;
  print-time yes;
 };
 category security {
  security_file;
 };
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.conf.local";
__________________
We are not equal
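The log lines above are the one place this traffic is visible, so a small scanner over the query log is the practical detection step. The following is an added example (not code from the thread or from ISPConfig): it parses BIND 9.9-style query-log lines of the form shown in the post, reports which client addresses send ANY queries above a per-second threshold, and collects two hints that the sources are spoofed rather than real clients: many different addresses sharing one source port, and the EDNS/DO flags that make the reply large. The log sample, the RFC 5737 addresses and the threshold are constructed assumptions.

```python
"""Added example (not from the thread): scan a BIND query log for ANY-query
floods of the kind shown in the first post.

Assumptions: BIND 9.9-style query logging ("client IP#port: query: NAME
CLASS TYPE FLAGS (server-ip)") and an operator-chosen threshold of ANY
queries per source per second. The sample lines below are constructed.
"""
import re
from collections import Counter, defaultdict

# One query-log line. In the flags field "+" means recursion desired,
# "E" EDNS present, "D" DNSSEC-OK bit set, "T" TCP, "S" TSIG-signed, "C" CD bit.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[^)]+)\)\s*$"
)

# Constructed sample in the same format as the thread (documentation addresses).
SAMPLE_LOG = """\
May 29 06:19:17 server1 named[32513]: client 192.0.2.25#25345: query: isc.org IN ANY +ED (198.51.100.7)
May 29 06:19:17 server1 named[32513]: client 192.0.2.25#25345: query: isc.org IN ANY +ED (198.51.100.7)
May 29 06:19:17 server1 named[32513]: client 192.0.2.25#25345: query: isc.org IN ANY +ED (198.51.100.7)
May 29 06:19:17 server1 named[32513]: client 192.0.2.25#25345: query: isc.org IN ANY +ED (198.51.100.7)
May 29 06:19:17 server1 named[32513]: client 192.0.2.25#25345: query: isc.org IN ANY +ED (198.51.100.7)
May 29 06:19:17 server1 named[32513]: client 192.0.2.10#25345: query: isc.org IN ANY +ED (198.51.100.7)
May 29 06:19:17 server1 named[32513]: client 192.0.2.10#25345: query: isc.org IN ANY +ED (198.51.100.7)
May 29 06:19:18 server1 named[32513]: client 127.0.0.1#41002: query: example.com IN A +E (127.0.0.1)
May 29 06:19:18 server1 named[32513]: client 127.0.0.1#41003: query: isc.org IN ANY +E (127.0.0.1)
"""


def parse_line(line):
    """Return the fields of one query-log line, or None if it is not a query line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["edns"] = "E" in rec["flags"]
    rec["dnssec_ok"] = "D" in rec["flags"]
    return rec


def any_floods(lines, per_second_threshold=5):
    """Map each client address to its peak number of ANY queries within one
    second, keeping only the addresses that reach the threshold."""
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "ANY":
            continue
        per_second[(rec["ip"], rec["ts"])] += 1
    peak = defaultdict(int)
    for (ip, _ts), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= per_second_threshold}


def spoof_indicators(lines):
    """Aggregate facts that point to spoofed-source reflection traffic rather
    than genuine clients: how many ANY queries carry EDNS (large replies) and
    how many share a single source port across addresses."""
    ports = Counter()
    edns_any = 0
    total_any = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "ANY":
            continue
        total_any += 1
        ports[rec["port"]] += 1
        if rec["edns"]:
            edns_any += 1
    top_port, top_count = ports.most_common(1)[0] if ports else (None, 0)
    return {"any_queries": total_any, "edns_any_queries": edns_any,
            "top_source_port": top_port, "top_source_port_share": top_count}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in sorted(any_floods(lines).items()):
        # The flagged address is the spoofed source, i.e. the reflection
        # victim, so it is the wrong thing to block-list.
        print(f"{ip}: peak {n} ANY queries/s")
    print(spoof_indicators(lines))
```

Because the source addresses are forged, the flagged addresses identify the victims being reflected at, not the sender; the useful response is on the server side (not answering the Internet at all, or rate-limiting responses), and the scanner is there to tell you whether the problem has come back, as the poster observed it did.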
  #2  
Old 29th May 2013, 16:07
till
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,046
Thanks: 826
Thanked 5,388 Times in 4,233 Posts

If you don't want to host your own dns zones, then you can stop bind. ISPConfig does not require bind, it just supports bind.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
The Following User Says Thank You to till For This Useful Post:
Eleven Cool (30th May 2013)
  #3  
Old 29th May 2013, 16:15
SuperLOL
Junior Member
 
Join Date: May 2013
Posts: 18
Thanks: 0
Thanked 3 Times in 3 Posts

A long time ago I had this domain name.
  #4  
Old 30th May 2013, 22:14
Unfaiir
HowtoForge Supporter
 
Join Date: Jul 2012
Location: Orange County, CA, USA
Posts: 43
Thanks: 14
Thanked 4 Times in 2 Posts

Quote:
Originally Posted by till
If you don't want to host your own dns zones, then you can stop bind. ISPConfig does not require bind, it just supports bind.
Thanks. I just wanted to be sure it was ISPConfig safe. I spent days trying to stop that stupid attack to no avail and that stupid bot doing 20+ requests per second always to BIND was just unacceptable and probably would have got me blacklisted.

I can't believe nobody else has had this issue before on these forums? It seems to be a newer attack, maybe that is why? It's hard to even detect this attack if you aren't looking for it in the logs. It doesn't cause any noticeable performance hit on my system or show up as an error in the logs, but being blacklisted because of it would be no fun.

Since I don't use BIND at this time and it's ISPConfig safe, I've gone ahead and disabled it:
Code:
chkconfig named off
I have two related questions:

rndc is still running and giving the error:
Code:
rndc: connect failed: 127.0.0.1#953: connection refused
Is it ISPConfig safe to also disable rndc?

Is it ISPConfig safe to just do a
Code:
yum remove bind
?
__________________
We are not equal
  #5  
Old 30th May 2013, 23:32
monkfish
HowtoForge Supporter
 
Join Date: Mar 2013
Posts: 106
Thanks: 9
Thanked 15 Times in 14 Posts

Perhaps you might like to use bind as a caching nameserver for your hosts use instead of service provider's dns servers?

It may help with name resolution etc. If you do RBL lookups on incoming email, e.g. using SpamAssassin, and your DNS request goes to your provider, you may find it gets blocked due to oversubscription from the host provider. Smaller-volume requests from your own server may not be.

You might like to consider leaving named running, perhaps untick it in ispconfig. If you wanted to revert any settings possibly made by ispconfig, do a "yum reinstall bind" and if it creates /etc/named.conf.rpmnew from that install move it to named.conf. That way you have a stock install of bind as a caching name server which only responds to requests from the loopback address.

Check your /etc/resolv.conf and make sure you have

Code:
nameserver 127.0.0.1
nameserver alternatedns1
nameserver alternatedns2
then your machine will use localhost for name resolution.

Finally, in your firewall block incoming dns requests (udp, tcp port 53) from the outside world.

YMMV!
The Following User Says Thank You to monkfish For This Useful Post:
Eleven Cool (18th December 2013)
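The caching-only setup described in the post above comes down to a few lines in the options block. The fragment below is an added example, not the poster's file and not anything ISPConfig writes: it assumes BIND 9 and a server where only local processes need resolution, so named listens on loopback only and answers, recurses and serves cache only for localhost. The original named.conf in the first post has no allow-query or listen-on restriction, and its forwarders { 127.0.0.1; } points named at itself, which loops; either drop forwarders entirely (named then resolves from the root hints) or point it at an upstream resolver you trust.

```conf
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";

        // Added example (assumed hardening): bind only to loopback, so the
        // daemon is unreachable from outside even before the firewall rule.
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 { ::1; };

        // Answer, recurse and serve cached data only for the local host.
        // Outside clients get REFUSED, so no large ANY reply can be reflected.
        recursion yes;
        allow-query { localhost; };
        allow-query-cache { localhost; };
        allow-recursion { localhost; };
        allow-transfer { none; };

        // No forwarders: named resolves via the root hints in named.ca.
        // If you do want forwarding, list the upstream resolver here, never 127.0.0.1.

        // Optional, only on BIND builds with Response Rate Limiting (9.9.4+ / 9.10+):
        // rate-limit { responses-per-second 10; };
};
```

Check the file with named-checkconf /etc/named.conf before reloading, then confirm from the host itself that dig @127.0.0.1 still resolves and, from another machine, that queries to the server's public address no longer get an answer; with nameserver 127.0.0.1 first in /etc/resolv.conf the box keeps a local cache while presenting nothing on port 53 to the Internet.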