Hi,

I have some more information. I did a tcpdump of the incoming packets from the 
external IPs that send requests on udp 53:

08:29:32.482475 IP 195.176.219.26.62511 > MY.CACHE.DNS.domain: 12614+ PTR? 167.72.97.76.IN-ADDR.ARPA. (43)
08:29:34.333751 IP 195.176.219.26.25840 > MY.CACHE.DNS.domain: 1116+ PTR? 37.146.254.169.IN-ADDR.ARPA. (45)
08:29:42.699256 IP 195.176.219.26.31381 > MY.CACHE.DNS.domain: 21474+ PTR? 125.110.0.10.IN-ADDR.ARPA. (43)
08:29:53.516726 IP 195.176.219.26.57195 > MY.CACHE.DNS.domain: 24503+ PTR? 110.147.178.193.IN-ADDR.ARPA. (46)
08:29:53.915886 IP 195.176.219.26.45779 > MY.CACHE.DNS.domain: 2807+ PTR? 207.45.20.201.IN-ADDR.ARPA. (44)
08:29:54.232617 IP 195.176.219.26.38890 > MY.CACHE.DNS.domain: 6981+ PTR? 1.180.209.163.IN-ADDR.ARPA. (44)

Regards,

David Ulrich
---
e-mail: david.ulr...@siesa.ch
Phone:  +41274511962

Sierre-Énergie SA
Rte de l'Industrie 29
CH-3960 Sierre




On 19 August 2010 at 08:21, Ulrich David wrote:

> Hi Jason and Robert,
> 
> Sorry for my lack of details.
> 
> My firewall has stateful inspection enabled for all ports:
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> I permit all outgoing packets. The open incoming ports are 22 tcp (for all 
> IPs), 53 tcp and udp (filtered for my clients' IPs - they have public IPs... 
> so... -).
> I enabled LOG for iptables but protected it against DoS. Doing this permits me 
> to do some "inspection" :) .
> 
> I have a BIND 9.4.3-P5 (running on Linux). It's the last stable release on my 
> distribution. query-source is not enabled. My configuration is very simple:
> options {
>       directory "/var/bind";
>       listen-on-v6 { none; };
>       listen-on { any; };
> 
>       allow-query {
>               local;
>               my-clients;
>               my-servers;
>               my-private-network;
>       };
> 
>       statistics-file "/var/bind/stats/named.stats";
>       version "None of your business";
>       blackhole { blacklist; };
>       max-cache-size          0;
>       recursive-clients       10000;
>       pid-file "/var/run/named/named.pid";
> };
> I have some zones (in-addr.arpa, ., localhost). I have logging and controls 
> blocks too.
> I can go up to 4000 queries/second (a lot of mail servers on my network).
> 
> named is running well. But I have some problems with some perhaps "bogus" 
> authoritative DNS servers (ns51.domaincontrol.com and ns52.domaincontrol.com for 
> example)... so I decided to see if it's not my configuration which has a 
> problem.
> 
> Regards,
> 
> David
> 
> 
> 
> 
> On 19 August 2010 at 04:23, Jason Roysdon wrote:
> 
>> 
>> On 08/18/2010 02:42 PM, Ulrich David wrote:
>>> Hi,
>>> 
>>> I'm using BIND as a cache (absolutely not authoritative) DNS for a public 
>>> network. I have put a firewall in place in order to refuse incoming packets 
>>> from people not on my network.
>>> 
>>> Today, inspecting logs, I see this :
>>> 
>>> Aug 18 17:31:44 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP SPT=56592 DPT=53 LEN=49 
>>> Aug 18 17:31:48 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=59 TOS=00 PREC=0x00 TTL=120 ID=23374 PROTO=UDP SPT=57527 DPT=53 LEN=39 
>>> Aug 18 17:31:51 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=207.38.104.93 DST=MY.CACHE.DNS LEN=47 TOS=00 PREC=0x00 TTL=48 ID=48457 CE PROTO=UDP SPT=32779 DPT=53 LEN=27 
>>> Aug 18 17:31:56 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=72 TOS=00 PREC=0x00 TTL=120 ID=38433 CE PROTO=UDP SPT=53494 DPT=53 LEN=52 
>>> Aug 18 17:32:00 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=109.164.132.64 DST=MY.CACHE.DNS LEN=60 TOS=00 PREC=0x00 TTL=112 ID=24658 PROTO=UDP SPT=51908 DPT=53 LEN=40 
>>> Aug 18 17:32:04 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=40178 CE PROTO=UDP SPT=48147 DPT=53 LEN=49 
>>> Aug 18 17:32:08 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=213.3.5.3 DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP SPT=18967 DPT=53 LEN=48 
>>> 
>>> This traffic came from other DNS servers in the world. As it's UDP, I think 
>>> of UDP queries going from my cache server to other DNS servers, and I catch 
>>> their UDP responses in the firewall. Is it possible?
>>> 
>>> So I should open my firewall for UDP on port 53 for all the world?
>>> 
>>> Regards,
>>> 
>>> David
>> 
>> 
>> David,
>> 
>> First, double-check that you're on a current BIND release.  Second,
>> check that your named.conf doesn't have "query-source" bound to port 53.
>> It's bad to always source your queries from port 53, as it allows your
>> cache to get bogus spoofed replies from systems you aren't asking
>> queries of.
>> 
>> Provided that you are running a recent version of BIND, and that you are
>> configuring your named.conf to query from port 53, your DNS server
>> should be sending out UDP queries from random, high-numbered ephemeral
>> ports.  See the Wikipedia article on this, which discusses Linux port
>> defaults vs. IANA recommended port range, etc. (as I'm typing this while
>> offline).  Your server should be sourcing from those random,
>> high-numbered ephemeral ports to remote DNS servers' udp/53.  Their
>> queries should come back from their same udp/53 source to your same
>> original high-numbered ephemeral port.
>> 
>> As you should be sending UDP queries from high-numbered ports, and your
>> queries are never going to originate from udp/53, you should never
>> get replies destined for your udp/53.
>> 
>> You should absolutely not open your firewall to queries from UDP/53 as
>> it is not authoritative and is not an open dns resolving server for the
>> Internet (or if it was, you shouldn't be asking questions on here how to
>> secure it).
>> 
>> I would configure your firewall to -j DROP and not first -j LOG these
>> packets.  No need filling up your syslog with bogus queries.
>> 
>> My guess is that there are some poorly configured remote firewalls.
>> 
>> Jason Roysdon
>> http://jason.roysdon.net/
>> _______________________________________________
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 

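An added illustration of the point Jason makes and the tcpdump confirms; this is not code from the thread, from ISC or from the posters. Every dropped packet in the iptables log has DPT=53 and an ephemeral source port, which is the shape of a query addressed to the cache, not of a reply to a query the cache sent (a reply would arrive from udp/53 to the cache's ephemeral port). The tcpdump lines say the same thing: "12614+ PTR?" is a transaction id with the RD bit set, i.e. a recursive PTR lookup being asked of the cache by 195.176.219.26. The script parses both log formats, runs the packets through a toy model of the RELATED,ESTABLISHED rule (a simplification of netfilter's UDP state tracking, not its real implementation), and adds a check for a named.conf that pins the query-source port, which Jason warns against. The pending lookup to 198.51.100.7 from port 40321 is made up for the demonstration; the log lines are copied from the posts above, re-joined onto one line each.

```python
"""Added illustration for the bind-users thread above; not code from the posts.

IPT_LOG and TCPDUMP are copied from the posts (re-joined onto one line each).
The pending lookup used to model the cache's own outbound query
(198.51.100.7, source port 40321) is an assumption: no such packet appears
in the thread.
"""
import re
from dataclasses import dataclass

IPT_LOG = [  # copied from the first post
    "Aug 18 17:31:44 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 "
    "DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP "
    "SPT=56592 DPT=53 LEN=49",
    "Aug 18 17:31:51 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=207.38.104.93 "
    "DST=MY.CACHE.DNS LEN=47 TOS=00 PREC=0x00 TTL=48 ID=48457 CE PROTO=UDP "
    "SPT=32779 DPT=53 LEN=27",
    "Aug 18 17:32:08 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=213.3.5.3 "
    "DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP "
    "SPT=18967 DPT=53 LEN=48",
]
TCPDUMP = [  # copied from the latest post
    "08:29:32.482475 IP 195.176.219.26.62511 > MY.CACHE.DNS.domain: 12614+ PTR? "
    "167.72.97.76.IN-ADDR.ARPA. (43)",
    "08:29:34.333751 IP 195.176.219.26.25840 > MY.CACHE.DNS.domain: 1116+ PTR? "
    "37.146.254.169.IN-ADDR.ARPA. (45)",
]

IPT_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
                    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")
# tcpdump prints "<id>+" when the query has the RD (recursion desired) bit set
TCPDUMP_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<spt>\d+) > (?P<dst>\S+)\.(?P<dpt>\w+): "
                        r"(?P<txid>\d+)(?P<rd>\+?) (?P<qtype>[A-Z]+)\? (?P<qname>\S+)")
PORT_NAMES = {"domain": 53}  # tcpdump prints well-known ports by name


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport)


class UdpConntrack:
    """Toy model of the RELATED,ESTABLISHED rule for UDP: an inbound packet
    is accepted only if it reverses a flow this host already sent."""

    def __init__(self):
        self.sent = set()

    def outbound(self, flow):
        self.sent.add(flow)

    def inbound(self, flow):
        if flow.reverse() in self.sent:
            return "ACCEPT"       # reply to a query the cache sent itself
        if flow.dport == 53:
            return "DROP-QUERY"   # someone asking our resolver a question
        return "DROP"


def parse_ipt(line):
    m = IPT_RE.search(line)
    if not m or m["proto"] != "UDP":
        raise ValueError("not a UDP iptables LOG line: " + line)
    return Flow(m["src"], int(m["spt"]), m["dst"], int(m["dpt"]))


def parse_tcpdump(line):
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError("not a tcpdump DNS query line: " + line)
    dport = PORT_NAMES.get(m["dpt"]) or int(m["dpt"])
    return {"flow": Flow(m["src"], int(m["spt"]), m["dst"], dport),
            "txid": int(m["txid"]), "rd": m["rd"] == "+",
            "qtype": m["qtype"], "qname": m["qname"]}


QUERY_SOURCE_RE = re.compile(r"query-source(?:-v6)?\s+[^;]*?\bport\s+(\d+)")


def pinned_query_source_ports(named_conf):
    """Ports fixed by a 'query-source ... port N' statement ('port *' stays random)."""
    return [int(p) for p in QUERY_SOURCE_RE.findall(named_conf)]


def demo():
    ct = UdpConntrack()
    # Assumed lookup by the cache: ephemeral source port, remote udp/53.
    pending = Flow("MY.CACHE.DNS", 40321, "198.51.100.7", 53)
    ct.outbound(pending)
    return {
        "reply": ct.inbound(pending.reverse()),  # the genuine answer gets in
        "ipt": [(f.src, ct.inbound(f)) for f in map(parse_ipt, IPT_LOG)],
        "tcpdump": [(p["qtype"], p["rd"], ct.inbound(p["flow"]))
                    for p in map(parse_tcpdump, TCPDUMP)],
    }
```

Running demo() accepts the modelled reply and marks every logged packet DROP-QUERY: the conntrack rule admits answers to the cache's own lookups on whatever ephemeral port they went out from, so nothing in udp/53 needs to be opened to the world, exactly as Jason says. pinned_query_source_ports() returns an empty list for the poster's configuration (no query-source at all) and [53] for "query-source address * port 53;", the setting Jason warns about.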
