On 13.01.21 10:21, Alessandro Vesely wrote:
> I'm getting lots of log lines like the following:
> Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
> Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
> Jan 12 04:35:27 30 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
> Is that meant to be a DoS attack?
Most probably.
> Yesterday I got 42639 of those, from 41 different IPs, the most frequent
> clients looking like so:
> 821-north:~$ sed -rn 's/^.{15} 30 north named[^:]*: client @0x[0-9a-f]* ([0-9.]*)#[0-9]* ...: view external: query failed .REFUSED. for ..IN.ANY at .........bin.named.query.c:7144/\1/p' < /var/log/daemon.log.0 | sort | uniq -c | sort -rn | head
> 4957 68.42.225.19
> 2914 73.73.73.73
> 2868 24.21.125.251
> 2783 193.70.81.112
> 2440 73.73.3.73
> 2273 101.71.138.9
> 2032 74.74.74.8
> 1814 98.25.235.45
> 1785 209.94.134.20
> 1756 73.109.143.81
> I looked up some of these on AbuseIPDB, and I see there are a few people
> reporting them for the same DDoS.
Can be a DDoS attempt on those IPs.
> Are the queries refused because of the dot (.)? In the query log, I also
> found some 28 IN ANY queries from 7 IPs for xxx.at.fragolina.it, which
> probably got away with a NXDOMAIN.
No. The dot is just the root domain.
> This morning, queries for IN ANY are filling up a 63% of total queries.
> Named seems to be pretty quick at discarding them. I'm wondering whether
> it takes more resources to track and firewall those IPs or just ignore
> them.
fail2ban should help you not see those messages.
> I'd be also curious of what they are after. Is there a protest against RFC
> 8482? It looks pretty nonsensical. Any insight?
Often, nameservers respond with a list of delegations for this query:
% dig +noall +stats -t any . @localhost
;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 13 11:01:08 CET 2021
;; MSG SIZE rcvd: 2272
This way, the server will respond with a >2 KB packet, which may flood the
destination IP.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.
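As an added example (not part of this thread or of BIND itself), here is a small Python parser for the `query failed (REFUSED)` log lines quoted above; it does what the sed pipeline does (count REFUSED ANY queries per client IP) and then flags sources over a threshold, which is the kind of decision a fail2ban jail would make. The log lines are constructed samples using RFC 5737 addresses, and the threshold value is an arbitrary assumption.

```python
import re
from collections import Counter

# Field layout of BIND's "query failed" line, as in the thread:
# "... named[PID]: client @0xADDR IP#PORT (QNAME): view VIEW: query failed (RCODE) for NAME/CLASS/TYPE at FILE:LINE"
LOG_RE = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): view (?P<view>\S+): query failed \((?P<rcode>[A-Z]+)\) "
    r"for (?P<name>\S+)/(?P<qclass>[^/\s]+)/(?P<qtype>[^/\s]+) at "
)

# Constructed sample log lines (RFC 5737 addresses); not real traffic.
SAMPLE_LOG = [
    "Jan 12 04:35:18 ns1 named[22233]: client @0x7fe0fc2a3b80 203.0.113.10#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144",
    "Jan 12 04:35:18 ns1 named[22233]: client @0x7fe0fc2784d0 203.0.113.10#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144",
    "Jan 12 04:35:27 ns1 named[22233]: client @0x7fe0fc2953f0 203.0.113.10#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144",
    "Jan 12 04:36:02 ns1 named[22233]: client @0x7fe0fc29a110 198.51.100.7#53001 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144",
    "Jan 12 04:36:05 ns1 named[22233]: client @0x7fe0fc29b2f0 192.0.2.5#40112 (example.com): view external: query failed (REFUSED) for example.com/IN/A at ../../../bin/named/query.c:7144",
    "Jan 12 04:36:09 ns1 sshd[911]: Accepted publickey for admin from 192.0.2.9 port 50022",
]

def parse_line(line):
    """Return the parsed fields as a dict, or None for lines that are not refused-query lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def count_refused_any(lines):
    """Count REFUSED queries of type ANY per client IP (the sed | sort | uniq -c pipeline)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rcode"] == "REFUSED" and rec["qtype"] == "ANY":
            counts[rec["ip"]] += 1
    return counts

def flag_sources(counts, threshold):
    """Return the IPs that reached the threshold, most frequent first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    per_ip = count_refused_any(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{n:7d} {ip}")
    print("over threshold:", flag_sources(per_ip, 2))  # hypothetical threshold
```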
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users