El mié, 17-04-2019 a las 07:28 -0400, Jose Joaquin Ruiz Silva escribió:
> Hola amigos de la lista mira tengo este problema que me esta diciendo
> en
> el log. Segun el administrador de mi red nacional dice que la Osri
> le
> dijo que eso es un virus
>
> 01-Jun-2018 22:22:53.646 edns-disabled: info: success resolving
> 'tar.kziu0tpofwf.club/A' (in 'club'?) after disabling EDNS
>
> Pero yo escaneo la maquina y no encuentra nada
>
> Tengo el servidor de dominio con samba4 y bind9 compilados en debian
> 9
> pero el servidor que esta haciendo esa peticion es en Windows Server
> 2008 R2 porque es el servidor del versat. Como pudiera resilver esto.
>
> Saludos.
>
>
> 01-Jun-2018 21:59:34.190 update: info: client @0x7f8eac0a8aa0
> 172.17.9.39#51167/key LENOVO\$\@FAG.REDUIM.CU: updating zone
> 'fag.reduim.cu/NONE': update failed: rejected by secure update
> (REFUSED)
> 01-Jun-2018 21:59:34.190 database: info: samba_dlz: cancelling
> transaction on zone fag.reduim.cu
> 01-Jun-2018 22:00:30.116 edns-disabled: info: success resolving
> '157.9.141.220.in-addr.arpa/PTR' (in '220.in-addr.arpa'?) after
> disabling EDNS
> 01-Jun-2018 22:02:47.833 edns-disabled: info: success resolving
> '211.5.104.112.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling
> EDNS
> 01-Jun-2018 22:03:02.961 edns-disabled: info: success resolving
> '211.110.115.59.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after
> disabling EDNS
> 01-Jun-2018 22:03:20.881 edns-disabled: info: success resolving
> '58.121.166.218.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after
> disabling EDNS
> 01-Jun-2018 22:05:07.166 edns-disabled: info: success resolving
> '135.76.105.112.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after
> disabling EDNS
> 01-Jun-2018 22:07:48.280 edns-disabled: info: success resolving
> '114.104.19.81.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling
> EDNS
> 01-Jun-2018 22:07:48.375 edns-disabled: info: success resolving
> '117.104.19.81.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling
> EDNS
> 01-Jun-2018 22:10:13.181 edns-disabled: info: success resolving
> 'redirect.geo.kaspersky.com/A' (in 'geo.kaspersky.com'?) after
> disabling
> EDNS
> 01-Jun-2018 22:15:35.428 edns-disabled: info: success resolving
> '1.31.236.200.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling
> EDNS
> 01-Jun-2018 22:17:51.565 edns-disabled: info: success resolving
> '152.226.216.52.in-addr.arpa/PTR' (in '52.in-addr.arpa'?) after
> disabling EDNS
> 01-Jun-2018 22:21:44.083 edns-disabled: info: success resolving
> '27.84.37.114.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling
> EDNS
> 01-Jun-2018 22:22:40.223 edns-disabled: info: success resolving
> '189.50.55.65.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling
> EDNS
> 01-Jun-2018 22:22:53.646 edns-disabled: info: success resolving
> 'tar.kziu0tpofwf.club/A' (in 'club'?) after disabling EDNS
> 01-Jun-2018 22:24:10.634 edns-disabled: info: success resolving
> '114.104.19.81.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling
> EDNS
> 01-Jun-2018 22:24:34.495 edns-disabled: info: success resolving
> '211.30.12.85.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling
> EDNS
> 01-Jun-2018 22:24:35.212 edns-disabled: info: success resolving
> '114.114.231.54.in-addr.arpa/PTR' (in '54.in-addr.arpa'?) after
> disabling EDNS
> 01-Jun-2018 22:26:57.610 edns-disabled: info: success resolving
> '213.96.104.112.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after
> disabling EDNS
> 01-Jun-2018 22:27:40.336 edns-disabled: info: success resolving
> '4.104.121.158.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling
> EDNS
> 01-Jun-2018 22:28:00.121 database: info: samba_dlz: starting
> transaction
> on zone fag.reduim.cu
>
> _______________________________________________
>
Dentro de mi súper limitado alcance en estos temas, no se trata de
virus. (Doy por descontado que esa máquina Windows tiene puesto un
antivirus) sino de una dificultad con el tamaño de los paquetes UDP del
DNS. O el cortafuegos no deja pasar paquetes más grandes que 512 bytes.
O el Server 2008 RC2 no acepta el tipo de paquetes que manda el BIND y
el BIND pasa a mandar paquetes reducidos (porque tu Bind estoy seguro
de que es más nuevo que ese server...).
Podrías probar a poner una directiva server como se indica en estas
documentaciones que te cito más abajo. Esta documentación te dará
(espero) más detalles. perdona que esté en inglés. Te la traduciría si
tuviera tiempo, pero estoy "cogido" con el tiempo.
*************************
It is possible to disable sending the EDNS Cookie option by creating a
server { } directive in your named.conf file with send-cookie no;
See also https://ednscomp.isc.org/ where there's more information about
EDNS (non-)compliance and a compliance testing tool.
****************
Things I never knew about DNS – EDNS
We run a few internal and external DNS servers in the company I work
for. Keeping them up to date is something we must do each year to keep
one step ahead of any exploits discovered. I find that upgrading each
version of BIND I learn something new about it. The documentation is
not impressive to say the least!
One new thing I learned was EDNS – Extended Mechanisms for DNS. I
discovered this new (to me) option as I finished installing and
configuring BIND, I enabled verbose logging to test some DNS queries. I
found that some queries were abit slow to begin with. I checked the log
file for messages and discovered plenty of these messages:
edns-disabled: info: success resolving
'ns6.netnorth.net/AAAA' (in 'netnorth.net'?) after reducing the
advertised EDNS UDP packet size to 512 octets
So what is EDNS? Well first I have to tell you about ordinary DNS.
Typical DNS UDP packets come with a maximum 512 octets in size.
Anything more than that will be rejected or fragmented depending on
your firewall. But EDNS on the otherhand carries more information and
allows for a packet size up to 4026 octets. The reason for this (in
RFC2671) is: “Many of DNS’s protocol limits are too small for uses
which are or which are desired to become common. There is no way for
implementations to advertise their capabilities.” So new versions of
BIND and whatever DNS software you use will support EDNS. What will
happen is that when we send a DNS request to a DNS server by default
the label type will be set to ’01′ which means “extended label type”.
The DNS server recieves this request and replies with either a normal
512 octet packet if it does not support EDNS yet or replies with an
EDNS packet of up to 4096 octets. The problem we saw was that our
firewall only accepted DNS packets of size 512 octets. Anything above
that was discarded or attempted to fragment. To resolve this instead of
turning off EDNS on our server I asked our network engineers to allow
DNS packets through the network of up to 4096 octets in size. As soon
as this was implemented the messages disappeared from the log file and
DNS resolving was much faster.
Some handy links:
RFC: http://tools.ietf.org/html/rfc2671
BIND: http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html
edns-udp-size
edns-udp-size sets the advertised EDNS UDP buffer size. Valid values
are 512 to 4096 (values outside this range will be silently adjusted).
The default value is 4096. The usual reason for setting edns-udp-size
to a non default value it to get UDP answers to pass through broken
firewalls that block fragmented packets and/or block UDP packets that
are greater than 512 bytes.”
--
M.Sc. Alberto García Fumero
Usuario Linux 97 138, registrado 10/12/1998
http://interese.cubava.cu
No son las horas que pones en tu trabajo lo que cuenta, sino el trabajo
que pones en esas horas.
_______________________________________________
Gutl-l mailing list -- gutl-l@listas.jovenclub.cu
To unsubscribe send an email to gutl-l-le...@listas.jovenclub.cu
