On 17/4/19 at 10:56, Alberto José García Fumero wrote:
> On Wed, 17-04-2019 at 07:28 -0400, Jose Joaquin Ruiz Silva wrote:
>> Hello friends of the list, I have this problem that is being reported
>> in the log. According to the administrator of my national network, the
>> OSRI told him that this is a virus:
>>
>> 01-Jun-2018 22:22:53.646 edns-disabled: info: success resolving 'tar.kziu0tpofwf.club/A' (in 'club'?) after disabling EDNS
>>
>> But I scan the machine and it finds nothing.
>>
>> I have the domain server with samba4 and bind9 compiled on Debian 9,
>> but the server that is making that request is a Windows Server 2008 R2,
>> because it is the Versat server. How could I resolve this?
>>
>> Regards.
>>
>> 01-Jun-2018 21:59:34.190 update: info: client @0x7f8eac0a8aa0 172.17.9.39#51167/key LENOVO$@FAG.REDUIM.CU: updating zone 'fag.reduim.cu/NONE': update failed: rejected by secure update (REFUSED)
>> 01-Jun-2018 21:59:34.190 database: info: samba_dlz: cancelling transaction on zone fag.reduim.cu
>> 01-Jun-2018 22:00:30.116 edns-disabled: info: success resolving '157.9.141.220.in-addr.arpa/PTR' (in '220.in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:02:47.833 edns-disabled: info: success resolving '211.5.104.112.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:03:02.961 edns-disabled: info: success resolving '211.110.115.59.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:03:20.881 edns-disabled: info: success resolving '58.121.166.218.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:05:07.166 edns-disabled: info: success resolving '135.76.105.112.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:07:48.280 edns-disabled: info: success resolving '114.104.19.81.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:07:48.375 edns-disabled: info: success resolving '117.104.19.81.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:10:13.181 edns-disabled: info: success resolving 'redirect.geo.kaspersky.com/A' (in 'geo.kaspersky.com'?) after disabling EDNS
>> 01-Jun-2018 22:15:35.428 edns-disabled: info: success resolving '1.31.236.200.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:17:51.565 edns-disabled: info: success resolving '152.226.216.52.in-addr.arpa/PTR' (in '52.in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:21:44.083 edns-disabled: info: success resolving '27.84.37.114.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:22:40.223 edns-disabled: info: success resolving '189.50.55.65.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:22:53.646 edns-disabled: info: success resolving 'tar.kziu0tpofwf.club/A' (in 'club'?) after disabling EDNS
>> 01-Jun-2018 22:24:10.634 edns-disabled: info: success resolving '114.104.19.81.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:24:34.495 edns-disabled: info: success resolving '211.30.12.85.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:24:35.212 edns-disabled: info: success resolving '114.114.231.54.in-addr.arpa/PTR' (in '54.in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:26:57.610 edns-disabled: info: success resolving '213.96.104.112.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:27:40.336 edns-disabled: info: success resolving '4.104.121.158.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
>> 01-Jun-2018 22:28:00.121 database: info: samba_dlz: starting transaction on zone fag.reduim.cu
>>
> Within my very limited knowledge of these matters, this is not a
> virus (I take for granted that that Windows machine has an antivirus
> installed) but a difficulty with the size of the DNS UDP packets. Either
> the firewall does not let packets larger than 512 bytes through, or the
> Server 2008 RC2 does not accept the kind of packets that BIND sends and
> BIND falls back to sending reduced packets (because I am sure your BIND
> is newer than that server...).
>
> You could try putting in a server directive as indicated in the
> documentation I quote below. That documentation will (I hope) give you
> more details. Sorry that it is in English; I would translate it for you
> if I had the time, but I am pressed for time.
>
> *************************
>
> It is possible to disable sending the EDNS Cookie option by creating a
> server { } directive in your named.conf file with send-cookie no;
>
> See also https://ednscomp.isc.org/ where there's more information about
> EDNS (non-)compliance and a compliance testing tool.
>
> ****************
>
> Things I never knew about DNS – EDNS
> We run a few internal and external DNS servers in the company I work
> for. Keeping them up to date is something we must do each year to keep
> one step ahead of any exploits discovered. I find that upgrading each
> version of BIND I learn something new about it. The documentation is
> not impressive to say the least!
>
> One new thing I learned was EDNS – Extended Mechanisms for DNS. I
> discovered this new (to me) option as I finished installing and
> configuring BIND; I enabled verbose logging to test some DNS queries. I
> found that some queries were a bit slow to begin with. I checked the log
> file for messages and discovered plenty of these messages:
>
> edns-disabled: info: success resolving 'ns6.netnorth.net/AAAA' (in 'netnorth.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
>
> So what is EDNS? Well, first I have to tell you about ordinary DNS.
> Typical DNS UDP packets come with a maximum 512 octets in size.
> Anything more than that will be rejected or fragmented depending on
> your firewall. But EDNS on the other hand carries more information and
> allows for a packet size up to 4026 octets. The reason for this (in
> RFC2671) is: "Many of DNS's protocol limits are too small for uses
> which are or which are desired to become common. There is no way for
> implementations to advertise their capabilities." So new versions of
> BIND and whatever DNS software you use will support EDNS. What will
> happen is that when we send a DNS request to a DNS server by default
> the label type will be set to '01' which means "extended label type".
> The DNS server receives this request and replies with either a normal
> 512 octet packet if it does not support EDNS yet or replies with an
> EDNS packet of up to 4096 octets. The problem we saw was that our
> firewall only accepted DNS packets of size 512 octets. Anything above
> that was discarded or attempted to fragment. To resolve this, instead of
> turning off EDNS on our server I asked our network engineers to allow
> DNS packets through the network of up to 4096 octets in size. As soon
> as this was implemented the messages disappeared from the log file and
> DNS resolving was much faster.
>
> Some handy links:
>
> RFC: http://tools.ietf.org/html/rfc2671
>
> BIND: http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html
>
> edns-udp-size
> edns-udp-size sets the advertised EDNS UDP buffer size. Valid values
> are 512 to 4096 (values outside this range will be silently adjusted).
> The default value is 4096. The usual reason for setting edns-udp-size
> to a non-default value is to get UDP answers to pass through broken
> firewalls that block fragmented packets and/or block UDP packets that
> are greater than 512 bytes.

Do not allow recursion for any host on your network that does not explicitly need to reach the outside. That is the first measure you must have in place on your network.
--
Arian Molina Aguilera
Network and Telematic Services Administrator
Registered Linux User #392892
Tel: +53(7)696-7510 ext 236
email: linuxc...@teknik.io
"Never consider study as an obligation, but as an opportunity to enter the beautiful and wonderful world of knowledge." Albert Einstein
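As an added example (not code from the thread or from BIND), a small Python parser for the edns-disabled lines quoted above: it counts fallbacks per zone and per fallback reason and separates forward lookups from reverse (PTR) ones, so an admin can see whether the fallbacks are spread over many unrelated zones, which, following Alberto's reasoning, points at the local firewall or path rather than at one remote server. The sample lines are taken from the thread; the zone-count threshold is my assumption.

```python
import re
from collections import Counter

# Matches both BIND "edns-disabled" message forms quoted in the thread:
# "... after disabling EDNS" and "... after reducing the advertised EDNS UDP
# packet size to N octets". The timestamp prefix is not required.
EDNS_RE = re.compile(
    r"edns-disabled: info: success resolving "
    r"'(?P<name>[^']+)/(?P<rtype>[A-Z0-9]+)' \(in '(?P<zone>[^']+)'\?\) "
    r"after (?P<reason>disabling EDNS|"
    r"reducing the advertised EDNS UDP packet size to \d+ octets)"
)

# Sample input: lines taken from the thread, plus one samba_dlz line to show
# that unrelated messages are ignored.
SAMPLE_LOG = """\
01-Jun-2018 22:00:30.116 edns-disabled: info: success resolving '157.9.141.220.in-addr.arpa/PTR' (in '220.in-addr.arpa'?) after disabling EDNS
01-Jun-2018 22:02:47.833 edns-disabled: info: success resolving '211.5.104.112.in-addr.arpa/PTR' (in 'in-addr.arpa'?) after disabling EDNS
01-Jun-2018 22:10:13.181 edns-disabled: info: success resolving 'redirect.geo.kaspersky.com/A' (in 'geo.kaspersky.com'?) after disabling EDNS
01-Jun-2018 22:22:53.646 edns-disabled: info: success resolving 'tar.kziu0tpofwf.club/A' (in 'club'?) after disabling EDNS
01-Jun-2018 22:28:00.121 database: info: samba_dlz: starting transaction on zone fag.reduim.cu
edns-disabled: info: success resolving 'ns6.netnorth.net/AAAA' (in 'netnorth.net'?) after reducing the advertised EDNS UDP packet size to 512 octets
"""


def parse_edns_fallbacks(lines):
    """Return one dict (name, rtype, zone, reason) per edns-disabled line."""
    events = []
    for line in lines:
        m = EDNS_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, zone_threshold=3):
    """Aggregate fallbacks per zone and reason; list forward (non-PTR) names.

    Fallbacks spread over `zone_threshold` or more unrelated zones suggest the
    local firewall/path is dropping UDP answers over 512 bytes rather than one
    remote server being broken (threshold is an assumed heuristic).
    """
    zones = Counter(e["zone"] for e in events)
    reasons = Counter(e["reason"] for e in events)
    forward = [e for e in events if not e["name"].endswith(".in-addr.arpa")]
    return {
        "total": len(events),
        "zones": zones,
        "reasons": reasons,
        "forward": forward,
        "likely_local_path_issue": len(zones) >= zone_threshold,
    }
```

Feed it `named.log` lines instead of `SAMPLE_LOG` to get the same summary for a real server.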
_______________________________________________
Gutl-l mailing list -- gutl-l@listas.jovenclub.cu
To unsubscribe send an email to gutl-l-le...@listas.jovenclub.cu