loads of Query denied... is it an attack or a misconfiguration ?
Hi,

I can see in my secondary DNS server a lot of logs with query(cache) denied from the same IP.

I've tracerouted one of them, which seems to be a Russian computer.

* * 17 ns1.orlan-net.ru (195.68.176.4) 136.563 ms * *

Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#59934: query (cache) './NS/IN' denied
Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#23591: query (cache) './NS/IN' denied
Feb 11 00:21:53 ns1 named[13392]: client 195.68.176.4#54430: query (cache) './NS/IN' denied
Feb 11 00:21:53 ns1 named[13392]: client 195.68.176.4#46875: query (cache) './NS/IN' denied
Feb 11 00:21:55 ns1 named[13392]: client 195.68.176.4#43603: query (cache) './NS/IN' denied
Feb 11 00:21:56 ns1 named[13392]: client 195.68.176.4#27124: query (cache) './NS/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#14844: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#11936: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#5777: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#64647: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#41115: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#6712: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:59 ns1 named[13392]: client 195.68.176.4#38402: query (cache) './NS/IN' denied
Feb 11 00:21:59 ns1 named[13392]: client 195.68.176.4#59205: query (cache) './NS/IN' denied
Feb 11 00:22:01 ns1 named[13392]: client 195.68.176.4#36863: query (cache) './NS/IN' denied
Feb 11 00:22:02 ns1 named[13392]: client 195.68.176.4#51511: query (cache) './NS/IN' denied
Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#50013: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#43818: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#10674: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:05 ns1 named[13392]: client 195.68.176.4#61345: query (cache) './NS/IN' denied
Feb 11 00:22:05 ns1 named[13392]: client 195.68.176.4#5707: query (cache) './NS/IN' denied
Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#53811: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#53504: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#24805: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:07 ns1 named[13392]: client 195.68.176.4#50225: query (cache) './NS/IN' denied
Feb 11 00:22:08 ns1 named[13392]: client 195.68.176.4#27039: query (cache) './NS/IN' denied
Feb 11 00:22:08 ns1 named[13392]: client 195.68.176.4#47331: query (cache) './NS/IN' denied
Feb 11 00:22:12 ns1 named[13392]: client 195.68.176.4#53740: query (cache) './NS/IN' denied
Feb 11 00:22:12 ns1 named[13392]: client 195.68.176.4#53988: query (cache) './NS/IN' denied
Feb 11 00:22:12 ns1 named[13392]: client 62.193.206.133#1995: query (cache) 'le-droit-de-lenfance.com/A/IN' denied

Is it a misconfiguration of my DNS server (which passes the French NIC test so...) or an attack or something else ?

Is there anything I should do ?

Regards,
Thomas.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: loads of Query denied... is it an attack or a misconfiguration ?
Please go read the list archives.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: loads of Query denied... is it an attack or a misconfiguration ?
In message <f43eb7e60902101552l524787b1t72fcc821437af...@mail.gmail.com>, Thomas Manson writes:

The subject matter has been discussed in lots of detail over the last month. Go read the archives of the mailing list.

Mark
Re: loads of Query denied... is it an attack or a misconfiguration ?
That's some awesome answer... (did you get helped to elaborate it?)

equivalent : google is your friend, search the RFCs

Then... read the list archives... I guess I can spend the next ten years if I read it from the beginning

Could you give any clue of what to look for ?

I believed I was on bind mailing list, a mailing list is where you usually get some help... isn't it ?

Thomas.

On Wed, Feb 11, 2009 at 00:52, Thomas Manson <dev.mansontho...@gmail.com> wrote:
> On Wed, Feb 11, 2009 at 00:51, Mark Andrews <mark_andr...@isc.org> wrote:
> > Please go read the list archives.
> >
> > Mark
Re: loads of Query denied... is it an attack or a misconfiguration ?
In message <f43eb7e60902101621y66133c17lc46a1df451f1b...@mail.gmail.com>, Thomas Manson writes:
> That's some awesome answer... (did you get helped to elaborate it?)
>
> equivalent : google is your friend, search the RFCs

Feeding the error message into Google would have given you lots of relevant information.

    query (cache) './NS/IN' denied

I didn't want to start yet another debate about what is the right thing to do.

Mark

> Then... read the list archives... I guess I can spend the next ten years if I read it from the beginning
>
> Could you give any clue of what to look for ?
>
> I believed I was on bind mailing list, a mailing list is where you usually get some help... isn't it ?
>
> Thomas.
>
> On Wed, Feb 11, 2009 at 00:52, Thomas Manson <dev.mansontho...@gmail.com> wrote:
> > On Wed, Feb 11, 2009 at 00:51, Mark Andrews <mark_andr...@isc.org> wrote:
> > > Please go read the list archives.
> > >
> > > Mark
Re: loads of Query denied... is it an attack or a misconfiguration ?
Someone answered me; you could just have said search reflector DoS attack in the archive list, this would have narrowed down my research a lot.

I'll temporarily block the IP on my firewall.

On Wed, Feb 11, 2009 at 01:21, Mark Andrews <mark_andr...@isc.org> wrote:
> In message <f43eb7e60902101552l524787b1t72fcc821437af...@mail.gmail.com>, Thomas Manson writes:
>
> The subject matter has been discussed in lots of detail over the last month. Go read the archives of the mailing list.
>
> Mark
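
An added example, not part of the thread and not ISC or BIND code: a small Python triage script for the "query (cache) ... denied" lines quoted in the first message, grouping them by question so that a repeated './NS/IN' pattern and the clients behind each question stand out. The regular expression assumes the syslog layout shown in the thread; the function and field names are illustrative.

```python
import re
from collections import defaultdict

# A few lines copied from the log excerpt in the first message of the thread.
SAMPLE_LOG = """\
Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#59934: query (cache) './NS/IN' denied
Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#23591: query (cache) './NS/IN' denied
Feb 11 00:21:53 ns1 named[13392]: client 195.68.176.4#54430: query (cache) './NS/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#14844: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#11936: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#50013: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#53811: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
"""

# Assumes the syslog layout shown in the thread; names here are illustrative.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query \(cache\) '(?P<qname>[^']+)/(?P<qtype>[^/']+)/[^/']+' denied$"
)

def parse_denied(text):
    """Yield (timestamp, client_ip, qname, qtype) for each denied cache query."""
    for line in text.splitlines():
        m = DENIED.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["qname"], m["qtype"]

def summarize(text):
    """One row per question (qname/qtype), busiest first, with the clients asking it."""
    groups = defaultdict(lambda: {"count": 0, "clients": set(), "first": None, "last": None})
    for ts, ip, qname, qtype in parse_denied(text):
        g = groups[(qname, qtype)]
        g["count"] += 1
        g["clients"].add(ip)
        g["first"], g["last"] = g["first"] or ts, ts
    rows = [{"question": f"{q}/{t}", "count": g["count"],
             "clients": sorted(g["clients"]), "first": g["first"], "last": g["last"],
             # the root NS set lies outside any zone an ordinary authoritative server hosts
             "root_ns": q == "." and t == "NS"}
            for (q, t), g in groups.items()]
    return sorted(rows, key=lambda r: -r["count"])

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```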