Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied

2010-08-05 Thread Denis BUCHER

Yes I have a wonderful script doing that for SSH but not for iptables.

For Bind, I must say that this problem appears 2-3 times a month, I can 
therefore manage it manually for the moment...


Denis

On 04.08.2010 14:36, Sten Carlsen wrote:

You may want to consider how to trigger removal of this blocking when
the problem has gone away and the address is again used responsibly.

Maybe add a log statement with a limitation of one per day and checking
that this is no longer seen for some time? IPTABLES can do the logging.

On 04/08/10 11:00, Denis BUCHER wrote:

On 03.08.2010 21:25, Kevin Darcy wrote:

I would like to know if I can block hosts doing that at the level of
/etc/hosts.allow or should I do it at the level of Bind itself ?

Use IPTables or add rules to your firewall. I don't believe that BIND
pays any attention to /etc/hosts.allow


Yes I tried iptables, it is working perfectly, and /etc/hosts.allow
does not look to be working. This was perfect :

iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP


I'm no iptables expert, but doesn't that only apply to TCP packets?


Dear Kevin,

Yes sorry, in fact I also should add a rule for UDP :


iptables -I INPUT 3 -p udp -s 202.152.172.4 --dport 53 -j DROP


Or : (all ports)


iptables -I INPUT 3 -s 202.152.172.4 -j DROP



Denis
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
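An added example, not code from the thread: it combines Denis's TCP and UDP DROP rules with the once-a-day LOG rule and the "is it still being seen" check Sten suggests for lifting the block later. IPTABLES=echo gives a dry run; the DNSABUSE log prefix, the insert position and the state file are choices made here.

```shell
#!/bin/sh
# Block one abusive DNS client on both transports, log it at most once a
# day, and read the DROP counters back so the block can be lifted once the
# source has gone quiet. (Added example; not from the thread.)
IPTABLES=${IPTABLES:-iptables}   # IPTABLES=echo prints instead of applying
POS=${POS:-3}                    # insert position in INPUT, as in the thread

block_dns_client() {
    ip=$1
    # LOG first (rate-limited to one line per day), then DROP both transports
    $IPTABLES -I INPUT "$POS" -s "$ip" -m limit --limit 1/day \
        -j LOG --log-prefix "DNSABUSE $ip: "
    $IPTABLES -I INPUT "$((POS + 1))" -s "$ip" -p udp --dport 53 -j DROP
    $IPTABLES -I INPUT "$((POS + 2))" -s "$ip" -p tcp --dport 53 -j DROP
}

unblock_dns_client() {
    ip=$1
    $IPTABLES -D INPUT -s "$ip" -p tcp --dport 53 -j DROP
    $IPTABLES -D INPUT -s "$ip" -p udp --dport 53 -j DROP
    $IPTABLES -D INPUT -s "$ip" -m limit --limit 1/day \
        -j LOG --log-prefix "DNSABUSE $ip: "
}

# Sum the packet counters of the DROP rules for address $1, reading an
# `iptables -nvxL INPUT` listing on stdin (columns: pkts bytes target prot
# opt in out source destination ...).
dropped_packets() {
    awk -v ip="$1" '$3 == "DROP" && $8 == ip { n += $1 } END { print n + 0 }'
}

# Return 0 when the DROP counter for $1 has not moved since the previous
# call (last value kept in file $2), i.e. the source has been quiet; 1 if
# it moved or there is no previous value yet. Run it from cron with
#   iptables -nvxL INPUT | still_quiet 202.152.172.4 /var/tmp/dnsabuse.state
still_quiet() {
    now=$(dropped_packets "$1")
    prev=$(cat "$2" 2>/dev/null || true)
    echo "$now" > "$2"
    [ -n "$prev" ] && [ "$prev" = "$now" ]
}
```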


Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied

2010-08-04 Thread Denis BUCHER

On 03.08.2010 21:25, Kevin Darcy wrote:

I would like to know if I can block hosts doing that at the level of
/etc/hosts.allow or should I do it at the level of Bind itself ?

Use IPTables or add rules to your firewall. I don't believe that BIND
pays any attention to /etc/hosts.allow


Yes I tried iptables, it is working perfectly, and /etc/hosts.allow
does not look to be working. This was perfect :

iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP


I'm no iptables expert, but doesn't that only apply to TCP packets?


Dear Kevin,

Yes sorry, in fact I also should add a rule for UDP :


iptables -I INPUT 3 -p udp -s 202.152.172.4 --dport 53 -j DROP


Or : (all ports)


iptables -I INPUT 3 -s 202.152.172.4 -j DROP


Thanks a lot !

Denis


Re: Strange IPv6 messages [SOLVED]

2010-08-03 Thread Denis BUCHER

Dear all,

On 02.08.2010 23:43, Denis BUCHER wrote:

I have a simple question, when reloading Bind, I get these messages, and
later on in the logs, the transfer seems to work with IPv4.

Aug 2 23:24:13 cirrus named[1581]: network unreachable resolving
'(host)/A/IN': 2001:620::4#53
Aug 2 23:24:13 cirrus named[1581]: network unreachable resolving
'(host)/A/IN': 2001:418:1::39#53

What should I do to avoid these messages, and why are they appearing ?
We have BIND 9.5.1-P2


I got many private and public replies so I will briefly summarize the 
answers and the solution :


First, the problem comes from the fact that Bind is using IPv6 while 
our system and network don't use IPv6 at all.


Therefore the solution is to remove IPv6 support from Bind.
That's easy: the option -4 (IPv4 only) has to be added at startup.

I added OPTIONS=-4 to /etc/sysconfig/named and now it doesn't complain 
anymore about IPv6 :-)


Thanks a lot to everyone

Denis


Script-kiddie / client IP query (cache) 'host/MX/IN' denied

2010-08-03 Thread Denis BUCHER

Dear all,

I have a question, it's not really a big problem, but it's annoying.

In the logs I get plenty of lines like :

client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)


This seems to be due to a script-kiddie.

I would like to know if I can block hosts doing that at the level of 
/etc/hosts.allow or should I do it at the level of Bind itself ?


Currently it is working for sshd on this server to add lines in 
/etc/hosts.allow, but I would like to know if it would be possible for 
bind :

sshd: 121.14.195.176: DENY

# uname -a
Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 i386 GNU/Linux

# cat /etc/redhat-release
Fedora release 9 (Sulphur)

Thanks a lot in advance for any help...

And sorry if this is not 100% on topic, I know it's at the border 
between BIND and OS...


Denis


Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied

2010-08-03 Thread Denis BUCHER

Dear Lyle,

On 03.08.2010 18:17, Lyle Giese wrote:

I would like to know if I can block hosts doing that at the level of
/etc/hosts.allow or should I do it at the level of Bind itself ?

Use IPTables or add rules to your firewall. I don't believe that BIND
pays any attention to /etc/hosts.allow


Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does 
not look to be working. This was perfect :


iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP

Thanks a lot for your help

Denis


Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied

2010-08-03 Thread Denis BUCHER

On 03.08.2010 18:28, wllarso wrote:

This seems to be due to a script-kiddie.
I would like to know if I can block hosts doing that at the level of
/etc/hosts.allow or should I do it at the level of Bind itself ?
And sorry if this is not 100% on topic, I know it's at the border
between BIND and OS...


On-topic question.  Don't worry.

You could always use the blackhole directive in the BIND configuration
to avoid responding to this address.


Do you think it is better or equal to the firewall solution ?

This will prevent your server from

responding to queries from this address.  See the BIND ARM for more info
about how to use this.  The problem is that this solution would prevent a
DNS server at this address from querying your server for legitimate
purposes.  (Quickly, this address doesn't appear to be running a DNS server
at the moment.)


Yes ;-)


Then again, if you are running a firewall on your server (or in front of
it), you could always block traffic from this address as an alternative
too.  This way your DNS server would never even see these queries to have
to block.


Yes, that's what I did for the moment...


But as a more complete solution, is this an authoritative server for some
zone(s) that you are responsible for, or is this a recursive server for
your customers?


It is an authoritative server for some domains, yes...


If it is an authoritative server, then you should have it
configured to not answer recursive queries for everyone in the world.


Yes that would be interesting, does it mean that only authoritative 
zones would be allowed in queries ? In fact it seems it does not answer 
any query, as in the logs it says denied. Am I right on this point or 
not ?



If it is a recursive server, then you should be limiting who can query it and
not respond to non-authorized queries.  You can use the BIND view to
limit who is getting what from your server.

Your logs indicate this query was denied, so you may already have
your server configured to not answer these queries from this address, so
the last paragraph may not apply.


Ok


But, it is worth looking at your
configuration just to confirm your server is reasonably configured.


Ok I will check for that...

Thanks a lot for your advice, it makes things a little clearer for me 
now :-)


Denis
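An added example, not code from the thread or from ISC: a shell function that writes the named.conf settings wllarso describes (blackhole the abusive address so the server never answers it, and allow recursive queries only from a trusted list, as an authoritative server should) and validates them with named-checkconf when it is installed. The acl names, the 127.0.0.1 trusted list and the output path are choices made here.

```shell
#!/bin/sh
# Write a BIND options fragment that blackholes the given addresses and
# restricts recursion to a trusted acl. (Added example; not from the thread.)
write_dns_policy() {
    out=$1; shift                     # destination file
    abusers=$*                        # addresses to blackhole
    {
        echo 'acl "abusers" {'
        for a in $abusers; do echo "    $a;"; done
        echo '};'
        cat <<'EOF'
acl "trusted" { 127.0.0.1; };        # hosts allowed to recurse (constructed)

options {
    // Queries from the abusers acl are dropped: no answer, no log line.
    blackhole { abusers; };
    // Authoritative-only: answer everyone for our zones, but recurse
    // (and serve the cache) for the trusted list only.
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
EOF
    } > "$out"
    # Validate the syntax when the BIND tools are present.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out"
    fi
}

# Report (exit status) whether address $1 is blackholed by the file $2.
is_blackholed() {
    grep -q "^    $1;" "$2" && grep -q 'blackhole { abusers; };' "$2"
}
```

Include the generated file from named.conf and reload; `named-checkconf` reports a syntax error before the reload would.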

Strange IPv6 messages

2010-08-02 Thread Denis BUCHER

Dear all,

I have a simple question, when reloading Bind, I get these messages, and 
later on in the logs, the transfer seems to work with IPv4.


Aug  2 23:24:13 cirrus named[1581]: network unreachable resolving 
'(host)/A/IN': 2001:620::4#53
Aug  2 23:24:13 cirrus named[1581]: network unreachable resolving 
'(host)/A/IN': 2001:418:1::39#53


What should I do to avoid these messages, and why are they appearing ?

We have BIND 9.5.1-P2

Thanks a lot for any help :-)

Denis