Re: loads of Query denied... is it an attack or a misconfiguration ?
On Wed, Feb 11, 2009 at 01:21:35AM +0100, Thomas Manson <dev.mansontho...@gmail.com> wrote a message of 88 lines which said:

> I believed I was on the bind mailing list, a mailing list is where you usually get some help... isn't it?

You're right, it's a shame. Ask immediately for a refund, both for your registration to the mailing list and for BIND itself.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: loads of Query denied... is it an attack or a misconfiguration ?
On Wed, Feb 11, 2009 at 01:35:31AM +0100, Thomas Manson <dev.mansontho...@gmail.com> wrote a message of 80 lines which said:

> I'll temporarily block the IP on my firewall

Very bad idea, since it is forged. You do exactly what the attacker wanted you to do.

The proper thing to do is:
https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
Re: loads of Query denied... is it an attack or a misconfiguration ?
Well...

>> I'll temporarily block the IP on my firewall
>
> Very bad idea, since it is forged. You do exactly what the attacker wanted you to do.
>
> The proper thing to do is:
> https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

This is the kind of response I expect: an answer from someone who knows the subject to a person who doesn't...

In this case, I could do nothing (and let the attack be done) or do things wrong that amplify the attack. Is that something everyone would want? If so, just tell me, I'll set up the DoS attack myself, if it's in the general interest!

> Please go read the list archives.

This encourages doing nothing: I have a working system (my domain names are resolved across the internet), so why care more? And then let the DNS system get attacked... great...

On Wed, Feb 11, 2009 at 08:59, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> On Wed, Feb 11, 2009 at 01:21:35AM +0100, Thomas Manson <dev.mansontho...@gmail.com> wrote a message of 88 lines which said:
>
>> I believed I was on the bind mailing list, a mailing list is where you usually get some help... isn't it?
>
> You're right, it's a shame. Ask immediately for a refund, both for your registration to the mailing list and for BIND itself.
Re: loads of Query denied... is it an attack or a misconfiguration ?
An intelligently designed firewall rule that drops the incoming requests isn't doing exactly what the attacker wants. It's the opposite.

The main effect of forged lookups is a response flood. And so it is also intended to flood the victim with overwhelming amounts of DNS responses. It, like any solution, is a two-edged blade. Allowing all the responses to flow back to the victim floods them. Dropping the incoming request prevents that, but it also prevents them from doing lookups on your nameserver for domains that you are authoritative for. So if you drop all these forged queries to your authoritative nameservers save one or two, the victim will get less traffic and still be able to do lookups - they'll just take a wee bit longer on average.

If your nameserver is only getting one or two of these every several minutes, then your impact on the victim is insignificant and you need not take any action - assuming your BIND configuration is proper. However, if you happen to be a fat target and you're getting dozens or hundreds of these per second, then you're having a significant impact on the victim and that particular server should do some filtering.

Firewalls are smart these days. It's entirely possible to do some deep packet inspection and drop only the "." requests, and/or do rate limiting. The only firewalls left that can't do this are ancient beasts that have too many layers of dust on them.

So in addition to ensuring your BIND configuration is set up properly to refuse upward referrals, recursion, answers from cache to strangers and so forth and so on, it is also important to judiciously apply firewall rules. There can be more than one proper thing to do.

-d

Stephane Bortzmeyer wrote:
> On Wed, Feb 11, 2009 at 01:35:31AM +0100, Thomas Manson <dev.mansontho...@gmail.com> wrote a message of 80 lines which said:
>
>> I'll temporarily block the IP on my firewall
>
> Very bad idea, since it is forged. You do exactly what the attacker wanted you to do.
> The proper thing to do is:
> https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

--
Linux: freedom to build is good
Please top-post and trim when replying to my messages. I most often read mail on a small device.
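The disagreement above (block, rate-limit, or do nothing) turns on two things the logs can tell you: whether named actually refused the root NS queries, and how many of them per second each spoofed source address is generating. The script below is an added example, not code from anyone in this thread. It parses querylog lines in the shape Matthew posts later in the thread, plus the "query (cache) './NS/IN' denied" lines that Mark quotes (named emits those under the security category; the exact layout with the view name in it is an assumption, so adjust the regex for your version). The sample log is constructed. Note what the output means: the addresses it flags are the spoofed sources, i.e. the victims of the reflection, so they are a list of destinations to rate-limit responses toward, never a list of attackers to blacklist.

```python
"""Correlate root-NS queries with refusals in BIND logs and find flooded sources.
Added example; standard library only."""
import re
from collections import Counter, defaultdict

# Log line shapes handled here. The querylog shape is the one in the thread; the
# "denied" shape is assumed from the error string quoted in the thread (named logs
# it under the security category) and may differ slightly between BIND versions.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[a-z-]+): (?:(?:info|notice|warning|error): )?"
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>[^:]+): )?(?P<msg>.*)$"
)
QUERY_RE = re.compile(r"^query: (?P<name>\S+) IN (?P<type>[A-Z0-9]+)\b")
DENIED_RE = re.compile(r"^query \(cache\) '(?P<name>[^/]+)/(?P<type>[A-Z0-9]+)/IN' denied$")


def parse_line(line):
    """Return a dict for a client log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "ip": m["ip"], "port": int(m["port"]), "view": m["view"],
           "kind": "other", "name": None, "type": None}
    for kind, rx in (("query", QUERY_RE), ("denied", DENIED_RE)):
        q = rx.match(m["msg"])
        if q:
            rec.update(kind=kind, name=q["name"], type=q["type"])
            break
    return rec


def analyze(log_text, threshold_per_second=10):
    """Correlate root-NS queries with refusals and find sources being flooded.

    victims:     spoofed source IPs whose peak root-NS query rate reached the threshold
    unconfirmed: (ip, port) root-NS queries with no matching 'denied' line, meaning the
                 server answered them or is not logging the security category
    denied:      number of refused root-NS queries
    """
    per_second = Counter()      # (ip, "DD-Mon-YYYY HH:MM:SS") -> root-NS queries in that second
    root_ns = {}                # (ip, port) -> timestamp of the query
    denied = set()              # (ip, port) that named logged as refused
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (rec["name"], rec["type"]) != (".", "NS"):
            continue
        key = (rec["ip"], rec["port"])
        if rec["kind"] == "query":
            per_second[(rec["ip"], rec["ts"][:20])] += 1
            root_ns[key] = rec["ts"]
        elif rec["kind"] == "denied":
            denied.add(key)
    peak = defaultdict(int)
    for (ip, _second), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {
        "victims": sorted((ip, n) for ip, n in peak.items() if n >= threshold_per_second),
        "unconfirmed": sorted(k for k in root_ns if k not in denied),
        "denied": len(denied),
    }


def _constructed_flood(ip, first_port, n):
    """Constructed sample: n root-NS queries from one spoofed source inside one second,
    each followed by the refusal named would log for it."""
    lines = []
    for i in range(n):
        ms = 100 + 7 * i
        head = f"11-Feb-2009 09:34:25.{ms:03d} queries: client {ip}#{first_port + i}: view external-in: "
        lines.append(head + "query: . IN NS +")
        lines.append(f"11-Feb-2009 09:34:25.{ms + 1:03d} security: client {ip}#{first_port + i}: "
                     "view external-in: query (cache) './NS/IN' denied")
    return lines


# Constructed sample log: a 12/s burst from one spoofed source (all refused), one
# root-NS query with no refusal logged, one ordinary authoritative query, one junk line.
SAMPLE_LOG = "\n".join(_constructed_flood("198.51.100.7", 40000, 12) + [
    "11-Feb-2009 09:35:04.525 queries: info: client 203.0.113.9#58313: view external-in: query: . IN NS +",
    "11-Feb-2009 09:35:28.121 queries: client 192.0.2.10#48472: view external-in: query: foo.com IN A -EDC",
    "this line is not a client record and is skipped",
])

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run it against a real querylog with `analyze(open("query.log").read())`; anything in `unconfirmed` is either a query that was answered (check the configuration) or a sign that the security category is not being logged at all, which is exactly the situation where the querylog alone looks alarming but tells you nothing about what went out.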
RE: loads of Query denied... is it an attack or a misconfiguration ?
I've been aware of this problem since it first came up on this and nanog's list, but I'm having some configuration issues trying to make the upward referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS queries being answered in the log:

11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +

My config follows, any suggestion?

options {
        directory "/var/named";
        pid-file "/var/named/named.pid";
        statistics-file "/var/named/named.stats";
        memstatistics-file "/var/named/named.memstats";
        dump-file "/var/adm/named.dump";
        zone-statistics yes;
        notify no;
        transfer-format many-answers;
        max-transfer-time-in 60;
        interface-interval 0;
        recursion no;
        allow-transfer { xfer; };
        allow-query { none; };
        allow-recursion { none; };
        additional-from-auth no;
        additional-from-cache no;
};

view "internal-in" in {
        match-clients { trusted; };
        recursion yes;
        additional-from-auth yes;
        additional-from-cache yes;
        allow-query { trusted; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };

        zone "." in {
                type hint;
                file "db.cache";
        };
        zone "0.0.127.in-addr.arpa" in {
                type master;
                file "master/db.127.0.0";
                allow-query { any; };
                allow-transfer { none; };
        };
        zone "foo.com" in {
                type master;
                file "master/db.foo";
        };
        ...
};

view "external-in" in {
        match-clients { any; };
        recursion no;
        allow-transfer { xfer; };
        allow-query { none; };
        allow-recursion { none; };
        additional-from-auth no;
        additional-from-cache no;

        zone "." in {
                type hint;
                file "db.cache";
        };
        zone "foo.com" in {
                type master;
                file "master/db.foo";
                allow-query { any; };
        };
        ...
};

Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139
RE: loads of Query denied... is it an attack or a misconfiguration ?
On Wed, 11 Feb 2009, Matthew Huff wrote:

> I've been aware of this problem since it first came up on this and nanog's list, but I'm having some configuration issues trying to make the upward referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS queries being answered in the log:
>
> [...]
>
> My config follows, any suggestion?
>
> [...]

Matthew, the querylog shows what was queried. To see what is answered, try digging your external interface. Here is my external view:

view "external" {
        // Primary nameserver for maplepark.com.
        match-clients { any; };
        recursion no;
        additional-from-cache no;
        // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
        zone "maplepark.com" {
                type master;
                notify yes;
                allow-transfer { slave-name-servers; };
                file "/var/named/drf/external/maplepark.com.external.";
        };
        zone "." {
                type hint;
                file "named.ca";
        };
        // Update this hint by: /usr/local/sbin/update-root-cache
};

And the result of the external query:

[...@maplepark ~]$ dig +bufsize=4096 @64.216.205.121 . NS

; <<>> DiG 9.6.0-P1 <<>> +bufsize=4096 @64.216.205.121 . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 0 msec
;; SERVER: 64.216.205.121#53(64.216.205.121)
;; WHEN: Wed Feb 11 08:53:04 2009
;; MSG SIZE  rcvd: 28

[...@maplepark ~]$

Note that the status is REFUSED and MSG SIZE is 28 bytes.

And the querylog has this:

11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E

Try digging. AFAICT your conf should return REFUSED.

Dave
--
David Forrest                           e-mail d...@maplepark.com
Maple Park Development Corporation      http://www.maplepark.com
St. Louis, Missouri
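Dave's point is that the querylog records the question, not the answer; only the wire tells you whether the reply was a 28-byte REFUSED or a referral carrying the whole root NS set. The script below is an added example, not Dave's, Matthew's or ISC's code. It builds the same query dig sends (". NS", RD set, EDNS buffer 4096), parses a reply header and classifies it, and constructs a mock upward referral so the amplification ratio of the two replies can be compared side by side. The server names under example. and the 192.0.2.0/24 glue addresses in the mock referral are placeholders, not real root data, and the function names are mine. `probe()` sends the query to a real server and is the one piece that needs the network; everything else runs offline.

```python
"""Build a '. NS' query, parse the reply, and tell a REFUSED reply from an
amplifying upward referral. Added example; standard library only."""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_A, TYPE_NS, TYPE_OPT, CLASS_IN = 1, 2, 41, 1


def encode_name(name):
    """Wire-format a dotted name; '.' (the root) is a single zero byte."""
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_record(bufsize=4096):
    """EDNS0 OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP payload size, TTL 0, empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)


def build_query(name=".", qtype=TYPE_NS, qid=0x6A3F, bufsize=4096):
    """Same shape as `dig +bufsize=4096 . NS`: RD set, one question, one OPT record (28 bytes)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN) + opt_record(bufsize)


def _question(query):
    """Return the question section of a single-question query (name + QTYPE + QCLASS)."""
    end = 12
    while query[end] != 0:            # walk the labels to the terminating zero byte
        end += 1 + query[end]
    return query[12:end + 1 + 4]


def build_refused_response(query):
    """What a correctly configured authoritative server returns: QR|RD, RCODE 5, question and OPT echoed."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8000 | 0x0100 | 5, 1, 0, 0, 1)
    return header + _question(query) + opt_record()


def build_referral_response(query, servers):
    """Mock-up of an upward referral: empty ANSWER, one NS per server in AUTHORITY, A glue in ADDITIONAL.
    `servers` is a list of (name, ipv4) pairs; the ones used below are constructed placeholders."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8000 | 0x0100, 1, 0, len(servers), len(servers) + 1)
    authority = b"".join(
        encode_name(".") + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 518400, len(encode_name(n))) + encode_name(n)
        for n, _ in servers)
    glue = b"".join(
        encode_name(n) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 518400, 4) + socket.inet_aton(ip)
        for n, ip in servers)
    return header + _question(query) + authority + glue + opt_record()


def assess(query, response):
    """Parse the reply header and classify it: REFUSED and small is what we want; NOERROR with an
    empty answer and a populated AUTHORITY section is the amplifier the DNS-OARC article describes."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0xF
    if rcode == 5:
        verdict = "refused"
    elif rcode == 0 and an == 0 and ns > 0:
        verdict = "referral"
    else:
        verdict = "other"
    return {
        "id_matches": qid == struct.unpack("!H", query[:2])[0],
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "qr": bool(flags & 0x8000),
        "counts": (qd, an, ns, ar),
        "size": len(response),
        "amplification": round(len(response) / len(query), 1),
        "verdict": verdict,
    }


def probe(server, timeout=2.0):
    """Send the query to a real server over UDP and assess the reply (needs the network; not run offline)."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return assess(query, data)


if __name__ == "__main__":
    q = build_query()
    good = build_refused_response(q)
    # constructed placeholder root set: a.example. .. m.example. with documentation-range glue
    bad = build_referral_response(q, [(f"{c}.example.", f"192.0.2.{i + 1}") for i, c in enumerate("abcdefghijklm")])
    print("query bytes:", len(q))
    print("REFUSED  ->", assess(q, good))
    print("referral ->", assess(q, bad))
```

The REFUSED reply is exactly the 28 bytes Dave's dig reports (12-byte header, 5-byte root question, 11-byte OPT), so the amplification factor is 1.0 and a spoofing attacker gains nothing from you. The mock referral, even with thirteen short placeholder names and no compression tricks, comes back more than twenty times larger than the query, which is why the attacker wants the question answered rather than refused. `probe("192.0.2.53")` against your own external address is the check to run after changing the view.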
RE: loads of Query denied... is it an attack or a misconfiguration ?
Thanks to David Forrest, I realize now that the query IS being refused, however nothing in the bind log shows the refusal. Is there any way to see that in the log?

Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-----Original Message-----
From: David Forrest [mailto:d...@maplepark.com]
Sent: Wednesday, February 11, 2009 10:11 AM
To: Matthew Huff
Cc: 'bind-users@lists.isc.org'
Subject: RE: loads of Query denied... is it an attack or a misconfiguration ?

On Wed, 11 Feb 2009, Matthew Huff wrote:

> I've been aware of this problem since it first came up on this and nanog's list, but I'm having some configuration issues trying to make the upward referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS queries being answered in the log:
>
> [...]

Matthew, the querylog shows what was queried. To see what is answered, try digging your external interface. Here is my external view:

[...]

Note that the status is REFUSED and MSG SIZE is 28 bytes.

And the querylog has this:

11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E

Try digging. AFAICT your conf should return REFUSED.

Dave
--
David Forrest                           e-mail d...@maplepark.com
Maple Park Development Corporation      http://www.maplepark.com
St. Louis, Missouri
Re: loads of Query denied... is it an attack or a misconfiguration ?
Please go read the list archives.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: loads of Query denied... is it an attack or a misconfiguration ?
In message <f43eb7e60902101552l524787b1t72fcc821437af...@mail.gmail.com>, Thomas Manson writes:

The subject matter has been discussed in lots of detail over the last month. Go read the archives of the mailing list.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: loads of Query denied... is it an attack or a misconfiguration ?
That's some awesome answer... (did you get helped to elaborate it?)

Equivalent: google is your friend, search the RFCs.

Then... read the list archives... I guess I can spend the next ten years if I read it from the beginning.

Could you give any clue of what to look for?

I believed I was on the bind mailing list, a mailing list is where you usually get some help... isn't it?

Thomas.

On Wed, Feb 11, 2009 at 00:52, Thomas Manson <dev.mansontho...@gmail.com> wrote:
> On Wed, Feb 11, 2009 at 00:51, Mark Andrews <mark_andr...@isc.org> wrote:
>> Please go read the list archives.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: loads of Query denied... is it an attack or a misconfiguration ?
In message <f43eb7e60902101621y66133c17lc46a1df451f1b...@mail.gmail.com>, Thomas Manson writes:

> That's some awesome answer... (did you get helped to elaborate it?)
>
> Equivalent: google is your friend, search the RFCs.

Feeding the error message into Google would have given you lots of relevant information.

        query (cache) './NS/IN' denied

I didn't want to start yet another debate about what is the right thing to do.

Mark

> Then... read the list archives... I guess I can spend the next ten years if I read it from the beginning.
>
> Could you give any clue of what to look for?
>
> I believed I was on the bind mailing list, a mailing list is where you usually get some help... isn't it?
>
> Thomas.
>
> On Wed, Feb 11, 2009 at 00:52, Thomas Manson <dev.mansontho...@gmail.com> wrote:
>> On Wed, Feb 11, 2009 at 00:51, Mark Andrews <mark_andr...@isc.org> wrote:
>>> Please go read the list archives.
>>>
>>> Mark
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: loads of Query denied... is it an attack or a misconfiguration ?
Someone answers me. You could just have said "search for reflector DoS attack in the list archive"; this would have narrowed down my research a lot.

I'll temporarily block the IP on my firewall.

On Wed, Feb 11, 2009 at 01:21, Mark Andrews <mark_andr...@isc.org> wrote:
> In message <f43eb7e60902101552l524787b1t72fcc821437af...@mail.gmail.com>, Thomas Manson writes:
>
> The subject matter has been discussed in lots of detail over the last month. Go read the archives of the mailing list.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org