Presumably the requests are generally coming from a limited subset of
addresses.
I suggest grepping your logs, and pulling out all the requests matching
those patterns.
Then pull out the distinct addresses.
Then just put a firewall block rule in place.
That's what I do for the email spammers.
On 07/04/13 10:00, Nigel Allen wrote:
Greetings
I had been puzzling for a while why my combined mail/web/dns server was
getting slower and slower until I realised my mistake. I had
inadvertently left my named available for the entire world to do
recursive queries on. I have since then fixed the problem by only
allowing my 2 local networks the ability. My router (and with it my ADSL
connection) however remains plagued with requests.
When I look in my messages file now I see things like this:
Apr 7 09:35:29 www named[3389]: client 84.111.27.79#43162: query (cache) './ANY/IN' denied
Apr 7 09:35:29 www named[3389]: client 82.8.158.243#13493: query (cache) './ANY/IN' denied
Apr 7 09:35:29 www named[3389]: client 84.111.27.79#43162: query (cache) './ANY/IN' denied
Apr 7 09:35:29 www named[3389]: client 82.8.158.243#13493: query (cache) './ANY/IN' denied
Apr 7 09:35:33 www named[3389]: client 84.111.27.79#46407: query (cache) './ANY/IN' denied
Apr 7 09:35:33 www named[3389]: client 82.8.158.243#7064: query (cache) './ANY/IN' denied
Apr 7 09:35:37 www named[3389]: client 84.111.27.79#54773: query (cache) './ANY/IN' denied
Apr 7 09:35:38 www named[3389]: client 82.8.158.243#49354: query (cache) './ANY/IN' denied
Apr 7 09:35:42 www named[3389]: client 84.111.27.79#55616: query (cache) './ANY/IN' denied
Apr 7 09:35:42 www named[3389]: client 82.8.158.243#49660: query (cache) './ANY/IN' denied
Apr 7 09:35:42 www named[3389]: client 84.111.27.79#55616: query (cache) './ANY/IN' denied
Apr 7 09:35:46 www named[3389]: client 84.111.27.79#42538: query (cache) './ANY/IN' denied
Apr 7 09:35:46 www named[3389]: client 82.8.158.243#60349: query (cache) './ANY/IN' denied
Apr 7 09:35:50 www named[3389]: client 84.111.27.79#23761: query (cache) './ANY/IN' denied
Apr 7 09:35:50 www named[3389]: client 82.8.158.243#16312: query (cache) './ANY/IN' denied
Apr 7 09:35:54 www named[3389]: client 84.111.27.79#15570: query (cache) './ANY/IN' denied
Apr 7 09:35:55 www named[3389]: client 82.8.158.243#44390: query (cache) './ANY/IN' denied
Apr 7 09:35:59 www named[3389]: client 84.111.27.79#58973: query (cache) './ANY/IN' denied
Apr 7 09:36:00 www named[3389]: client 82.8.158.243#27353: query (cache) './ANY/IN' denied
Apr 7 09:36:00 www named[3389]: client 84.111.27.79#58973: query (cache) './ANY/IN' denied
Apr 7 09:36:04 www named[3389]: client 84.111.27.79#43818: query (cache) './ANY/IN' denied
Then a few really weird ones
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58219: query (cache) './ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'iomjkpaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'bbcalfaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'bjlclgaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'mfooljaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'nmfklkaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'poimllaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'goeclmaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'pfenloaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'npmilpaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'nifjmdaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'dhlmmeaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'hjnfnlaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'coppgdaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
Apr 6 11:22:47 www named[3389]: client 108.168.172.162#58220: query (cache) 'mipfghaaaaelf0000deaaabaaafbgpja/ANY/IN' denied
As you can see from the time stamps, it is almost constant. Performance
is vastly improved since I stopped allowing recursion but I would like
to see if I can get this any better. The real trick would be to halt
this at the perimeter but I can't just block named requests at the router
as we act as primary dns server for a few small domains that we house
and look after.
Can anyone suggest any way we can move this forward?
TIA
Nigel.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
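
The grep, de-duplicate and block steps suggested in the reply, as an added example that is not part of either poster's message: it counts denied ANY queries per client address in named syslog lines and prints candidate iptables rules for review. The function names, the threshold argument and the choice of the INPUT chain on the server itself are assumptions, and the sample log lines are constructed; since these queries arrive over UDP the logged source can be forged, so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example: summarise denied named ANY queries per client address.

# Constructed sample in the same format as the named messages in the thread
# (addresses come from documentation ranges, not from the thread).
sample_log() {
cat <<'EOF'
Apr 7 09:35:29 www named[3389]: client 192.0.2.10#43162: query (cache) './ANY/IN' denied
Apr 7 09:35:29 www named[3389]: client 198.51.100.7#13493: query (cache) './ANY/IN' denied
Apr 7 09:35:33 www named[3389]: client 192.0.2.10#46407: query (cache) './ANY/IN' denied
Apr 7 09:35:37 www named[3389]: client 192.0.2.10#54773: query (cache) 'example.test/ANY/IN' denied
Apr 7 09:35:40 www named[3389]: client 203.0.113.5#5353: query (cache) 'example.org/A/IN' denied
Apr 7 09:35:41 www sshd[411]: Failed password for root from 192.0.2.10 port 22 ssh2
EOF
}

# denied_clients MIN: read syslog on stdin and print "count address" for each
# IPv4 client with at least MIN denied ANY queries, busiest first.
denied_clients() {
    awk -v min="${1:-1}" '
        / named\[[0-9]+\]: client / && /\/ANY\/IN. denied$/ {
            for (i = 1; i < NF; i++) if ($i == "client") { addr = $(i + 1); break }
            sub(/#[0-9]+:$/, "", addr)      # strip the "#port:" suffix
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[addr]++
        }
        END { for (a in hits) if (hits[a] >= min) print hits[a], a }
    ' | sort -k1,1nr -k2,2
}

# block_rules MIN: turn that list into iptables commands, printed for review
# and not executed (assumes filtering on the name server, INPUT chain).
block_rules() {
    denied_clients "${1:-1}" | while read -r count addr; do
        printf 'iptables -I INPUT -s %s -p udp --dport 53 -j DROP  # %s denied queries\n' "$addr" "$count"
    done
}

sample_log | block_rules 2
```

On a live system, feed the real log in place of `sample_log`, for example `denied_clients 100 < /var/log/messages`, with a threshold chosen so that a resolver making an occasional refused query is not listed.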