On 09/19/2017 08:25 AM, Chris wrote:
On Tue, 2017-09-19 at 08:16 -0500, Chris wrote:
On Tue, 2017-09-19 at 07:45 -0500, David Jones wrote:

On 09/18/2017 06:03 PM, Chris wrote:
[snip]

localhost dnsmasq[2323]: started, version 2.75 cachesize 150
localhost dnsmasq[2323]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
localhost dnsmasq-dhcp[2323]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
localhost dnsmasq-dhcp[2323]: DHCP, sockets bound exclusively to interface virbr0
localhost dnsmasq[2323]: reading /etc/resolv.conf
localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
localhost dnsmasq[2323]: read /etc/hosts - 7 addresses
localhost dnsmasq[2323]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
localhost dnsmasq-dhcp[2323]: read /var/lib/libvirt/dnsmasq/default.hostsfile

I'm not really running a mail server in the true sense of the word, I believe. Fetchmail queries my email accounts and pipes the messages through procmail. Anything that doesn't already have a recipe is run through SA. I'm just using Bind to speed up the queries that SA makes. I believe I'm stating that correctly, but who knows, could be way off.

If I can give any other information I'll be glad to do it. Again, I have no idea why the queries are going to 168.150.251.35. There hasn't been another query to isipp since a bit after noon. I'll see what happens the next time there is one.

Run 'netstat -tunlap | grep ":53 "' and see what is listening on port 53 as your DNS server.  You probably need to remove/uninstall dnsmasq.

Here's my output:

# netstat -tunlap | grep ":53 "
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      24019/pdns_recursor
udp        0      0 127.0.0.1:53                0.0.0.0:*                               24019/pdns_recursor

Once you know you are only running named on port 53, then make sure your named.conf doesn't have any forwarders defined in the options section.

Now check your logs and see if you are still getting a lot of refused responses.  BIND should be doing full recursive lookups directly to the authoritative DNS servers just like you saw with the "dig +trace" command.

David, here's my output. I ran as sudo to see all inclusive:

sudo netstat -tunlap | grep ":53"
[sudo] password for chris:
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1245/named
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1316/dnsmasq
tcp        0      0 192.168.0.51:53         0.0.0.0:*               LISTEN      1245/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1245/named
tcp        0      0 192.168.0.51:56697      192.52.178.30:53        TIME_WAIT   -
tcp        1      1 192.168.0.51:33475      198.97.190.53:53        CLOSING     -
tcp        0      0 192.168.0.51:52483      192.5.6.30:53           TIME_WAIT   -
tcp        0      0 192.168.0.51:57335      192.5.6.30:53           TIME_WAIT   -
tcp        0      0 192.168.0.51:56609      192.52.178.30:53        TIME_WAIT   -
tcp        0      0 192.168.0.51:36143      199.19.56.1:53          TIME_WAIT   -
tcp        0      0 192.168.0.51:47629      199.7.83.42:53          TIME_WAIT   -
tcp        0      0 192.168.0.51:58201      192.48.79.30:53         TIME_WAIT   -
tcp        0      0 192.168.0.51:53145      199.19.56.1:53          TIME_WAIT   -
tcp        0      0 192.168.0.51:55073      199.7.83.42:53          TIME_WAIT   -
tcp        0      0 192.168.0.51:41719      192.48.79.30:53         TIME_WAIT   -
tcp        1      1 192.168.0.51:40633      198.97.190.53:53        CLOSING     -
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2323/dnsmasq
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1245/named
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1316/dnsmasq
udp        0      0 192.168.0.51:53         0.0.0.0:*                           1245/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1245/named
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1533/snapweb
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1004/avahi-daemon:
udp6       0      0 :::5353                 :::*                                1533/snapweb
udp6       0      0 :::5353                 :::*                                1004/avahi-daemon:



I neglected to insert my /etc/bind/named.conf.options file:

acl goodclients {
        127.0.0.1;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";
        geoip-directory "/usr/share/GeoIP";

        recursion yes;
        allow-query { goodclients; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        //forwarders {
        //127.0.0.1;
        //};

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        //dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        //listen-on-v6 { any; };
        listen-on { any; };
};


Change this in the named.conf.options and BIND should be fine:

listen-on { 127.0.0.1; };

Uninstall dnsmasq and make sure it's no longer listening on 127.0.1.1:53 just to keep things simple.

Your /etc/resolv.conf should be pointed to 127.0.0.1, which it should already be based on the dig +trace output.

Now check your logs to see if you are still getting odd queries to destinations that aren't authoritative DNS servers which are being refused. Use dig +trace to check responses which should match the http://multirbl.valli.org site responses for that particular RBL or whitelist excluding IVM which is a subscription-based RBL.

--
David Jones
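The two checks David describes in this thread (which processes own port 53, and whether named.conf.options has an active forwarders block and what listen-on is set to) can be scripted. The following is an added example written for this page, not code from either participant; the netstat output and the named.conf.options fragment embedded in it are constructed to resemble the lines posted above, and the function names are my own.

```python
"""Resolver sanity checks: who owns port 53, and is BIND configured to
recurse directly rather than forward?  Added example; the sample inputs
below are constructed, modelled on the thread's netstat and config output."""

import re
from typing import Dict, List, Set

# Constructed `netstat -tunlap` output: named on several addresses,
# dnsmasq also bound to 127.0.1.1 and 192.168.122.1, plus unrelated noise.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1245/named
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1316/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1245/named
tcp        0      0 192.168.0.51:56697      192.52.178.30:53        TIME_WAIT   -
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2323/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1245/named
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1004/avahi-daemon:
"""

# Constructed named.conf.options fragment with the forwarders block
# commented out and listen-on left at "any", as in the thread.
SAMPLE_NAMED_CONF = """\
options {
        directory "/var/cache/bind";
        recursion yes;
        //forwarders {
        //127.0.0.1;
        //};
        auth-nxdomain no;    # conform to RFC1035
        listen-on { any; };
};
"""


def port53_listeners(netstat_text: str) -> Dict[str, Set[str]]:
    """Map program name -> set of 'proto local-address' sockets bound to port 53.

    Only sockets whose *local* address is :53 count.  Outbound connections to
    a remote :53 (the TIME_WAIT rows) are skipped, which is why a plain
    grep for ":53" produces a noisy list.
    """
    listeners: Dict[str, Set[str]] = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # tcp rows have a State column, udp rows do not; PID/Program is always last.
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local = fields[0], fields[3]
        if not local.endswith(":53"):
            continue
        pid_prog = fields[-1]  # "-" when the socket owner is not visible (run as root)
        prog = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
        listeners.setdefault(prog, set()).add(f"{proto} {local}")
    return listeners


def strip_named_comments(text: str) -> str:
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _block_values(conf_text: str, key: str) -> List[str]:
    """Return the ';'-separated entries of `key { ... }` once comments are removed."""
    code = strip_named_comments(conf_text)
    m = re.search(r"\b" + re.escape(key) + r"\s*\{([^}]*)\}", code)
    if not m:
        return []
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def active_forwarders(conf_text: str) -> List[str]:
    """Addresses in an uncommented forwarders block; [] means BIND recurses itself."""
    return _block_values(conf_text, "forwarders")


def listen_on(conf_text: str) -> List[str]:
    """Entries of the listen-on block (listen-on-v6 is a different key and is ignored)."""
    return _block_values(conf_text, "listen-on")


def report(netstat_text: str, conf_text: str) -> Dict[str, object]:
    """Summarise both checks: extra port-53 owners, forwarders, listen-on."""
    owners = port53_listeners(netstat_text)
    return {
        "other_port53_programs": sorted(p for p in owners if p != "named"),
        "forwarders": active_forwarders(conf_text),
        "listen_on": listen_on(conf_text),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_NETSTAT, SAMPLE_NAMED_CONF).items():
        print(f"{key}: {value}")
```

On a live host, feed it the real output of `netstat -tunlap` (run as root so the PID/Program column is populated) and the contents of /etc/bind/named.conf.options; an empty `other_port53_programs` list, an empty `forwarders` list, and `listen_on` reduced to `127.0.0.1` is the end state David describes.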
