[CentOS] bind (named) compromised?

James Pifer

jep at obrien-pifer.com
Sun Feb 9 04:19:44 UTC 2014


I'm having problems where my upstream bandwidth is being saturated. I've 
narrowed it down to a DNS issue of some type. If I stop the named 
service then my bandwidth drops to "normal" according to my untangle 
firewall.

I'm running bind-9.3.6-20.P1.el5_8.6.

I'm seeing the following in /var/log/messages:
2014-02-08T23:03:09.558315-05:00 mailserver named[3497]: network unreachable resolving 'hccforums.nl/ANY/IN': 2a00:1188:5::212#53
2014-02-08T23:03:09.558441-05:00 mailserver named[3497]: network unreachable resolving 'hccforums.nl/ANY/IN': 2001:7b8:606::85#53
2014-02-08T23:03:10.008926-05:00 mailserver named[3497]: client 174.128.253.163#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:11.001878-05:00 mailserver named[3497]: client 173.234.39.133#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:12.000487-05:00 mailserver named[3497]: client 173.234.39.133#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:13.000820-05:00 mailserver named[3497]: client 173.234.39.133#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:14.001501-05:00 mailserver named[3497]: client 192.126.118.105#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:15.005720-05:00 mailserver named[3497]: client 192.126.118.105#5209: view external: no more recursive clients: quota reached

I've tried changing the following in /etc/named.conf but it doesn't seem 
to have any effect, so I commented them back out.
tcp-clients 1000;
recursive-clients 10000;

I also see a chroot directory, but if I grep for named it doesn't appear 
to be using the chroot(?):
# ps aux | grep named
named     3497  0.4  0.7 170088 15836 ?        Ssl  23:02   0:02 /usr/sbin/named -u named
root      3763  0.0  0.0  61192   764 pts/1    S+   23:13   0:00 grep named

I've also tried adding the following to iptables, but it also seems to 
have no effect:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|09686363666f72756d73026e6c0000ff|' -j DROP -m comment --comment "DROP DNS Q hccforums.nl"

Any suggestions or troubleshooting advice?

Much appreciated.
James
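As an added triage example (editor's code, not from James or the CentOS list), the script below parses the two kinds of named log lines quoted in the post, counts quota-exhaustion events per client IP and per view, flags source ports shared across unrelated client IPs, and decodes the hex string in the posted iptables rule to show exactly which DNS question it matches. The sample log is constructed by joining the wrapped lines from the post back onto single lines; the regexes assume the syslog/named format shown there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the log lines quoted in the post, joined back
# onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
2014-02-08T23:03:09.558315-05:00 mailserver named[3497]: network unreachable resolving 'hccforums.nl/ANY/IN': 2a00:1188:5::212#53
2014-02-08T23:03:09.558441-05:00 mailserver named[3497]: network unreachable resolving 'hccforums.nl/ANY/IN': 2001:7b8:606::85#53
2014-02-08T23:03:10.008926-05:00 mailserver named[3497]: client 174.128.253.163#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:11.001878-05:00 mailserver named[3497]: client 173.234.39.133#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:12.000487-05:00 mailserver named[3497]: client 173.234.39.133#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:13.000820-05:00 mailserver named[3497]: client 173.234.39.133#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:14.001501-05:00 mailserver named[3497]: client 192.126.118.105#5209: view external: no more recursive clients: quota reached
2014-02-08T23:03:15.005720-05:00 mailserver named[3497]: client 192.126.118.105#5209: view external: no more recursive clients: quota reached
"""

# "client <ip>#<port>: view <view>: no more recursive clients: quota reached"
QUOTA_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): no more recursive clients: quota reached$"
)
# "network unreachable resolving '<qname>/<qtype>/<qclass>': <server>#<port>"
UNREACH_RE = re.compile(
    r"named\[\d+\]: network unreachable resolving "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': (?P<server>\S+)#\d+$"
)


def summarize(log_text):
    """Count quota-reached events per client and per view, record the
    source ports each client used, and count failing upstream lookups."""
    per_client, per_view, unreachable = Counter(), Counter(), Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = QUOTA_RE.search(line)
        if m:
            per_client[m["ip"]] += 1
            per_view[m["view"]] += 1
            ports[m["ip"]].add(int(m["port"]))
            continue
        m = UNREACH_RE.search(line)
        if m:
            unreachable[(m["qname"], m["qtype"])] += 1
    return {"per_client": per_client, "per_view": per_view,
            "ports": ports, "unreachable": unreachable}


def findings(summary):
    """Turn the counts into the observations a responder would write down."""
    notes = []
    ext = summary["per_view"].get("external", 0)
    if ext:
        notes.append(f"external view exhausted the recursive-client quota {ext} times")
    # One source port reused by several unrelated client IPs is worth noting:
    # ordinary stub resolvers pick their own ports independently.
    shared = Counter(p for s in summary["ports"].values() for p in s)
    for port, n in sorted(shared.items()):
        if n > 1:
            notes.append(f"source port {port} shared by {n} distinct client IPs")
    for (qname, qtype), n in sorted(summary["unreachable"].items()):
        if qtype == "ANY":
            notes.append(f"ANY lookups for {qname} failing upstream ({n} times)")
    return notes


def decode_dns_question(hexstr):
    """Decode the QNAME + QTYPE bytes that the post's iptables --hex-string
    matches: length-prefixed labels, a zero terminator, then a 16-bit type."""
    data = bytes.fromhex(hexstr.strip("|"))
    labels, i = [], 0
    while True:
        length = data[i]
        i += 1
        if length == 0:
            break
        labels.append(data[i:i + length].decode("ascii"))
        i += length
    qtype = int.from_bytes(data[i:i + 2], "big")   # 255 is QTYPE ANY
    return ".".join(labels), qtype


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, n in s["per_client"].most_common():
        print(f"{ip}: {n} quota-reached events, ports {sorted(s['ports'][ip])}")
    for note in findings(s):
        print("finding:", note)
    print("iptables rule matches:", decode_dns_question("|09686363666f72756d73026e6c0000ff|"))
```

Run it against a real /var/log/messages with `summarize(open("/var/log/messages").read())`; the per-client counts tell you whether the quota is being exhausted by a handful of addresses, and the decoded question confirms the posted rule only drops ANY queries for that one name, so it cannot help against other names or query types.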


