On Sun, Feb 9, 2014 at 3:55 PM, Peter Eckel lists@eckel-edv.de wrote:
Hi James,
you seem to be running an open DNS resolver, is that correct? And if so, do you do it intentionally?
Nux! and Peter are almost certainly correct.
If the OP was to run tcpdump with the -A flag on the external/public-facing interface, I'd expect he'll see a slew of ANY queries.
# untested # but the pipe to grep should highlight the word any while still displaying everything tcpdump's filter matches on (dns queries on port 53) tcpdump -i <public-facing_interface> -nnA port 53 | grep --color -i -E 'any|$'
The OP likely doesn't want to be an open recursive DNS server.
He can rate-limit DNS queries per source or better yet, set up bind views and separate ACLs ... trusted hosts in one and everyone else (external Internet hosts) in the other. In the internal/trusted view leave recursion enabled for those hosts (I expect that's what you want). AND most importantly in the external view _disable_ recursion. If there's no reason for you to answer any queries on your public facing interface, then disable it all together (you could be running an authoritative name server on that box, so you wouldn't want to do that!).
Tips to secure your BIND install ... brought to you by Team Cymru [0]
And while you're at it, if you're running ntpd - secure it too [1] if you haven't already. (Essentially disable monitor/monlist command responses.)
[0] http://www.cymru.com/Documents/secure-bind-template.html [1] http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
I just received an US-CERT alert today that warns about ongoing amplification attacks, among others against DNS, but also against some other UDP based services.
https://www.us-cert.gov/ncas/alerts/TA14-017A
From the symptoms you describe I'd say that your DNS server is being used in such an attack.
I also see a chroot directory, but if I grep for named it doesn't appear to be using the chroot(?): # ps aux | grep named named 3497 0.4 0.7 170088 15836 ? Ssl 23:02 0:02 /usr/sbin/named -u named root 3763 0.0 0.0 61192 764 pts/1 S+ 23:13 0:00 grep
named
Do you have the bind-chroot package installed?
Best regards,
Peter.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos