Hello,
I have a 2 bind nameservers on my network (both running C3.9). Over the last 3 weeks, I've seen a significant increase in the amount of denied cache queries to DNS service and I'm wondering if I should be worried or if there's something I can do to resolve or prevent this.
I show millions of lines like: Oct 4 11:49:30 dns1 named[878]: client 68.13.16.20#53535: query (cache) denied
If I trim out those and the last message repeated lines, I go from a messages log of 1.8GB to 1.3MB but 2 weeks earlier my messages log for the week was only 339M.
Googling for the query (cache) denied didn't seem find anything useful, that this is other name servers attempting to query my servers for info.
Its this something I need to bear with in having a publically available DNS server with authoritative domains? Is there a way to suppress these messages from going to syslog and is it a bad idea to do so?
There have been no configuration changes except to add 1 or 2 domains to the nameservers.
Any help in understanding this would be great.
Thanks, Rick
I'm just spit balling, but this doesn't sound like good normal behavior. Off handedly it sounds like a DNS poison or transfer attempt. I'm not entirely certain a centos mailing list is a good venue for this question. I would try asking in SecurityFocus.
Geoff
Sent from my BlackBerry wireless handheld.
-----Original Message----- From: Rick Barnes linux@sitevision.com
Date: Thu, 04 Oct 2007 17:42:19 To:CentOS mailing list centos@centos.org Subject: [CentOS] [OT] DNS queries issue
Hello,
I have a 2 bind nameservers on my network (both running C3.9). Over the last 3 weeks, I've seen a significant increase in the amount of denied cache queries to DNS service and I'm wondering if I should be worried or if there's something I can do to resolve or prevent this.
I show millions of lines like: Oct 4 11:49:30 dns1 named[878]: client 68.13.16.20#53535: query (cache) denied
If I trim out those and the last message repeated lines, I go from a messages log of 1.8GB to 1.3MB but 2 weeks earlier my messages log for the week was only 339M.
Googling for the query (cache) denied didn't seem find anything useful, that this is other name servers attempting to query my servers for info.
Its this something I need to bear with in having a publically available DNS server with authoritative domains? Is there a way to suppress these messages from going to syslog and is it a bad idea to do so?
There have been no configuration changes except to add 1 or 2 domains to the nameservers.
Any help in understanding this would be great.
Thanks, Rick
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I show millions of lines like: Oct 4 11:49:30 dns1 named[878]: client 68.13.16.20#53535: query (cache) denied
If I trim out those and the last message repeated lines, I go from a messages log of 1.8GB to 1.3MB but 2 weeks earlier my messages log for the week was only 339M.
Googling for the query (cache) denied didn't seem find anything useful, that this is other name servers attempting to query my servers for info.
Its this something I need to bear with in having a publically available DNS server with authoritative domains? Is there a way to suppress these messages from going to syslog and is it a bad idea to do so?
There have been no configuration changes except to add 1 or 2 domains to the nameservers.
Interesting... it might be worthwhile to determine what all these clients are asknig for. You mention adding a few new domains to the nameservers.. are you the SOA for them? Should Internet clients _be allowed_ to query your DNS server for these records? Perhaps allow-query is misconfigured on your server?
Even if you aren't expecting any internet-sourced traffic to your DNS server it would be interesting to examine what exactly they are asking for. You could do this with a packet sniffer or query logging in BIND.
Also perhaps you could do an analysis on all the IP's in the denied messages and see if there are any IP's or subnets that pop up... might indicate some sort of DDoS activity that you could track down and report.
Last resort would be to just block inbound DNS traffic from the Internet if you're not needing to answer queries originating from there.
1.8GB's of these seems incredibly excessive... I wonder if they're not legitimate DNS requests trying to get to you because you're the SOA for some domain...
Ray
Ray Van Dolson wrote:
1.8GB's of these seems incredibly excessive... I wonder if they're not legitimate DNS requests trying to get to you because you're the SOA for some domain...
I've seen this sort of behavior from broken resolvers trying to follow a fully-lame delegation. If you suspect that could be it, try a dns report of the domain being queried. http://member.dnsstuff.com/pages/dnsreport.php
-
gjgowey@tmo.blackberry.net -
Mark Foster -
Ray Van Dolson -
Rick Barnes