[CentOS] problem with bind???

Sun Feb 22 19:25:30 UTC 2009
David G. Miller <dave at davenjudy.org>

"fabian dacunha" <fabian at baladia.gov.kw> wrote:

> Dear All,
>
> I am sorry for posting this query here but hope someone can help me out
> i have been running Centos 5 as my primary DNS n Mail server with bind 9.2
>
> everything works fine but in my /var/messages log i see continuously the
> below messages
>
> Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#17222: query
> (cache) './NS/IN' denied
> Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#26398: query
> (cache) './NS/IN' denied
> Feb 22 09:14:51 kmdns1 named[2087]: client 62.109.4.89#65326: query
> (cache) './NS/IN' denied
> Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query
> (cache) './NS/IN' denied
>
> now in my firewall i tried to block this ip but the messages don't stop
>
> i also upgraded bind to version bind-9.3.4-6.0.3.P1.el5_2 but to no avail,
> the problem is still there
>
>
> i'd just like to know what this problem is and how i could solve it
>
> is there a problem with my DNS server
>
> thanks and regards
>
> appreciate your kind help
>
>
> fabian
>   
I run a very small, personal presence on the internet (only a single web 
site, e-mail, etc. plus DNS for my own stuff) so this might not work if 
you have lots of sites or there are legitimate reasons why the same 
source IP address would hit your DNS with multiple, valid queries in a 
very short period.  Typically, once a source IP has queried a DNS, the 
result is cached for the time to live (TTL) of the resulting record and 
the query should not normally be repeated.  Given this, I added the 
following rules to my firewall:

...
# Block cache poisoning attacks
# Drop repeated DNS requests
-A RH-Firewall-1-INPUT -p udp -m udp -m recent -i eth0 --dport 53 --update \
    --seconds 660 --hitcount 7 --name DNSTHROTTLE --rsource -j DROP

-A RH-Firewall-1-INPUT -p udp -m udp -m recent -i eth0 --dport 53 --set \
    --name DNSTHROTTLE --rsource -j ACCEPT
...

Note that eth0 is my external NIC so these rules only fire for DNS 
requests that are not from my local network.

I came up with seven queries in eleven minutes as a reasonable sign of 
a cache poisoning attack.  Your mileage may vary.  These two rules 
replaced about 30 IPs in my blacklist and are completely automatic.  The 
funny thing is that a lot of the brute force cache poisoning attempts just 
keep banging away so the source IP stays on the blacklist.  Every once 
in a while I'll see a new IP address hit seven attempts and then the 
blacklist rule kicks in and they're never heard from again.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce
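A way to see what Dave's two "recent" rules would do against the log lines from Fabian's question, as an added example that is not part of either message in the thread: a small Python model of one xt_recent list (my reading of the module's semantics, not kernel code) replays named's "query (cache) denied" lines and reports which packets the DROP/ACCEPT pair would have let through. The first four log lines are the ones quoted in the question; the remaining lines, the second client 192.0.2.10 and the year 2009 used for the timestamps are constructed. The constants mirror the rule (--seconds 660, --hitcount 7) plus the xt_recent default of 20 stamps kept per address (ip_pkt_list_tot), which is the reason --hitcount must not be set above 20 with a stock module.

```python
"""Replay named 'query denied' lines through a model of the two iptables
'recent' rules: DROP when the source already has --hitcount stamps inside
--seconds, otherwise ACCEPT and record the source.

The RecentTable class is an assumption about how xt_recent behaves,
written for illustration only; it is not the kernel module's code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# First four lines: quoted from the question. Remaining lines: constructed
# (same client a few seconds later, plus an unrelated client 192.0.2.10).
LOG_LINES = """\
Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#17222: query (cache) './NS/IN' denied
Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#26398: query (cache) './NS/IN' denied
Feb 22 09:14:51 kmdns1 named[2087]: client 62.109.4.89#65326: query (cache) './NS/IN' denied
Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query (cache) './NS/IN' denied
Feb 22 09:14:55 kmdns1 named[2087]: client 62.109.4.89#40001: query (cache) './NS/IN' denied
Feb 22 09:14:57 kmdns1 named[2087]: client 192.0.2.10#53011: query (cache) './NS/IN' denied
Feb 22 09:15:01 kmdns1 named[2087]: client 62.109.4.89#40002: query (cache) './NS/IN' denied
Feb 22 09:15:03 kmdns1 named[2087]: client 62.109.4.89#40003: query (cache) './NS/IN' denied
Feb 22 09:15:09 kmdns1 named[2087]: client 62.109.4.89#40004: query (cache) './NS/IN' denied
Feb 22 09:25:30 kmdns1 named[2087]: client 62.109.4.89#40005: query (cache) './NS/IN' denied
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client ([\d.]+)#\d+: query"
)

WINDOW_SECONDS = 660   # --seconds 660
HITCOUNT = 7           # --hitcount 7
PKT_LIST_TOT = 20      # xt_recent default ip_pkt_list_tot: stamps kept per address


def parse(line, year=2009):
    """Return (unix_time, source_ip) for a named query log line, else None.
    syslog lines carry no year, so one is assumed (2009, the thread's date)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m.group(2)


class RecentTable:
    """Model of one xt_recent list (--name DNSTHROTTLE --rsource)."""

    def __init__(self):
        # Ring of the last PKT_LIST_TOT timestamps seen per source address.
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def update_matches(self, src, now):
        """--update --seconds S --hitcount H: matches only if the address is
        already listed and at least H earlier stamps fall inside the window.
        On a match the current packet is recorded too, which is why a client
        that keeps querying stays blocked."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False

    def set(self, src, now):
        """--set: list the address (or add another stamp to it)."""
        self.stamps[src].append(now)


def replay(lines):
    """Run every parsable line through the two rules in order and return
    a list of (source_ip, verdict) in log order."""
    table = RecentTable()
    verdicts = []
    for line in lines.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        now, src = parsed
        if table.update_matches(src, now):   # rule 1: --update ... -j DROP
            verdicts.append((src, "DROP"))
        else:
            table.set(src, now)              # rule 2: --set ... -j ACCEPT
            verdicts.append((src, "ACCEPT"))
    return verdicts


if __name__ == "__main__":
    for src, verdict in replay(LOG_LINES):
        print(f"{src:15} {verdict}")
```

Two things the replay makes visible that the rules alone do not: the hitcount test only counts packets already recorded, so with --hitcount 7 the eighth query inside the window is the first one dropped, and because --update stamps each dropped packet as well, the last line (over ten minutes after the first) is still dropped; the address only falls off the list once it has stayed quiet for the full 660 seconds.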