"fabian dacunha" <fabian at baladia.gov.kw> wrote:
> Dear All,
>
> I am sorry for posting this query here but hope someone can help me out.
> I have been running CentOS 5 as my primary DNS and mail server with BIND 9.2.
>
> Everything works fine, but in my /var/messages log I continuously see the
> below messages:
>
> Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#17222: query (cache) './NS/IN' denied
> Feb 22 09:14:46 kmdns1 named[2087]: client 62.109.4.89#26398: query (cache) './NS/IN' denied
> Feb 22 09:14:51 kmdns1 named[2087]: client 62.109.4.89#65326: query (cache) './NS/IN' denied
> Feb 22 09:14:52 kmdns1 named[2087]: client 62.109.4.89#59870: query (cache) './NS/IN' denied
>
> Now in my firewall I tried to block this IP, but the messages don't stop.
>
> I also upgraded bind to version bind-9.3.4-6.0.3.P1.el5_2, but to no avail;
> the problem is still there.
>
> I would just like to know what this problem is and how I could solve it.
>
> Is there a problem with my DNS server?
>
> Thanks and regards,
>
> Appreciate your kind help.
>
> Fabian
>

I run a very small, personal presence on the internet (only a single web site, e-mail, etc. plus DNS for my own stuff) so this might not work if you have lots of sites or there are legitimate reasons why the same source IP address would hit your DNS with multiple, valid queries in a very short period.

Typically, once a source IP has queried a DNS, the result is cached for the time to live (TTL) of the resulting record and the query should not normally be repeated. Given this, I added the following rules to my firewall:

...
# Block cache poisoning attacks
# Drop repeated DNS requests
-A RH-Firewall-1-INPUT -p udp -m udp -m recent -i eth0 --dport 53 --update \
   --seconds 660 --hitcount 7 --name DNSTHROTTLE --rsource -j DROP
-A RH-Firewall-1-INPUT -p udp -m udp -m recent -i eth0 --dport 53 -j ACCEPT \
   --set --name DNSTHROTTLE --rsource
...

Note that eth0 is my external NIC so these rules only fire for DNS requests that are not from my local network. I came up with seven queries in eleven minutes as a reasonable sign of a cache poisoning attack. Your mileage may vary. These two rules replaced about 30 IPs in my blacklist and are completely automatic. The funny thing is that a lot of the brute force cache poisoning attempts just keep banging away, so the source IP stays on the blacklist. Every once in a while I'll see a new IP address hit seven attempts and then the blacklist rule kicks in and they're never heard from again.

Cheers,
Dave

--
Politics, n. Strife of interests masquerading as a contest of principles.
    -- Ambrose Bierce