Author Topic: Block denied bin/named queries  (Read 5131 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Block denied bin/named queries
« on: April 11, 2020, 06:02:48 PM »
Hi all,

my log files are getting to be many hundreds of MB on a frequent basis, after checking through them, there are 10's of thousands of entries like this
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#27252 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied

I am running Restrict_Syslog level3, is there any way to get the firewall to block these IP addresses, have spent many hours today checking through settings etc but to no avail, a short extract is below.

Is this anything I should worry about, granted they probably cause very little server load BUT the size of the logs being generated and also that they are not good intention? should surely be blocked.

LF_BIND = "60" <<< did set this to 5 for testing but I suspect it is ignored due to the Syslog (any sensible way to enable it?)
LF_BIND_PERM = "1"

Thanks

Chris

Code: [Select]
Apr 11 18:29:47 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#37140 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#46054 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#38211 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#10446 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#54154 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#54327 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#56504 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#64360 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#8109 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#14969 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#15857 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#27252 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#39212 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:54 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#10270 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:54 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#50582 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:54 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#12891 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:55 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#33580 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:55 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#56248 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#54902 (ichfolge.com): query (cache) 'ichfolge.com/A/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#50540 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#50509 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#58602 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#52274 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#59709 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#64707 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#53013 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 20.187.1.135#57668 (www.ichfolge.com): query (cache) 'www.ichfolge.com/A/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 20.187.1.135#57668 (www.ichfolge.com): query (cache) 'www.ichfolge.com/A/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 20.187.1.135#57668 (www.ichfolge.com): query (cache) 'www.ichfolge.com/A/IN' denied
Apr 11 18:29:58 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#58519 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:58 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#59158 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied

Re: Block denied bin/named queries
« Reply #1 on: April 11, 2020, 10:06:33 PM »
LF_BIND = "60" is the minimum, 100 is normally more appropriate.

Have you set bind recursion to local only?

Quote
Hostname:   211.144.10.106
ASN:   4808
ISP:   China Unicom Beijing
I never have that issue, as I block the whole of China from my servers, as well as a few others.

Any traffic into your server has to be processed in some way, so there is an overhead - just look at the frequency of requests! I bet you have a lot of local traffic too.

Offline
*
Re: Block denied bin/named queries
« Reply #2 on: April 12, 2020, 03:57:08 PM »
Hi Ej

Set the LF_BIND low initially to see if it would trigger a firewall block on those IP's (which it didn't) and do expect that due to Syslog3

Your comment about local recursion got me thinking, recursion *was* disabled but allow-query was set to  {any} (default setting I believe.

I have posted the options setup below

Thanks for the reply and do agree about those queries using some resource surely, firewall blocks are about 50 temp bans at any given time for port scanning (port 2210 typically) and a very slowly increase in perm bans (currently 53)
The server is pretty much a fresh install, hosts 2 domains and only my own code on there (laravel projects etc).
You also do right about banning China and I will be following suite very soon, presumably you use the Maxmind or similar in the csf.conf.

Regards

Chris

Code: [Select]
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file  "/var/named/data/named.recursing";
secroots-file   "/var/named/data/named.secroots";
allow-query     { any; }; <<I have just changed this to localhost (is a one server setup with 2 domains on it)
    version "unknown";

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
   recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
   control to limit queries to your legitimate users. Failing to do so will
   cause your server to become part of large scale DNS amplification
   attacks. Implementing BCP38 within your network would greatly
   reduce such attack surface
*/
recursion no;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


Re: Block denied bin/named queries
« Reply #3 on: April 12, 2020, 04:54:14 PM »
I normally don't do anything other than restricting recursion to localnets and setting version to "".

I find maxmind to be more effective than the now default alternative.
Here's a typical setting (varies by server location/website(s) market):
Code: [Select]
CC_DENY = "CN,HK,TH,IL,EG,TW,RU,AG,RO,IR,VN,MD,UA,KR,IN,SG,EE,UK"


Additionally, I create a csfpost.sh soft link to a /root/block-scan.sh that blocks local network scanning, using iptables.

On a freshly built server, it's not unusual to see hundreds of 'hits' on ssh alone, within quarter of an hour. Makes a mockery of the occasional noob on here, that decides to turn off the firewall 'cos they can't diagnose an issue.

[I did have one VPS that was getting hit by DNS requests but can't recall which one and my specific resolution, sorry.]
« Last Edit: April 13, 2020, 06:07:23 AM by Sandeep »