Bind isc.org IN ANY help?

Discussion in 'Installation/Configuration' started by Unfaiir, May 29, 2013.

  1. Unfaiir

    Unfaiir Member

    I have been scouring the web for a solution to this issue with bind to no avail.

    At various times throughout the day I will be bombarded with requests like:

    Code:
    May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.10#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 149.5.169.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.43#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.43#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.10#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 178.33.2.161#40494: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.43#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.10#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.43#25345: query: isc.org IN ANY +ED (x.x.x.x)
May 29 06:19:17 server1 named[32513]: client 154.47.160.25#25345: query: isc.org IN ANY +ED (x.x.x.x)
    I just can't seem to find a way to stop them. My question is, does ISPConfig 3 even need Bind running? I have free nameserver service where I register my domains so I'll just use that if there is no simple solution here, its too much frustration for me.

    Below is my /etc/named.conf file which I've tried to modify to block this before, which seemed to work at the time.. but now its happening again. I guess what makes it so difficult is that its a UDP attack and not a TCP, so the source IP is always just spoofed. Help?

    Code:
    include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

acl "trusted" {
 127.0.0.1;
};

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
        forwarders { 127.0.0.1; };
};

logging {
 channel security_file {
  file "/var/log/named/security.log" versions 3 size 30m;
  severity dynamic;
  print-time yes;
 };
 category security {
  security_file;
 };
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.conf.local";
     
    Unfaiir, May 29, 2013
    #1
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you dont want to host your own dns zones, then you can stop bind. ISPConfig does not require bind, it just supports bind.
     
    till, May 29, 2013
    #2
  3. SuperLOL

    SuperLOL Member

    A long time a i had this domain name. :D
     
    SuperLOL, May 29, 2013
    #3
  4. Unfaiir

    Unfaiir Member

    Thanks. I just wanted to be sure it was ISPConfig safe. I spent days trying to stop that stupid attack to no avail and that stupid bot doing 20+ requests per second always to BIND was just unacceptable and probably would have got me blacklisted.

    I can't believe nobody else has had this issue before on these forums? It seems to be a newer attack, maybe that is why? Its hard to even detect this attack if you aren't looking for it in the logs. It doesn't cause any noticeable performance hit on my system or show up as an error in the logs, but being blacklisted because of it would be no fun.

    Since I don't BIND at this time and its ISPConfig safe, I've gone ahead and disabled it:
    Code:
    chkconfig named off
    I have two related questions:

    rndc is still running and giving the error:
    Code:
    rndc: connect failed: 127.0.0.1#953: connection refused
    Is it ISPConfig safe to also disable rndc?

    Is it ISPConfig safe to just do a
    Code:
    yum remove bind
    ?
     
    Unfaiir, May 30, 2013
    #4
  5. monkfish

    monkfish Member

    Perhaps you might like to use bind as a caching nameserver for your hosts use instead of service provider's dns servers?

    May help with name resolution etc, if you do RBL lookups on incoming email, eg using spamassassin, and your dns request goes to your provider, you may find it gets blocked due to oversusbcription from host provider. Smaller volume requests from your own server may not be.

    You might like to consider leaving named running, perhaps untick it in ispconfig. If you wanted to revert any settings possibly made by ispconfig, do a "yum reinstall bind" and if it creates /etc/named.conf.rpmnew from that install move it to named.conf. That way you have a stock install of bind as a caching name server which only responds to requests from the loopback address.

    Check your /etc/resolv.conf and make sure you have

    Code:
    nameserver 127.0.0.1
nameserver alternatedns1
nameserver alternatedns2
    then your machine will use localhost for name resolution.

    Finally, in your firewall block incoming dns requests (udp, tcp port 53) from the outside world.

    YMMV!
     
    monkfish, May 30, 2013
    #5

Share This Page