DNS query denied

Discussion in 'Installation/Configuration' started by Captain, Apr 8, 2010.

  1. Captain

    Captain Member

    Hi, it is normal.
    Someone is trying to DDoS through your DNS, but recursion is blocked.
    Try to configure fail2ban for DNS attacks to block the attackers.
     
  2. andcha

    andcha New Member

    I don't know much about fail2ban but I did try to do something similar to what you are suggesting. I configured a fail2ban jail to block IP addresses from /var/log/syslog with the following failregex
    Code:
    failregex = .*named\[.*\]: client <HOST>.*: query \(cache\) \'a.packetdevil.com/A/IN\' denied\s*$
    It was working perfectly until I realized that these IPs were not to be blamed, as the attacker is someone else.

    If this is not what you were suggesting then please elaborate.

    Also, I have set allow-recursion { none; }; in /etc/bind/named.conf.options, is this correct?
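    As an added illustration (not code from the thread), a small Python script that applies an equivalent of the failregex above to constructed syslog lines and groups the denied cache queries by name. It assumes IPv4 clients only, where fail2ban's <HOST> would also match IPv6 and hostnames. The useful signal is one name being requested by many different "clients": in the reflection pattern described in this thread those source addresses are the spoofed victims, so they are the wrong thing to ban.

    ```python
    import re
    from collections import Counter, defaultdict

    # Python equivalent of the thread's fail2ban failregex. fail2ban substitutes
    # <HOST> with its own address pattern; this example narrows it to IPv4
    # (assumption of this example) and captures the queried name as well.
    LOG_RE = re.compile(
        r"named\[\d+\]: client (?P<host>\d{1,3}(?:\.\d{1,3}){3})#\d+.*: "
        r"query \(cache\) '(?P<qname>[^']+)' denied\s*$"
    )

    # Constructed sample log lines in the format the failregex matches.
    # The last line is a denied authoritative query (no "(cache)") and must not match.
    SAMPLE_LOG = """\
    Nov 26 10:00:01 ns1 named[1234]: client 198.51.100.7#4521: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov 26 10:00:01 ns1 named[1234]: client 198.51.100.7#4522: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov 26 10:00:02 ns1 named[1234]: client 203.0.113.9#2001: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov 26 10:00:02 ns1 named[1234]: client 203.0.113.9#2002: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov 26 10:00:03 ns1 named[1234]: client 192.0.2.44#53000: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov 26 10:00:04 ns1 named[1234]: client 192.0.2.80#1337: query (cache) 'www.example.net/A/IN' denied
    Nov 26 10:00:05 ns1 named[1234]: client 192.0.2.81#40000: query 'domainname.com/A/IN' denied
    """


    def parse_denied(log_text):
        """Return a list of (client, qname) for every denied cache query in the log."""
        hits = []
        for line in log_text.splitlines():
            m = LOG_RE.search(line)
            if m:
                hits.append((m.group("host"), m.group("qname")))
        return hits


    def summarize(hits):
        """Per queried name: total denied hits and number of distinct source addresses."""
        per_name = defaultdict(Counter)
        for host, qname in hits:
            per_name[qname][host] += 1
        return {q: {"hits": sum(c.values()), "sources": len(c)} for q, c in per_name.items()}


    def likely_reflection(summary, min_hits=3, min_sources=2):
        """Names hammered from several distinct sources: the spoofed-source pattern from
        the thread. Treat the name as the indicator; do not ban the source addresses."""
        return sorted(q for q, s in summary.items()
                      if s["hits"] >= min_hits and s["sources"] >= min_sources)


    if __name__ == "__main__":
        s = summarize(parse_denied(SAMPLE_LOG))
        for name in likely_reflection(s):
            print(f"{name}: {s[name]['hits']} denied queries from {s[name]['sources']} sources")
    ```
    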
     
  3. Captain

    Captain Member

    Is it your master or slave DNS?
     
  4. andcha

    andcha New Member

    This is the master DNS I am using on my website.
    A few days ago I read somewhere that one should not use their master DNS on the website, is it because of that?
     
  5. Captain

    Captain Member

    Please post your named.conf (named.conf.local)
     
  6. andcha

    andcha New Member

    Hi
    This is what my /etc/bind/named.conf.local looks like

    Code:
    zone "domainname.com" {
            type master;
            allow-transfer {8.33.137.137;};
            file "/etc/bind/pri.domainname.com";
    };
    
    and named.conf contains

    Code:
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local
    
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
     
    Last edited: Nov 26, 2013
  7. Captain

    Captain Member

    Please also provide /etc/bind/named.conf.options
     
  8. andcha

    andcha New Member

    Here
    Code:
    options {
            directory "/var/cache/bind";
    
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.
    
            // forwarders {
            //      0.0.0.0;
            // };
    
            //========================================================================
            // If BIND logs error messages about the root key being expired,
            // you will need to update your keys.  See https://www.isc.org/bind-keys
            //========================================================================
            dnssec-validation auto;
    
            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { ::1; };
            listen-on { any; };
    //      allow-recursion { none; };
    };
    
    BTW, thank you for taking interest in helping out, much appreciated.
     
  9. Captain

    Captain Member

    You can also add:

    empty-zones-enable no;

    And you can also use forwarders; these are your ISP provider's DNS servers.
     
  10. andcha

    andcha New Member

    Thank you, I have added
    Code:
    empty-zones-enable no;
    hope this makes the desired difference

    By forwarding, are you referring to "Allow zone transfer" in ISPConfig > DNS Zone > Allow zone transfer to these IPs ?

    BTW, good news is that queries have decreased over time to a mere 3,000 to 4,000 per day from 150,000.

    Will update after observing for a few days
     
    Last edited: Nov 30, 2013
  11. Captain

    Captain Member

    Allow zone transfer is needed, for example, for your slave DNS server.

    But a forwarder is needed to forward from your DNS to your provider's DNS if you do not support searching the zone.
     
  12. andcha

    andcha New Member

  13. Captain

    Captain Member

    I do not use forward first;
    Just:
    forwarders {
    193.247.122.26;
    };
     
  14. andcha

    andcha New Member

    Wouldn't this make my local DNS useless?
    I mean, will all DNS queries then be forwarded to my ISP's DNS?
     
  15. Captain

    Captain Member

    It forwards only DNS zones that are not delegated on your DNS server.
     
  16. andcha

    andcha New Member

    Alright, thank you so much.
    I'll try that tomorrow.
     
  17. ukashkartim

    ukashkartim New Member

    Hi,
    I have some problem.
    The problem is resolved? I don't understand.
    If it's resolved, please explain the solution step by step.
    Thanks...
     
  18. ukashkartim

    ukashkartim New Member

    same problem

    Hi,
    I have some problem.
    The problem is resolved? I don't understand.
    If it's resolved, please explain the solution step by step.
    Thanks...
     
  19. Hi,
    It is not the recursion, but query caching.
    Simply use something like this:

    acl "trusted" {
    192.168.0.0/16;
    10.153.154.0/24;
    localhost;
    localnets;
    };

    options {
    ...
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    ...
    };
     