Named denied errors in system log?

Discussion in 'Installation/Configuration' started by tal56, Jan 31, 2021.

  1. tal56

    tal56 Member

    Hi guys, I'm getting a lot of these error messages in my system log and I'm not sure of the "best" way to deal with this. They look like attacks, so maybe a fail2ban rule would be best? Or is there any config change I can do to Named.conf to stop this? I only run Named because Rspamd requires it, my domains are hosted at a registrar and I just set up "A" and "MX" records etc. Thanks for any suggestions, because from searching, I can't find the best method I should use.

    Code:
    Jan 31 21:19:12 server1 named[359]: client @0x7f062c1100b0 80.93.127.188#53319 (.): query (cache) './ANY/IN' denied
    Jan 31 21:19:12 server1 named[359]: client @0x7f062c11e840 80.93.127.188#53319 (.): query (cache) './ANY/IN' denied
    Jan 31 21:19:12 server1 named[359]: client @0x7f062c101a90 80.93.127.188#53319 (.): query (cache) './ANY/IN' denied
    Jan 31 21:19:12 server1 named[359]: client @0x7f062c1100b0 80.93.127.188#53319 (.): query (cache) './ANY/IN' denied
    Jan 31 21:19:23 server1 named[359]: client @0x7f062c11e840 162.244.125.40#13934 (.): query (cache) './ANY/IN' denied
    Jan 31 21:19:23 server1 named[359]: client @0x7f062c11e840 162.244.125.40#13934 (.): query (cache) './ANY/IN' denied
    Jan 31 21:19:23 server1 named[359]: client @0x7f062c11e840 162.244.125.40#13934 (.): query (cache) './ANY/IN' denied
    Jan 31 21:19:23 server1 named[359]: client @0x7f062c1100b0 162.244.125.40#13934 (.): query (cache) './ANY/IN' denied
    Jan 31 21:19:23 server1 named[359]: client @0x7f062c101a90 162.244.125.40#13934 (.): query (cache) './ANY/IN' denied
    Jan 31 21:19:23 server1 named[359]: client @0x7f062c1100b0 162.244.125.40#48116 (.): query (cache) './ANY/IN' denied

    And I have a LOT of them, usually from the same or similar IPs.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Close port 53 on your firewall if you only need BIND for local applications.
     
  3. tal56

    tal56 Member

    Sounds like a great solution, I assume I should close it on both TCP and UDP? I'll give it a try and report. Thanks again Th0m. By the way, I'm trying to get the 100% score on Internet.nl. Do you mind if I PM you for some help? I think the last thing I'm missing is the ciphers on the web side, before tackling the email. Thanks
     
  4. tal56

    tal56 Member

    Actually, I think I need to leave UDP port 53 open still, right? Just remove the TCP port 53 from the firewall. Does that sound correct? Thanks
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Both TCP and UDP can (and should be) closed.

    I think it's better to create a thread for the internet.nl score, so others can give it a thought or read it for their own help :)
     
  6. tal56

    tal56 Member

    So something like this https://serverfault.com/questions/480913/when-would-i-open-port-53-for-dns does not apply to my situation because I don't need to respond to DNS queries, correct? Just curious though, if I did need to run an external DNS, so can't block port 53, what would have been the best solution? Fail2ban? Or some other configuration like recursion?

    Also, sounds good, I'll start a thread tomorrow for Internet.nl and go from there. Thanks again for the help :)
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You could use Fail2Ban, but this could block legit clients as well, so you could just let it be.

    No problem :)
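
To see which sources account for the denied queries before choosing between a firewall rule and Fail2Ban, the following added example (not part of the thread) parses `named` "denied" lines in the format posted above and counts them per source address. The function names and the threshold of 3 are assumptions chosen to fit the small sample.

```python
import re
from collections import Counter, defaultdict

# Five lines from the log posted in the thread, plus one constructed
# non-matching line to show that unrelated entries are skipped.
SAMPLE_LOG = """\
Jan 31 21:19:12 server1 named[359]: client @0x7f062c1100b0 80.93.127.188#53319 (.): query (cache) './ANY/IN' denied
Jan 31 21:19:12 server1 named[359]: client @0x7f062c11e840 80.93.127.188#53319 (.): query (cache) './ANY/IN' denied
Jan 31 21:19:20 server1 sshd[1234]: constructed unrelated line
Jan 31 21:19:23 server1 named[359]: client @0x7f062c11e840 162.244.125.40#13934 (.): query (cache) './ANY/IN' denied
Jan 31 21:19:23 server1 named[359]: client @0x7f062c101a90 162.244.125.40#13934 (.): query (cache) './ANY/IN' denied
Jan 31 21:19:23 server1 named[359]: client @0x7f062c1100b0 162.244.125.40#48116 (.): query (cache) './ANY/IN' denied
"""

# The "@0x..." client handle is treated as optional (assumption: some logs omit it).
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query \(cache\) '(?P<query>[^']*)' denied"
)

def parse_denied(line):
    """Return (ip, port, qname, qtype, qclass) for a denied cache query, else None."""
    m = DENIED_RE.search(line)
    if m is None or m.group("query").count("/") < 2:
        return None
    qname, qtype, qclass = m.group("query").rsplit("/", 2)
    return m.group("ip"), int(m.group("port")), qname, qtype, qclass

def summarize(lines, threshold=3):
    """Return per-source stats and the sorted sources at or above threshold."""
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "queries": Counter()})
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue  # not a denied-query line
        ip, port, qname, qtype, _qclass = rec
        stats[ip]["count"] += 1
        stats[ip]["ports"].add(port)
        stats[ip]["queries"][f"{qname} {qtype}"] += 1
    noisy = sorted(ip for ip, s in stats.items() if s["count"] >= threshold)
    return dict(stats), noisy

if __name__ == "__main__":
    stats, noisy = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        flag = "  <-- at/above threshold" if ip in noisy else ""
        print(f"{ip:15} denied={s['count']} ports={sorted(s['ports'])} "
              f"queries={dict(s['queries'])}{flag}")
```

DNS queries over UDP carry a source address that can be forged, so a high count is a reason to investigate rather than proof of who sent the traffic.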
     
