query (cache) denied (revisited)

Mark Andrews marka at isc.org
Mon Jul 20 00:15:15 UTC 2009


In message <84010000907190740j60000e04pc23316827fe0b9ef at mail.gmail.com>,
Bradley Caricofe writes:
> Hello,
> 
> Firstly, I know this issue has already been covered in some depth here. I've
> spent hours perusing the archives and researching this online, and am still
> not sure about what I'm seeing. This weekend, I migrated two old Solaris 5.7
> boxes running BIND 9.2, over to two new CentOS systems running BIND 9.6. The
> migration was a success, however, right away I began seeing tons of these in
> our logs:
> 
> 19-Jul-2009 10:34:29.635 client 84.235.6.53#1276: query (cache) '
> 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
> 19-Jul-2009 10:34:29.640 client 85.115.125.204#53150: query (cache) '
> server41.appriver.com/A/IN' denied
> 19-Jul-2009 10:34:29.718 client 213.133.115.147#23725: query (cache) '
> wwequip.com/AAAA/IN' denied
> 19-Jul-2009 10:34:29.769 client 121.1.3.66#57014: query (cache) '
> asialink.com.ph/MX/IN' denied
> 19-Jul-2009 10:34:29.889 client 216.250.255.47#4465: RFC 1918 response from
> Internet for 87.193.30.172.in-addr.arpa
> 19-Jul-2009 10:34:29.937 client 156.111.204.136#7736: query (cache) '
> www.reuters.nsatc.net/A/IN' denied
> 19-Jul-2009 10:34:29.975 client 121.1.3.66#13490: query (cache) '
> asialink.com.ph/MX/IN' denied
> 19-Jul-2009 10:34:30.004 client 84.235.6.53#34256: query (cache) '
> 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
> 19-Jul-2009 10:34:30.074 client 65.55.81.4#5693: query (cache) '
> mosquera.com.ar/A/IN' denied
> 19-Jul-2009 10:34:30.124 client 84.235.6.53#2893: query (cache) '
> 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
> 19-Jul-2009 10:34:30.190 client 84.235.6.53#57257: query (cache) '
> 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
> 
> There are a total of 26000 IPs hitting us daily and causing these queries.
> Of these, only a handful are sending a lot of traffic, maybe a few dozen.
> The worst sent 37000 queries yesterday. I'm trying to determine if this is
> reflector attack behavior or if some of these hosts were successfully using
> our servers for DNS in the past. Our server is refusing these queries and I
> believe the old servers did so as well.
> 
> Is there anything I can do to filter or otherwise reduce these hits? Again,
> I'm sorry for rehashing an old subject, but I don't have this figured out.

Take the addresses that are sending lots of queries and look up the
abuse contacts in whois and send them a report asking for the traffic
to be stopped.  If it is a misconfiguration then it should stop.
If you are being used as a reflector you should also get feedback.

You should also look at the names in the queries and make sure you
are not being delegated to but don't have the zone configured.

Mark

> Thanks,
> Brad
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
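Mark's first step, picking out the addresses that send the most denied queries and then looking up their abuse contacts in whois, and his second, checking the queried names for zones the server may be delegated for but does not serve, both start from the log. The script below is an added example and is not part of the original post, Mark's reply or BIND itself: it parses the "query (cache) ... denied" lines in the format quoted above, counts them per client and per name, and ignores unrelated lines such as the "RFC 1918 response" entry. The regular expression, the function names and the threshold are my own choices; the sample lines are the ones quoted in the thread, re-joined onto single lines, and the `unwrap()` helper handles the wrapping a mail client introduced after the opening quote so the text can be pasted as-is.

```python
import re
from collections import Counter, defaultdict

# Matches a BIND 9 "query (cache) ... denied" line in the format quoted in the
# thread. The group names are mine; the line layout is BIND's.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

# Constructed sample: the lines quoted in the thread, one log entry per line.
# The "RFC 1918 response" entry is not a denied query and must be skipped.
SAMPLE_LOG = [
    "19-Jul-2009 10:34:29.635 client 84.235.6.53#1276: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied",
    "19-Jul-2009 10:34:29.640 client 85.115.125.204#53150: query (cache) 'server41.appriver.com/A/IN' denied",
    "19-Jul-2009 10:34:29.718 client 213.133.115.147#23725: query (cache) 'wwequip.com/AAAA/IN' denied",
    "19-Jul-2009 10:34:29.769 client 121.1.3.66#57014: query (cache) 'asialink.com.ph/MX/IN' denied",
    "19-Jul-2009 10:34:29.889 client 216.250.255.47#4465: RFC 1918 response from Internet for 87.193.30.172.in-addr.arpa",
    "19-Jul-2009 10:34:29.937 client 156.111.204.136#7736: query (cache) 'www.reuters.nsatc.net/A/IN' denied",
    "19-Jul-2009 10:34:29.975 client 121.1.3.66#13490: query (cache) 'asialink.com.ph/MX/IN' denied",
    "19-Jul-2009 10:34:30.004 client 84.235.6.53#34256: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied",
    "19-Jul-2009 10:34:30.074 client 65.55.81.4#5693: query (cache) 'mosquera.com.ar/A/IN' denied",
    "19-Jul-2009 10:34:30.124 client 84.235.6.53#2893: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied",
    "19-Jul-2009 10:34:30.190 client 84.235.6.53#57257: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied",
]


def unwrap(lines):
    """Re-join entries that a mail client wrapped right after the opening quote,
    i.e. a line ending in "query (cache) '" followed by the name on the next line."""
    out, pending = [], None
    for line in lines:
        line = line.rstrip("\n")
        if pending is not None:
            out.append(pending + line.lstrip())
            pending = None
        elif line.rstrip().endswith("query (cache) '"):
            pending = line.rstrip()
        else:
            out.append(line)
    if pending is not None:  # dangling half-line at end of input
        out.append(pending)
    return out


def parse_denied(lines):
    """Yield one dict per denied cache query; every other line is ignored."""
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:
            yield m.groupdict()


def count_by_client(lines):
    """Denied queries per source address."""
    return Counter(r["ip"] for r in parse_denied(lines))


def heavy_clients(lines, threshold):
    """Addresses with at least `threshold` denied queries, busiest first.
    These are the ones whose abuse contacts you would look up in whois;
    the threshold is an operator choice (the post mentions 37000/day for the worst)."""
    return [(ip, n) for ip, n in count_by_client(lines).most_common() if n >= threshold]


def names_report(lines):
    """(name, total queries, distinct clients), most queried first.
    A name many different clients ask for is the one to check against the
    parent zone's delegation: if this server is listed as an NS for it but has
    no zone configured, the traffic is a misconfiguration rather than abuse."""
    totals, clients = Counter(), defaultdict(set)
    for r in parse_denied(lines):
        name = r["name"].lower()
        totals[name] += 1
        clients[name].add(r["ip"])
    rows = [(name, totals[name], len(clients[name])) for name in totals]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for ip, n in heavy_clients(SAMPLE_LOG, 2):
        print(f"{ip:16} {n} denied queries")
    for name, total, nclients in names_report(SAMPLE_LOG)[:3]:
        print(f"{name:40} {total} queries from {nclients} client(s)")
```

Run it against a day's worth of the `security` channel (the category these messages are logged to) after `unwrap()` if the text came from mail; in production the threshold would be far higher than 2, and the whois lookups themselves are done by hand on the addresses the first report lists.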