Script-kiddie / client <IP> query (cache) '<host>/MX/IN' denied

wllarso wllarso at swcp.com
Tue Aug 3 16:28:54 UTC 2010


On Tue, 03 Aug 2010 18:01:27 +0200, Denis BUCHER <dbucherml at hsolutions.ch>
wrote:
> Dear all,
> 
> I have a question, it's not really a big problem, but it's annoying.
> 
> In the logs I get plenty of lines like :
>> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2
>> Time(s)
>> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied:
>> 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2
>> Time(s)
>> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied:
>> 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
> 
> This seems to be due to a script-kiddie.
> 
> I would like to know if I can block hosts doing that at the level of 
> /etc/hosts.allow or should I do it at the level of Bind itself ?
> 
> Currently it is working for sshd on this server to add lines in 
> /etc/hosts.allow, but I would like to know if it would be possible for 
> bind :
> sshd: 121.14.195.176: DENY
> 
> # uname -a
> Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 
> 2009 i686 i686 i386 GNU/Linux
> # cat /etc/redhat-release
> Fedora release 9 (Sulphur)
> 
> Thanks a lot in advance for any help...
> 
> And sorry if this is not 100% on topic, I know it's at the border 
> between BIND and OS...

On topic question.  Don't worry.

You could always use the "blackhole" directive in the BIND configuration
to avoid responding to this address.  This will prevent your server from
responding to queries from this address.  See the BIND ARM for more info
about how to use this.  The problem is that this solution would prevent a
DNS server at this address from querying your server for legitimate
purposes.  (Quickly, this address doesn't appear to be running a DNS server
at the moment.)

Then again, if you are running a firewall on your server (or in front of
it), you could always block traffic from this address as an alternative
too.  This way your DNS server would never even see these queries to have
to block.

But as a more complete solution, is this an authoritative server for some
zone(s) that you are responsible for, or is this a recursive server for
your customers?  If it is an authoritative server, then you should have it
configured to not answer recursive queries for everyone in the world.  If
it is a recursive server, then you should be limiting who can query it and
not respond to non-authorized queries.  You can use the BIND "view" to
limit who is getting what from your server.

Your logs indicate this query was denied, so you may already have
your server configured to not answer these queries from this address, so
the last paragraph may not apply.  But, it is worth looking at your
configuration just to confirm your server is "reasonably" configured.

Bill Larson
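The two BIND-side measures Bill describes (the "blackhole" directive, and not answering recursive or cache queries for the whole world), written out as an added named.conf fragment that is not from the original thread. It uses an options-level ACL rather than a "view" for the access limit; the "trusted" ACL, the 192.0.2.0/24 network and the example.com zone are hypothetical, and the blackholed address is the one from the logs above.

```conf
// Hypothetical ACL: the clients this server should recurse for.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/named";

    // Only trusted clients get recursion and cached answers; everyone else
    // receives REFUSED for queries like the 'denkstelle.de/MX/IN' ones in
    // the log. This is the "reasonably configured" baseline for a server
    // that is authoritative but also recurses for its own users.
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // Heavier hammer: packets from this source are dropped silently and
    // never answered, so nothing for them is logged as denied either.
    // Caveat from the reply: a legitimate resolver at this address could
    // no longer query your authoritative zones at all.
    blackhole { 202.152.172.4; };
};

// Hypothetical zone: authoritative data stays open to the world, which is
// what allows your own domains to resolve while recursion is restricted.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

After editing, `named-checkconf` validates the syntax and `rndc reload` applies it; watch the "query (cache) ... denied" lines afterwards to confirm that only untrusted sources are being refused.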
