Comments on: Annoying DNS Recursive queries http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/ ramblings of a caffeinated discombobulated mind Fri, 30 Jul 2010 18:55:45 +0000 http://wordpress.org/?v=abc hourly 1 By: f2b http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/comment-page-1/#comment-9712 f2b Thu, 20 May 2010 21:25:04 +0000 http://www.stupendous.net/?p=269#comment-9712 <blockquote> <p>Maybe someone could write some script that tracks a syslog file for these kinds of queries, and drops them using iptables after.. say.. 5 failed attempts?</p> </blockquote> <p>Hi,</p> <p>why dont you think about fail2ban to do this job for you?</p> <p>http://www.fail2ban.org/</p> <p>Cheers.</p>

Maybe someone could write some script that tracks a syslog file
for these kinds of queries, and drops them using iptables after..
say.. 5 failed attempts?

Hi,

why dont you think about fail2ban to do this job for you?

http://www.fail2ban.org/

Cheers.

]]> By: chrome http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/comment-page-1/#comment-9476 chrome Sun, 25 Jan 2009 05:03:19 +0000 http://www.stupendous.net/?p=269#comment-9476 <p>Give <a href="http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/" rel="nofollow">this</a> a try.</p> <p>Though if you don't have the particular netfilter module, a script like that would work.</p> Give this a try.

Though if you don’t have the particular netfilter module, a script like that would work.

]]> By: Mark http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/comment-page-1/#comment-9474 Mark Sat, 24 Jan 2009 22:41:06 +0000 http://www.stupendous.net/?p=269#comment-9474 <p>Maybe someone could write some script that tracks a syslog file for these kinds of queries, and drops them using iptables after.. say.. 5 failed attempts?</p> Maybe someone could write some script that tracks a syslog file for these kinds of queries, and drops them using iptables after.. say.. 5 failed attempts?

]]> By: chrome http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/comment-page-1/#comment-9462 chrome Thu, 22 Jan 2009 00:44:40 +0000 http://www.stupendous.net/?p=269#comment-9462 <p>New versions of BIND don't fix this problem.</p> <p>There is no way to disable "recursion denied" responses in bind, currently.</p> New versions of BIND don’t fix this problem.

There is no way to disable “recursion denied” responses in bind, currently.

]]> By: sigterm http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/comment-page-1/#comment-9461 sigterm Wed, 21 Jan 2009 07:22:10 +0000 http://www.stupendous.net/?p=269#comment-9461 <p>You folks might want to think about updating bind, here are some articles to get you going. Seems theres a fair share of it going around.</p> <p>http://www.uno-code.com/?q=node/160</p> <p>and Dsheild is tracking it to:</p> <p>http://www.dshield.org/diary.html?storyid=5713</p> You folks might want to think about updating bind, here are some articles to get you going. Seems theres a fair share of it going around.

http://www.uno-code.com/?q=node/160

and Dsheild is tracking it to:

http://www.dshield.org/diary.html?storyid=5713

]]> By: Bruce Clark http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/comment-page-1/#comment-9460 Bruce Clark Mon, 19 Jan 2009 20:01:33 +0000 http://www.stupendous.net/?p=269#comment-9460 <p>I've wondered the same thing - some way to get BIND to STOP replying to these queries and just drop them. I'm sure doing some would break some part of some RFC. But all of these attacks I've been seeing so far, are querying for the root zone "." - which is not something that normal DNS servers answer to. Most normal clients ask complete host questions, and allow the resolver to do the recursive queries and return with just an answer. So I doubt hacking the source to NOT reply to any off-network, root zone NS queries would not break anything in real life. Anyone know different?</p> <p>Bruce</p> I’ve wondered the same thing – some way to get BIND to STOP replying to these queries and just drop them. I’m sure doing some would break some part of some RFC. But all of these attacks I’ve been seeing so far, are querying for the root zone “.” – which is not something that normal DNS servers answer to. Most normal clients ask complete host questions, and allow the resolver to do the recursive queries and return with just an answer. So I doubt hacking the source to NOT reply to any off-network, root zone NS queries would not break anything in real life. Anyone know different?

Bruce

]]> By: Vishnu http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/comment-page-1/#comment-9459 Vishnu Mon, 19 Jan 2009 09:21:13 +0000 http://www.stupendous.net/?p=269#comment-9459 <p>I wonder if there is a way to configure bind to null a refusal reply? Added a rule a little while ago. 76.9.16.171 has been going at it since about 6am pst on my servers. Was curious at exactly what was going on, so I ran tcpdump for a few minutes grep'ing the ip. Glad my acl is working accordingly, but annoyed at the 2 queries per second, as well as the reply.</p> <p>Cheers, Vishnu</p> I wonder if there is a way to configure bind to null a refusal reply? Added a rule a little while ago. 76.9.16.171 has been going at it since about 6am pst on my servers. Was curious at exactly what was going on, so I ran tcpdump for a few minutes grep’ing the ip. Glad my acl is working accordingly, but annoyed at the 2 queries per second, as well as the reply.

Cheers,
Vishnu

]]> By: Martijn http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/comment-page-1/#comment-9458 Martijn Mon, 19 Jan 2009 05:39:25 +0000 http://www.stupendous.net/?p=269#comment-9458 <p>I came accross the same two IP ranges while re-installing Bind. At first I through it was me making a configuration error somewhere since they came so frequently.</p> <p>I now added them to the firewall drop list.</p> I came accross the same two IP ranges while re-installing Bind. At first I through it was me making a configuration error somewhere since they came so frequently.

I now added them to the firewall drop list.

]]> By: Bruce Clark http://www.stupendous.net/archives/2009/01/19/annoying-dns-recursive-queries/comment-page-1/#comment-9457 Bruce Clark Mon, 19 Jan 2009 00:58:52 +0000 http://www.stupendous.net/?p=269#comment-9457 <p>I'm getting the exact same thing claiming to be from the same IP address on all 4 of my DNS servers. I found your blog by googling for the 76.9.16.171 ip address. These three DNS servers of mine exist on 3 entirely different networks - and all are getting hit with these recursive DNS queries at the same time. I've added rules in all three network to drop incoming DNS queries of any kind on UDP port 53 from 76.9.0.0/19 so that my BIND boxes don't keep clobbering this victim with query refused packets. I doubt this network would have any reason to lookup anything legit from my network - and I'll drop these rules in a few days of this crap stops! Sure would be nice to know who the luser is sending out these spoofed queries!</p> <p>Bruce.</p> I’m getting the exact same thing claiming to be from the same IP address on all 4 of my DNS servers. I found your blog by googling for the 76.9.16.171 ip address. These three DNS servers of mine exist on 3 entirely different networks – and all are getting hit with these recursive DNS queries at the same time. I’ve added rules in all three network to drop incoming DNS queries of any kind on UDP port 53 from 76.9.0.0/19 so that my BIND boxes don’t keep clobbering this victim with query refused packets. I doubt this network would have any reason to lookup anything legit from my network – and I’ll drop these rules in a few days of this crap stops! Sure would be nice to know who the luser is sending out these spoofed queries!

Bruce.

]]>