Hi there
Like many others on here I suspect, we allow recursive dns queries, which is the default cpanel install situation (with Bind, anyway). Recently we've noticed our outbound traffic ramp and are receiving double bandwidth charges from our suppliers. Today I noticed high outbound on a box and using tcpdump identified what I believe to be a dns amplification attack.
How do we turn off recursion in WHM and whitelist our own hosts which refer to each other in /etc/resolv.conf?
Must this be done in named.conf as I suspect, since I can't find any settings to adjust in WHM.
It's important that the server continues to return dns lookups for the domains for which it is authoritative. Presumably turning off recursion doesn't interfere with this?
For those interested, I post a few tcpdump logs so you too can check to see if you're affected:
14:30:03.210460 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
14:30:03.210482 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
14:30:03.210503 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
14:30:03.210525 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
14:30:03.210547 IP static-ip-69-64-33-192.inaddr.ip-pool.com.47635 > 195.238.munged.domain: 11424+ [1au] ANY? . (28)
{times hundreds of entries}
Interestingly, dropping static-ip-69-64-33-192.inaddr.ip-pool.com in the firewall rules has no effect. And anyway, loads more hosts are also targeted.
Best
Dude
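Added example, not the poster's configuration or anything cPanel generates: a named.conf fragment that does what the post asks, keeping authoritative answers open to everyone while restricting recursion to the box's own resolvers. It assumes BIND 9 and uses 192.0.2.10 and 192.0.2.11 as placeholder addresses for the two nameservers that point at each other in /etc/resolv.conf.

```conf
// Added example; addresses are placeholders, not real hosts.
// ACL of hosts allowed to use this server as a recursive resolver:
// localhost plus the servers listed in each other's /etc/resolv.conf.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.10;   // placeholder: this server's own public IP
    192.0.2.11;   // placeholder: the sibling nameserver
};

options {
    // ... keep the existing cPanel-generated options here ...

    // Zones this server is authoritative for keep answering everyone.
    allow-query { any; };

    // Recursive lookups (names this server does not host) are answered
    // only for the trusted ACL; any other client gets REFUSED, so the
    // server can no longer be used as an open amplifier. Queries such as
    // "ANY? ." in the tcpdump above fall into this category.
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };

    // Optional, BIND 9.10 or later: Response Rate Limiting caps how many
    // identical responses a client gets per second, which also blunts
    // reflection off the authoritative zones themselves.
    rate-limit {
        responses-per-second 10;
    };
};
```

`named-checkconf` validates the edited file and `rndc reload` applies it; afterwards `dig @your-server example.com` from an outside host should return status REFUSED for a name you do not host, while your own domains still resolve.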