DNS attack, need advice

sevi

Registered
Nov 6, 2013
4
0
1
cPanel Access Level
Root Administrator
Past few days ive been seeing loads and loads of "view external: query (cache) 'isc.org/ANY/IN' denied" queries in /var/log/messages, at least 1 query every second. Usually 2-5 different Ip's every day. I keep blocking if i see multiple queries from the same IP, but is there any other way to fix this.
Thanks
 

sevi

Registered
Nov 6, 2013
4
0
1
cPanel Access Level
Root Administrator
thank you, i will take a look at it

- - - Updated - - -

I looked at that thread and the solution posted there is only to stop logging the cache denied messages. But is there any way to actually stop those IPs from making queries? How do constant queries can affect my server? Im fairly new to this and still learning, so any advice would be apreciated.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
You can not control the actions of a remote server, but you can block the IP addresses with a firewall if you notice the same IP containing to make queries. It's not really going to cause you any problems, and it's actually normal to see these events in the logs from time to time. It's better to leave the logging on in my opinion so that you know which IP addresses to block.

Thank you.
 

sevi

Registered
Nov 6, 2013
4
0
1
cPanel Access Level
Root Administrator
this is what ive been doing, but sometimes i cant monitor logs. Is it possible to block ip automatically if it does more than lets say 50 queries or something like that?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
this is what ive been doing, but sometimes i cant monitor logs. Is it possible to block ip automatically if it does more than lets say 50 queries or something like that?
There are no options in cPanel that will block IP addresses in that fashion. You may want to check to see if you can implement any custom firewall rules for that with an application such as CSF.

Thank you.
 

sevi

Registered
Nov 6, 2013
4
0
1
cPanel Access Level
Root Administrator
Thanks. I will just keep checking all the logs. Just wanted to make sure my customers still can access website when someone making tons of dns queries.

- - - Updated - - -

It's not normal if i have 5-10 of "view external: query (cache) 'isc.org/ANY/IN' denied" every second for like 20-30 minutes, right?

- - - Updated - - -

i checked the IP and its not on any blacklist report

- - - Updated - - -

Do i need to restart Bind after this?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
I recommend blocking the IP address with a firewall such as CSF. Restarting BIND is not necessary.

Thank you.