DNS attack, need advice

sevi

Registered
Nov 6, 2013
4
0
1
cPanel Access Level
Root Administrator
For the past few days I've been seeing loads and loads of "view external: query (cache) 'isc.org/ANY/IN' denied" queries in /var/log/messages, at least 1 query every second. Usually 2-5 different IPs every day. I keep blocking if I see multiple queries from the same IP, but is there any other way to fix this?
Thanks
 

sevi

Thank you, I will take a look at it.

- - - Updated - - -

I looked at that thread and the solution posted there is only to stop logging the cache denied messages. But is there any way to actually stop those IPs from making queries? How can constant queries affect my server? I'm fairly new to this and still learning, so any advice would be appreciated.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
You cannot control the actions of a remote server, but you can block the IP addresses with a firewall if you notice the same IP continuing to make queries. It's not really going to cause you any problems, and it's actually normal to see these events in the logs from time to time. It's better to leave the logging on in my opinion so that you know which IP addresses to block.

Thank you.
 

sevi

This is what I've been doing, but sometimes I can't monitor logs. Is it possible to block an IP automatically if it does more than, let's say, 50 queries or something like that?
 

cPanelMichael

sevi said: "This is what I've been doing, but sometimes I can't monitor logs. Is it possible to block an IP automatically if it does more than, let's say, 50 queries or something like that?"
There are no options in cPanel that will block IP addresses in that fashion. You may want to check to see if you can implement any custom firewall rules for that with an application such as CSF.

Thank you.
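
An added example, not part of the thread and not cPanel or CSF code: one way to find the addresses that exceed the 50-query threshold asked about above, by counting the "query (cache) ... denied" lines per client. The sample log lines are constructed in the format quoted in the first post; the function names, the threshold default and the allowlist parameter are assumptions.

```python
import re
from collections import Counter

# BIND syslog line for a refused cache query, e.g.
#   ... named[1234]: client 192.0.2.10#40000: view external: query (cache) 'isc.org/ANY/IN' denied
# Newer BIND releases add "@0x..." before the address and "(qname)" after the port.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: (?:view \S+: )?"
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/[^']+' denied"
)


def count_denied(lines):
    """Count denied cache queries per client address."""
    counts = Counter()
    for line in lines:
        match = DENIED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def over_threshold(lines, threshold=50, allowlist=()):
    """Return addresses with more than `threshold` denied queries in `lines`.

    DNS over UDP does not verify the source address, so the result is a list
    of candidates to review before adding firewall rules; `allowlist` keeps
    known-good addresses (your own resolvers, monitoring) out of it.
    """
    counts = count_denied(lines)
    return sorted(ip for ip, n in counts.items() if n > threshold and ip not in allowlist)


def _sample_line(ip, n):
    # Constructed log line in the format quoted in the thread.
    return (f"Nov  6 10:{n // 60:02d}:{n % 60:02d} host named[1234]: client {ip}#{40000 + n}: "
            "view external: query (cache) 'isc.org/ANY/IN' denied")


# Constructed sample: one noisy client, one quiet client, one unrelated line.
SAMPLE = (
    [_sample_line("192.0.2.10", n) for n in range(60)]
    + [_sample_line("198.51.100.7", n) for n in range(3)]
    + ["Nov  6 10:00:05 host named[1234]: zone example.com/IN: loaded serial 2013110601"]
)

if __name__ == "__main__":
    for ip in over_threshold(SAMPLE):
        print(ip)
```

To use it on a server, pass the lines of /var/log/messages for the period you want to examine instead of SAMPLE.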
 

sevi

Thanks. I will just keep checking all the logs. Just wanted to make sure my customers can still access the website when someone is making tons of DNS queries.

- - - Updated - - -

It's not normal if I have 5-10 of "view external: query (cache) 'isc.org/ANY/IN' denied" every second for like 20-30 minutes, right?

- - - Updated - - -

I checked the IP and it's not on any blacklist report.

- - - Updated - - -

Do I need to restart BIND after this?
 

cPanelMichael

I recommend blocking the IP address with a firewall such as CSF. Restarting BIND is not necessary.

Thank you.