The Community Forums


DNS attack, need advice

Discussion in 'Security' started by sevi, Nov 6, 2013.

  1. sevi

    sevi Registered

    Joined:
    Nov 6, 2013
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    For the past few days I've been seeing loads and loads of "view external: query (cache) 'isc.org/ANY/IN' denied" queries in /var/log/messages, at least 1 query every second. Usually 2-5 different IPs every day. I keep blocking if I see multiple queries from the same IP, but is there any other way to fix this?
    Thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. sevi

    sevi Registered

    Thank you, I will take a look at it.

    - - - Updated - - -

    I looked at that thread and the solution posted there is only to stop logging the cache denied messages. But is there any way to actually stop those IPs from making queries? How can constant queries affect my server? I'm fairly new to this and still learning, so any advice would be appreciated.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You cannot control the actions of a remote server, but you can block the IP addresses with a firewall if you notice the same IP continuing to make queries. It's not really going to cause you any problems, and it's actually normal to see these events in the logs from time to time. It's better to leave the logging on in my opinion so that you know which IP addresses to block.

    Thank you.
     
  5. sevi

    sevi Registered

    This is what I've been doing, but sometimes I can't monitor logs. Is it possible to block an IP automatically if it does more than, let's say, 50 queries or something like that?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    There are no options in cPanel that will block IP addresses in that fashion. You may want to check to see if you can implement any custom firewall rules for that with an application such as CSF.

    Thank you.
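
The per-IP threshold asked about above (more than 50 denied queries), as an added example that is not part of the original thread and is not cPanel or CSF code. It assumes the standard BIND syslog prefix `client <ip>#<port>:` before the quoted message; the function names, the 60-second window and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed BIND syslog layout (the thread quotes only the tail of the line):
# "<Mon DD HH:MM:SS> host named[pid]: client <ip>#<port>: ... query (cache) '<q>' denied"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*named\[\d+\]:\s+client\s+"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+.*query \(cache\) '(?P<q>[^']+)' denied"
)

def parse(line, year=2013):
    """Return (timestamp, source IP, query) for a denied-cache line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["q"]

def offenders(lines, threshold=50, window=60, year=2013):
    """IPs with more than `threshold` denied queries inside any `window` seconds.
    Returns {ip: peak count seen in one window}; lines must be in log order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        rec = parse(line, year)
        if rec is None:
            continue
        ts, ip, _ = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def sample_lines():
    """Constructed sample (documentation addresses): one noisy source, one quiet."""
    fmt = ("Nov  6 10:15:{s:02d} host1 named[1234]: client {ip}#{port}: "
           "view external: query (cache) 'isc.org/ANY/IN' denied")
    noisy = [fmt.format(s=i // 5, ip="203.0.113.5", port=40000 + i) for i in range(100)]
    quiet = [fmt.format(s=i * 10, ip="198.51.100.7", port=50000 + i) for i in range(5)]
    return noisy + quiet

if __name__ == "__main__":
    for ip, n in offenders(sample_lines()).items():
        print(f"{ip}: {n} denied queries within 60s")
```

Source addresses on UDP DNS queries can be forged, so review the flagged addresses before turning them into firewall rules.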
     
  7. sevi

    sevi Registered

    Thanks. I will just keep checking all the logs. Just wanted to make sure my customers can still access the website when someone is making tons of DNS queries.

    - - - Updated - - -

    It's not normal if I have 5-10 of "view external: query (cache) 'isc.org/ANY/IN' denied" every second for like 20-30 minutes, right?

    - - - Updated - - -

    I checked the IP and it's not on any blacklist report.

    - - - Updated - - -

    Do I need to restart BIND after this?
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
