The Community Forums


Lots of DNS External Queries to nasa.gov on my server

Discussion in 'Security' started by garconcn, Apr 23, 2013.

  1. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    I noticed that there are lots of queries after I enabled the BIND querylog. I saw several different IPs trying to query nasa.gov constantly. What's wrong with my server? Is this an attack?

    I have both TCP and UDP port 53 open for both inbound and outbound in CSF. When I blocked inbound port 53, the queries stopped. Because I have domains using the DNS on this cPanel server, I am not sure whether I need to open the inbound firewall for port 53 or not.

    /var/log/messages

    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#4654: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#29819: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#43263: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#27029: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#32344: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#10101: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#31960: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#61520: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#1033: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#54480: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#7722: view external: query: nasa.gov IN ANY +
    Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#28636: view external: query: nasa.gov IN ANY +
     
    #1 garconcn, Apr 23, 2013
    Last edited: Apr 23, 2013
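    The pattern in the log above (many `IN ANY` queries for one name, from one client address, in the same second, each from a different source port) is what a reflection attempt using a spoofed victim address looks like in a BIND querylog. As an added example, not code from either poster, the following Python reads querylog lines of the layout shown in the post and flags such groups; the sample lines are constructed from the post plus two ordinary queries from documentation addresses (203.0.113.x), and the threshold of five is an arbitrary choice.

```python
import re
from collections import defaultdict

# Regex for a BIND 9 querylog line as written to /var/log/messages.
# The field layout matches the lines quoted in the post; the trailing
# flags field ("+" means recursion desired) is captured as well.
QUERYLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?query: (?P<name>\S+) "
    r"(?P<class>\S+) (?P<type>\S+) (?P<flags>\S+)$"
)


def parse_querylog(lines):
    """Yield one dict per parsable querylog line; other lines are skipped."""
    for line in lines:
        m = QUERYLOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_any_floods(lines, threshold=5):
    """Group ANY queries by (timestamp second, client IP, qname) and report
    every group whose size reaches `threshold`.

    Many ANY queries for one name from one IP in one second, each from a
    different source port, is the signature of a reflection attempt: the
    "client" is the spoofed address of the intended victim."""
    groups = defaultdict(list)  # (ts, ip, name) -> list of source ports
    for q in parse_querylog(lines):
        if q["type"].upper() == "ANY":
            groups[(q["ts"], q["ip"], q["name"])].append(q["port"])
    return [
        {
            "ts": ts,
            "client": ip,
            "qname": name,
            "count": len(ports),
            "distinct_ports": len(set(ports)),
        }
        for (ts, ip, name), ports in groups.items()
        if len(ports) >= threshold
    ]


# Constructed sample: six of the lines quoted in the post plus two
# ordinary queries (documentation addresses) that must not be flagged.
SAMPLE_LOG = """\
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#4654: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#29819: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#43263: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#27029: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#32344: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#10101: view external: query: nasa.gov IN ANY +
Apr 23 13:45:44 MYSERVER named[26312]: client 203.0.113.10#53211: view external: query: www.example.com IN A -
Apr 23 13:45:44 MYSERVER named[26312]: client 203.0.113.11#40001: view external: query: example.com IN ANY +
""".splitlines()


if __name__ == "__main__":
    for hit in find_any_floods(SAMPLE_LOG):
        print("{ts} {client} -> {qname}: {count} ANY queries "
              "from {distinct_ports} source ports".format(**hit))
```

    Run it against the real file with `find_any_floods(open("/var/log/messages"))`; the regex ignores every non-querylog line. A flagged client is the address being reflected onto, not the attacker, so the useful follow-up is to confirm the server is not answering these queries recursively rather than to block that address.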
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
  3. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    Thanks for your reply.

    I checked my /etc/named.conf file; the recursion for external was set to "no" by default. Do I need to put "recursion no" in the global options section?

    view "external" {
        recursion no;
    }
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I'm not a named expert (though I do have a lot of experience with it); I just usually mitigate DNS amplification attacks. As far as I know, you must set the allow-recursion option in the global options section to properly limit or disable recursion. I haven't seen it done under the view section before.

    If you want to test your server to see if it is an open resolver, run this from a Linux terminal on another machine:

    dig cpanel.net @1.2.3.4 #(where 1.2.3.4 is your server's IP).

    You could also use a web tool like Dig web interface; if you do that, set nameservers to "specify myself" and put in your server's IP. Then try to dig for an A record of a site you do not host. If you get a response, then you need to re-configure named.
     
  5. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    Thanks. My server is not an open resolver. I can only query the domains on my server, but not domains like cpanel.net or nasa.gov. I am not sure why there are lots of queries to nasa.gov in the querylog.


    ;; QUESTION SECTION:
    ;cpanel.net. IN A

    ;; AUTHORITY SECTION:
    . 518400 IN NS L.ROOT-SERVERS.net.
    . 518400 IN NS M.ROOT-SERVERS.net.
    . 518400 IN NS A.ROOT-SERVERS.net.
    . 518400 IN NS B.ROOT-SERVERS.net.
    . 518400 IN NS C.ROOT-SERVERS.net.
    . 518400 IN NS D.ROOT-SERVERS.net.
    . 518400 IN NS E.ROOT-SERVERS.net.
    . 518400 IN NS F.ROOT-SERVERS.net.
    . 518400 IN NS G.ROOT-SERVERS.net.
    . 518400 IN NS H.ROOT-SERVERS.net.
    . 518400 IN NS I.ROOT-SERVERS.net.
    . 518400 IN NS J.ROOT-SERVERS.net.
    . 518400 IN NS K.ROOT-SERVERS.net.
     
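    The check quizknows describes in #4 (query a name you do not host and see whether you get an answer) and the output garconcn pasted in #5 (a referral to the root servers instead of an answer) can be turned into a small classifier. As an added example, not code from either poster, the following Python parses dig's text output and reports whether the server acted as an open resolver. The referral sample reuses the post's authority section (first three of its thirteen root NS lines) under a constructed header; the "open" and "refused" samples are constructed entirely, using documentation addresses (192.0.2.x).

```python
import re


def parse_dig_sections(text):
    """Split dig's text output into its ';; X SECTION:' blocks, returning
    {section_name: [record lines]} with comment lines and blanks dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^;; (\w+) SECTION:$", line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue
        sections[current].append(line)
    return sections


def header_status(text):
    """The rcode from dig's ';; ->>HEADER<<-' line (NOERROR, REFUSED, ...)."""
    m = re.search(r"->>HEADER<<- opcode: \w+, status: (\w+)", text)
    return m.group(1) if m else None


def header_flags(text):
    """The flag set from dig's ';; flags:' line (qr, aa, rd, ra, ...)."""
    m = re.search(r"^;; flags: ([^;]*);", text, re.M)
    return set(m.group(1).split()) if m else set()


def classify_resolver(text, qname):
    """Classify one dig response for `qname`, a name the server does not host.

    'open'     : records for qname came back without the aa flag, so the
                 server recursed on behalf of an arbitrary client.
    'referral' : only a delegation (here the root NS set) was returned.
    'refused'  : rcode REFUSED, the usual result when allow-recursion denies
                 the querying address.
    'no-answer': anything else (e.g. SERVFAIL, or no matching records)."""
    if header_status(text) == "REFUSED":
        return "refused"
    sections = parse_dig_sections(text)
    answers = sections.get("ANSWER", [])
    owner = qname.rstrip(".") + "."
    if any(a.split()[0] == owner for a in answers) and "aa" not in header_flags(text):
        return "open"
    authority = sections.get("AUTHORITY", [])
    if not answers and authority and all(a.split()[0] == "." for a in authority):
        return "referral"
    return "no-answer"


# Constructed header plus the first three AUTHORITY lines from the post.
REFERRAL_OUTPUT = """\
; <<>> DiG 9.3.6 <<>> cpanel.net @192.0.2.53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;cpanel.net.\t\tIN\tA

;; AUTHORITY SECTION:
.\t518400\tIN\tNS\tL.ROOT-SERVERS.net.
.\t518400\tIN\tNS\tM.ROOT-SERVERS.net.
.\t518400\tIN\tNS\tA.ROOT-SERVERS.net.
"""

# Constructed: what an open resolver would return for the same query.
OPEN_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cpanel.net.\t\tIN\tA

;; ANSWER SECTION:
cpanel.net.\t300\tIN\tA\t192.0.2.10
"""

# Constructed: the response when allow-recursion rejects the client.
REFUSED_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9999
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cpanel.net.\t\tIN\tA
"""

if __name__ == "__main__":
    for label, out in (("referral", REFERRAL_OUTPUT), ("open", OPEN_OUTPUT),
                       ("refused", REFUSED_OUTPUT)):
        print(label, "->", classify_resolver(out, "cpanel.net"))
```

    Feed it real output with `classify_resolver(subprocess.check_output(["dig", "cpanel.net", "@1.2.3.4"]).decode(), "cpanel.net")`. Both 'referral' and 'refused' mean the server did not resolve the name for you; the difference is only in how much it says, which is why the root-hints output in #5 still counts as "not an open resolver".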
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Your server is still providing root hints. Are you on CentOS4 or something?
     
  7. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    I am using CentOS 5.9. Do you mean the server should not return this part?

     
  8. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Yeah. It's not a huge deal. I usually only see that on cent4, my cent5/6 boxes don't do that. Strange.
     