Lots of DNS External Queries to nasa.gov on my server

[garconcn]

I noticed that there's lots of queries after I enabled the BIND querylog. I saw several different IPs were trying to query nasa.gov constantly. What's wrong with my server? Is this an attack?

I have both tcp and udp port 53 opened in both inbound and outbound in CSF. When I blocked inbound port 53, the query stopped. Because I have domains using the DNS on this cpanel server, I am not sure whether I need to open inbound firewall for port 53 or not.

/var/log/messages

Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#4654: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#29819: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#43263: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#27029: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#32344: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#10101: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#31960: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#61520: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#1033: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#54480: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#7722: view external: query: nasa.gov IN ANY +
Apr 23 13:45:43 MYSERVER named[26312]: client 94.249.193.57#28636: view external: query: nasa.gov IN ANY +

 

[quizknows]

They may be trying to use your server in a DNS amplification attack. Make sure you've limited or disabled recursion in your named config. See the informaiton I helped this person with here: http://forums.cpanel.net/f185/dns-amplification-attack-mitigation-efforts-337442.html

And yeah, you'll probably need to leave 53 open for both in/out if you're an authoritative nameserver for any domains hosted on your server.

 

[garconcn]

They may be trying to use your server in a DNS amplification attack. Make sure you've limited or disabled recursion in your named config. See the informaiton I helped this person with here: http://forums.cpanel.net/f185/dns-amplification-attack-mitigation-efforts-337442.html

And yeah, you'll probably need to leave 53 open for both in/out if you're an authoritative nameserver for any domains hosted on your server.

Thanks for your reply.

I checked my /etc/named.conf file, the recursion for external was set to "no" by default. Do I need to put "recursion no" in the global option section?

view "external" {
recursion no;
}

 

[quizknows]

I'm not a named expert (though I do have a lot of experience with it), I just usually mitigate DNS amplification attacks. As far as I know, you must set the allow-recursion option in the global options section to properly limit or disable recursion. I haven't seen it done under the view section before.

If you want to test your server to see if it is an open resolver, run this from a linux terminal on another machine;

dig cpanel.net @1.2.3.4 #(where 1.2.3.4 is your servers IP).

You could also use a web tool like Dig web interface , if you do that, set nameservers to "specify myself" and put in your servers IP. Then try to dig for an A record of a site you do not host. If you get a response, then you need to re-configure named.

 

[garconcn]

I'm not a named expert (though I do have a lot of experience with it), I just usually mitigate DNS amplification attacks. As far as I know, you must set the allow-recursion option in the global options section to properly limit or disable recursion. I haven't seen it done under the view section before.

If you want to test your server to see if it is an open resolver, run this from a linux terminal on another machine;

dig cpanel.net @1.2.3.4 #(where 1.2.3.4 is your servers IP).

You could also use a web tool like Dig web interface , if you do that, set nameservers to "specify myself" and put in your servers IP. Then try to dig for an A record of a site you do not host. If you get a response, then you need to re-configure named.

Thanks. My server is not an open resolver. I can only query the domain on my server, but not domains like cpanel.net, nasa.gov. I am not sure why there's lots of queries to nasa.gov in the querylog.


;; QUESTION SECTION:
;cpanel.net. IN A

;; AUTHORITY SECTION:
. 518400 IN NS L.ROOT-SERVERS.net.
. 518400 IN NS M.ROOT-SERVERS.net.
. 518400 IN NS A.ROOT-SERVERS.net.
. 518400 IN NS B.ROOT-SERVERS.net.
. 518400 IN NS C.ROOT-SERVERS.net.
. 518400 IN NS D.ROOT-SERVERS.net.
. 518400 IN NS E.ROOT-SERVERS.net.
. 518400 IN NS F.ROOT-SERVERS.net.
. 518400 IN NS G.ROOT-SERVERS.net.
. 518400 IN NS H.ROOT-SERVERS.net.
. 518400 IN NS I.ROOT-SERVERS.net.
. 518400 IN NS J.ROOT-SERVERS.net.
. 518400 IN NS K.ROOT-SERVERS.net.

 

[quizknows]

Your server is still providing root hints. Are you on CentOS4 or something?

 

[garconcn]

Your server is still providing root hints. Are you on CentOS4 or something?

I am using CentOS 5.9. Do you mean the server should not return this part?

; AUTHORITY SECTION:
. 518400 IN NS L.ROOT-SERVERS.net.
. 518400 IN NS M.ROOT-SERVERS.net.

 

[quizknows]

Yeah. It's not a huge deal. I usually only see that on cent4, my cent5/6 boxes don't do that. Strange.