Solokron (Well-Known Member, joined Aug 8, 2003, Seattle, cPanel Access Level: DataCenter Provider):
Anyone seen this before? It brought our server to a halt and it is not a cheap server. Softdog kicked in and rebooted the server automatically. Checking the message log it was flooded with the following before the lock up which looks like a DNS injection attempt all within a few seconds:


Code:
Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '34.94.63.74.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '222.51.228.201.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '222.51.228.201.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '222.51.228.201.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '222.51.228.201.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '80.129.120.77.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46176: view localhost_resolver: query (cache) '56.143.136.213.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46176: view localhost_resolver: query (cache) 'ip-143-56.sn3.eutelia.it/AAAA/IN' denied
Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46176: view localhost_resolver: query (cache) 'ip-143-56.sn3.eutelia.it/A/IN' denied
Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46176: view localhost_resolver: query (cache) '80.129.120.77.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46177: view localhost_resolver: query (cache) '237.173.87.93.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46178: view localhost_resolver: query (cache) '60.80.103.200.zen.spamhaus.org/A/IN' denied
Oct 31 11:46:41 server named[9645]: client 127.0.0.1#46178: view localhost_resolver: query (cache) '60.80.103.200.zen.spamhaus.org/TXT/IN' denied
Oct 31 11:46:41 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) '237.173.87.93.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:41 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'harma.pair.com/AAAA/IN' denied
Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'harma.pair.com/A/IN' denied
Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'automobilesshow.com/MX/IN' denied
Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'mx4.automobilesshow.com/AAAA/IN' denied
Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'mx4.automobilesshow.com/A/IN' denied
Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'mx3.automobilesshow.com/AAAA/IN' denied
Oct 31 11:46:43  named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'dynamic-ip-19015821362.cable.net.co/AAAA/IN' denied
Oct 31 11:46:43  named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'dynamic-ip-19015821362.cable.net.co/A/IN' denied
Oct 31 11:46:43  named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) '35.39.125.84.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) 'everbestinfo.net/MX/IN' denied
Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) 'mx1.everbestinfo.net/AAAA/IN' denied
Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) 'mx1.everbestinfo.net/A/IN' denied
Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) '34.94.63.74.zen.spamhaus.org/A/IN' denied
Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) '34.94.63.74.bl.spamcop.net/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) '130.128.135.190.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46181: view localhost_resolver: query (cache) '236.117.123.89.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46181: view localhost_resolver: query (cache) '236.117.123.89.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46181: view localhost_resolver: query (cache) '84.125.39.35.dyn.user.ono.com/AAAA/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46182: view localhost_resolver: query (cache) 'hotmail.com/MX/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46182: view localhost_resolver: query (cache) 'mx3.hotmail.com/AAAA/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46182: view localhost_resolver: query (cache) 'mx3.hotmail.com/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46183: view localhost_resolver: query (cache) 'r190-135-128-130.dialup.adsl.anteldata.net.uy/AAAA/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46184: view localhost_resolver: query (cache) 'mx4.hotmail.com/AAAA/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46184: view localhost_resolver: query (cache) 'mx4.hotmail.com/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46184: view localhost_resolver: query (cache) 'mx1.hotmail.com/AAAA/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46184: view localhost_resolver: query (cache) 'mx1.hotmail.com/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46185: view localhost_resolver: query (cache) '84.125.39.35.dyn.user.ono.com/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46186: view localhost_resolver: query (cache) 'mx2.hotmail.com/AAAA/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46187: view localhost_resolver: query (cache) 'twitter.com/AAAA/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46188: view localhost_resolver: query (cache) '29.141.107.82.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46189: view localhost_resolver: query (cache) 'mx2.hotmail.com/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46190: view localhost_resolver: query (cache) 'twitter.com/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46191: view localhost_resolver: query (cache) 'host29-141-static.107-82-b.business.telecomitalia.it/AAAA/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46191: view localhost_resolver: query (cache) 'host29-141-static.107-82-b.business.telecomitalia.it/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46192: view localhost_resolver: query (cache) 'r190-135-128-130.dialup.adsl.anteldata.net.uy/A/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46193: view localhost_resolver: query (cache) '236.117.123.89.zen.spamhaus.org/A/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46194: view localhost_resolver: query (cache) '11.124.132.95.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46195: view localhost_resolver: query (cache) '11.124.132.95.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46195: view localhost_resolver: query (cache) '236.117.123.89.zen.spamhaus.org/TXT/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46199: view localhost_resolver: query (cache) 'spam.securemail-asp.com/AAAA/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46201: view localhost_resolver: query (cache) 'msn.ca/MX/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46201: view localhost_resolver: query (cache) 'msn.ca/AAAA/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46201: view localhost_resolver: query (cache) 'msn.ca/A/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46202: view localhost_resolver: query (cache) '96.71.186.212.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46201: view localhost_resolver: query (cache) 'msn.ca/A/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46202: view localhost_resolver: query (cache) '96.71.186.212.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46203: view localhost_resolver: query (cache) 'spam.securemail-asp.com/A/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46204: view localhost_resolver: query (cache) '35.39.125.84.zen.spamhaus.org/A/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46205: view localhost_resolver: query (cache) '18.100.13.83.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46206: view localhost_resolver: query (cache) 'chello212186071096.14.vie.surfer.at/AAAA/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46207: view localhost_resolver: query (cache) '29.141.107.82.zen.spamhaus.org/A/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46208: view localhost_resolver: query (cache) 'fdw18.internetdsl.tpnet.pl/AAAA/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46209: view localhost_resolver: query (cache) 'chello212186071096.14.vie.surfer.at/A/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46210: view localhost_resolver: query (cache) 'fdw18.internetdsl.tpnet.pl/A/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46211: view localhost_resolver: query (cache) '29.141.107.82.zen.spamhaus.org/TXT/IN' denied
There were a bit more but there is a character limit on posts.

Fortunately I have a trusted ACL which only binds to local IPs so all these were denied but it still brought my server down.

mtindor (Well-Known Member, joined Sep 14, 2004, inside a catfish, cPanel Access Level: Root Administrator):

> Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '34.94.63.74.in-addr.arpa/PTR/IN' denied
So, 127.0.0.1 (your own server localhost) is making a query to 127.0.0.1 asking for DNS records, and because of the way your Bind is configured it isn't allowing it.

In your /etc/resolv.conf, do you have the cpanel nameservers on that machine listed? Or are you using other resolvers?

Typically, anything on localhost is going to by default attempt to contact the servers listed in /etc/resolv.conf. If your /etc/resolv.conf contains IPs of the local cpanel nameservers running on that machine, then anything on localhost should by default be querying those servers.

If you have 127.0.0.1 listed in /etc/resolv.conf, make sure that your Bind configuration is set up to allow queries to the localhost resolver from 127.0.0.1 (itself).

Of course, that doesn't necessarily explain _what_ is actually generating those queries.

Looks like it is probably Spamassassin making queries to 127.0.0.1 (which are being denied by 127.0.0.1 based upon the configuration of that view in Bind). And that's probably happening when a piece of email comes in and gets run through spamassassin. I guess it could be Exim itself making those queries... at any rate, it looks like queries being made when you are receiving incoming mail, so the queries are likely coming from some email application. I doubt there is anything malicious about that.

If you have 127.0.0.1 in your /etc/resolv.conf, then local applications relying upon DNS are going to query 127.0.0.1 to get an answer, and if your Bind is not configured to allow those queries from 127.0.0.1 or to the localhost resolver, that may happen... and perhaps your server was being brought to a crawl because you had a lot of incoming mail for which spamassassin / exim couldn't make the proper queries, so the incoming SMTP connections and Exim / Spamassassin processes were building up.


Mike
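As an added example (not code from the thread), here is a Python triage of "query ... denied" lines in the shape of the log above: it parses each line, classifies the lookup as DNSBL, reverse (PTR), MX or other forward lookup, and reads loopback-only clients plus mostly mail-style lookups as a local mail filter being refused recursion rather than outside abuse. The sample lines are copied from the log in the first post; the DNSBL suffix list is the two blocklists that appear in it.

```python
import re
from collections import Counter
# Sample lines copied from the thread's message log (some lack the hostname field).
SAMPLE_LOG = """\
Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '34.94.63.74.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46178: view localhost_resolver: query (cache) '60.80.103.200.zen.spamhaus.org/A/IN' denied
Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'automobilesshow.com/MX/IN' denied
Oct 31 11:46:43  named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'dynamic-ip-19015821362.cable.net.co/AAAA/IN' denied
Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) '34.94.63.74.bl.spamcop.net/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46182: view localhost_resolver: query (cache) 'hotmail.com/MX/IN' denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) +(?:\S+ +)?named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>\w+)/IN' denied$"
)
DNSBL_SUFFIXES = (".zen.spamhaus.org", ".bl.spamcop.net")  # the blocklists seen in the log

def parse_line(line):
    """Fields of one 'query ... denied' line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(qname, qtype):
    """Kinds of lookup a mail filter makes: DNSBL, reverse (PTR) or MX; else 'forward'."""
    if qname.endswith(DNSBL_SUFFIXES):
        return "dnsbl"
    if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
        return "reverse"
    return "mx" if qtype == "MX" else "forward"

def summarize(log_text):
    """Count denied queries by client address, view and lookup kind."""
    stats = {"parsed": 0, "clients": Counter(), "views": Counter(), "kinds": Counter()}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        stats["parsed"] += 1
        stats["clients"][rec["ip"]] += 1
        stats["views"][rec["view"]] += 1
        stats["kinds"][classify(rec["qname"], rec["qtype"])] += 1
    return stats

def verdict(stats):
    """Loopback-only clients plus mostly DNSBL/PTR/MX lookups points at a local
    mail pipeline being refused recursion, not at remote abuse."""
    mail_like = sum(stats["kinds"][k] for k in ("dnsbl", "reverse", "mx"))
    if set(stats["clients"]) == {"127.0.0.1"} and mail_like * 2 >= stats["parsed"]:
        return "local-mail-denied"
    return "review-client-sources"
```

Feeding the whole /var/log/messages through `summarize` also shows the burst rate per second, which is what matters for the load question.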

kernow (Well-Known Member, joined Jul 23, 2004, cPanel Access Level: Root Administrator):

> In your localhost_resolver view in /etc/named.conf, perhaps you should have:
>
> recursion yes;
>
> Mike
Something like an ACL in /etc/named.conf to allow recursion from trusted IPs might be better, example:
acl "trusted" {
    127.0.0.1;
    #add your other IPs here#
};
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    version "not currently available";
    allow-notify { trusted; };
    allow-transfer { trusted; };
    allow-recursion { trusted; };
};

Solokron (Well-Known Member, joined Aug 8, 2003, Seattle, cPanel Access Level: DataCenter Provider):
Well I misinterpreted that then. What I have set is...

controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

acl "trusted" {
    IP1;
    IP2;
};

options {
    directory "/var/named";
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };

Lower down though I do have...


view "external" {
    /* This view will contain zones you want to serve only to "external" clients
     * that have addresses that are not on your directly attached LAN interface subnets:
     */
    recursion no;

mtindor (Well-Known Member, joined Sep 14, 2004, inside a catfish, cPanel Access Level: Root Administrator):
You're right... you definitely want to limit recursion. But in the localhost resolver view it is typically already set up to limit any queries:

view "localhost_resolver" {
    match-clients { 127.0.0.0/24; };
    match-destinations { localhost; };
    recursion yes;

Since the only clients able to query the localhost_resolver view are 127.0.0.x, then a simple "recursion yes;" does the trick.

Of course, if your localhost_resolver view doesn't limit the clients that are allowed to query that view, then you want an ACL added like you mentioned.

M
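An added example, not code from the thread: a small Python audit that pulls each `view` out of named.conf-style text and reports whether recursion is off, limited by `match-clients` or `allow-recursion`, or open to any client (the case the reply above says needs an ACL). The sample config is constructed to mirror the views quoted in this thread.

```python
import re
# Constructed sample in the shape of the /etc/named.conf excerpts in the thread.
SAMPLE_CONF = """
view "localhost_resolver" {
    match-clients { 127.0.0.0/24; };
    match-destinations { localhost; };
    recursion yes;
};
view "internal" {
    match-clients { any; };
    recursion yes;
};
view "external" {
    recursion no;
};
"""

VIEW_RE = re.compile(r'view\s+"([^"]+)"\s*\{')

def view_bodies(conf):
    """Yield (name, body) per view; braces are counted so nested { } lists do not end it early."""
    for m in VIEW_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def setting(body, key):
    """Tokens of `key v;` or `key { a; b; };`, or None; the lookbehind keeps 'recursion' out of 'allow-recursion'."""
    m = re.search(r"(?<![\w-])%s\s*(\{([^}]*)\}|([^;{]+));" % re.escape(key), body)
    if not m:
        return None
    raw = m.group(2) if m.group(2) is not None else m.group(3)
    return [t.strip() for t in raw.split(";") if t.strip()]

def audit_views(conf):
    """Per view: recursion off, limited (match-clients / allow-recursion), or open to any client."""
    report = {}
    for name, body in view_bodies(conf):
        if setting(body, "recursion") != ["yes"]:
            report[name] = "no recursion"
            continue
        allow = setting(body, "allow-recursion")
        clients = setting(body, "match-clients") or ["any"]
        if allow or clients != ["any"]:
            report[name] = "recursion limited to " + ", ".join(allow or clients)
        else:
            report[name] = "OPEN: recursion yes with no client restriction"
    return report
```

Run it over the real file with `audit_views(open("/etc/named.conf").read())`; it only reads top-level `view` blocks, so a global `recursion yes;` in `options` still needs checking by hand.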

smoge (Well-Known Member, joined Jul 2, 2004):

> Softdog kicked in and rebooted the server automatically
Seems a little drastic...

Why not just restart the service or something... reboot the whole server?

And if it continued after the reboot - then what happens - reboots again? ;)

Are you running something like CSF at least?

Smoge

Solokron (Well-Known Member, joined Aug 8, 2003, Seattle, cPanel Access Level: DataCenter Provider):
You might not be familiar with softdog/watchdog. If the OS fails to respond after (eight minutes in my case) it restarts the server. This only occurs with complete lockups where being at a console is locked up as well.