The Community Forums


New DNS Attack

Discussion in 'Security' started by Solokron, Oct 31, 2009.

  1. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Anyone seen this before? It brought our server to a halt and it is not a cheap server. Softdog kicked in and rebooted the server automatically. Checking the message log it was flooded with the following before the lock up which looks like a DNS injection attempt all within a few seconds:


    Code:
    Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '34.94.63.74.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '222.51.228.201.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '222.51.228.201.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '222.51.228.201.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '222.51.228.201.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '80.129.120.77.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46176: view localhost_resolver: query (cache) '56.143.136.213.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46176: view localhost_resolver: query (cache) 'ip-143-56.sn3.eutelia.it/AAAA/IN' denied
    Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46176: view localhost_resolver: query (cache) 'ip-143-56.sn3.eutelia.it/A/IN' denied
    Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46176: view localhost_resolver: query (cache) '80.129.120.77.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46177: view localhost_resolver: query (cache) '237.173.87.93.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46178: view localhost_resolver: query (cache) '60.80.103.200.zen.spamhaus.org/A/IN' denied
    Oct 31 11:46:41 server named[9645]: client 127.0.0.1#46178: view localhost_resolver: query (cache) '60.80.103.200.zen.spamhaus.org/TXT/IN' denied
    Oct 31 11:46:41 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) '237.173.87.93.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:41 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'harma.pair.com/AAAA/IN' denied
    Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'harma.pair.com/A/IN' denied
    Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'automobilesshow.com/MX/IN' denied
    Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'mx4.automobilesshow.com/AAAA/IN' denied
    Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'mx4.automobilesshow.com/A/IN' denied
    Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'mx3.automobilesshow.com/AAAA/IN' denied
    Oct 31 11:46:43  named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'dynamic-ip-19015821362.cable.net.co/AAAA/IN' denied
    Oct 31 11:46:43  named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'dynamic-ip-19015821362.cable.net.co/A/IN' denied
    Oct 31 11:46:43  named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) '35.39.125.84.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) 'everbestinfo.net/MX/IN' denied
    Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) 'mx1.everbestinfo.net/AAAA/IN' denied
    Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) 'mx1.everbestinfo.net/A/IN' denied
    Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) '34.94.63.74.zen.spamhaus.org/A/IN' denied
    Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) '34.94.63.74.bl.spamcop.net/A/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) '130.128.135.190.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46181: view localhost_resolver: query (cache) '236.117.123.89.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46181: view localhost_resolver: query (cache) '236.117.123.89.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46181: view localhost_resolver: query (cache) '84.125.39.35.dyn.user.ono.com/AAAA/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46182: view localhost_resolver: query (cache) 'hotmail.com/MX/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46182: view localhost_resolver: query (cache) 'mx3.hotmail.com/AAAA/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46182: view localhost_resolver: query (cache) 'mx3.hotmail.com/A/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46183: view localhost_resolver: query (cache) 'r190-135-128-130.dialup.adsl.anteldata.net.uy/AAAA/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46184: view localhost_resolver: query (cache) 'mx4.hotmail.com/AAAA/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46184: view localhost_resolver: query (cache) 'mx4.hotmail.com/A/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46184: view localhost_resolver: query (cache) 'mx1.hotmail.com/AAAA/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46184: view localhost_resolver: query (cache) 'mx1.hotmail.com/A/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46185: view localhost_resolver: query (cache) '84.125.39.35.dyn.user.ono.com/A/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46186: view localhost_resolver: query (cache) 'mx2.hotmail.com/AAAA/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46187: view localhost_resolver: query (cache) 'twitter.com/AAAA/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46188: view localhost_resolver: query (cache) '29.141.107.82.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46189: view localhost_resolver: query (cache) 'mx2.hotmail.com/A/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46190: view localhost_resolver: query (cache) 'twitter.com/A/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46191: view localhost_resolver: query (cache) 'host29-141-static.107-82-b.business.telecomitalia.it/AAAA/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46191: view localhost_resolver: query (cache) 'host29-141-static.107-82-b.business.telecomitalia.it/A/IN' denied
    Oct 31 11:46:45  named[9645]: client 127.0.0.1#46192: view localhost_resolver: query (cache) 'r190-135-128-130.dialup.adsl.anteldata.net.uy/A/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46193: view localhost_resolver: query (cache) '236.117.123.89.zen.spamhaus.org/A/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46194: view localhost_resolver: query (cache) '11.124.132.95.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46195: view localhost_resolver: query (cache) '11.124.132.95.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46195: view localhost_resolver: query (cache) '236.117.123.89.zen.spamhaus.org/TXT/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46199: view localhost_resolver: query (cache) 'spam.securemail-asp.com/AAAA/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46201: view localhost_resolver: query (cache) 'msn.ca/MX/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46201: view localhost_resolver: query (cache) 'msn.ca/AAAA/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46201: view localhost_resolver: query (cache) 'msn.ca/A/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46202: view localhost_resolver: query (cache) '96.71.186.212.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46201: view localhost_resolver: query (cache) 'msn.ca/A/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46202: view localhost_resolver: query (cache) '96.71.186.212.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46203: view localhost_resolver: query (cache) 'spam.securemail-asp.com/A/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46204: view localhost_resolver: query (cache) '35.39.125.84.zen.spamhaus.org/A/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46205: view localhost_resolver: query (cache) '18.100.13.83.in-addr.arpa/PTR/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46206: view localhost_resolver: query (cache) 'chello212186071096.14.vie.surfer.at/AAAA/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46207: view localhost_resolver: query (cache) '29.141.107.82.zen.spamhaus.org/A/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46208: view localhost_resolver: query (cache) 'fdw18.internetdsl.tpnet.pl/AAAA/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46209: view localhost_resolver: query (cache) 'chello212186071096.14.vie.surfer.at/A/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46210: view localhost_resolver: query (cache) 'fdw18.internetdsl.tpnet.pl/A/IN' denied
    Oct 31 11:46:46  named[9645]: client 127.0.0.1#46211: view localhost_resolver: query (cache) '29.141.107.82.zen.spamhaus.org/TXT/IN' denied
    There were a bit more but there is a character limit on posts.

    Fortunately I have a trusted ACL which only binds to local IPs so all these were denied but it still brought my server down.
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    So, 127.0.0.1 (your own server localhost) is making a query to 127.0.0.1 asking for DNS records, and because of the way your Bind is configured it isn't allowing it.

    In your /etc/resolv.conf, do you have the cpanel nameservers on that machine listed? Or are you using other resolvers?

    Typically, anything on localhost is going to by default attempt to contact the servers listed in /etc/resolv.conf. If your /etc/resolv.conf contains IPs of the local cpanel nameservers running on that machine, then anything on localhost should by default be querying those servers.

    If you have 127.0.0.1 listed in /etc/resolv.conf, make sure that your Bind configuration is set up to allow queries to the localhost resolver from 127.0.0.1 (itself).

    Of course, that doesn't necessarily explain _what_ is actually generating those queries.

    Looks like it is probably SpamAssassin making queries to 127.0.0.1 (which are being denied by 127.0.0.1 based upon the configuration of that view in Bind). And that's probably happening when a piece of email comes in and gets run through SpamAssassin. I guess it could be Exim itself making those queries... at any rate, it looks like queries being made when you are receiving incoming mail, so the queries are likely coming from some email application. I doubt there is anything malicious about that.

    If you have 127.0.0.1 in your /etc/resolv.conf, then local applications relying upon DNS are going to query 127.0.0.1 to get an answer, and if your Bind is not configured to allow those queries from 127.0.0.1 or to the localhost resolver, that may happen... and perhaps your server was being brought to a crawl because you had a lot of incoming mail for which SpamAssassin / Exim couldn't make the proper queries, so the incoming SMTP connections and Exim / SpamAssassin processes were building up.


    Mike
     
    #2 mtindor, Nov 1, 2009
    Last edited: Nov 1, 2009
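    The diagnosis above rests on the mix of lookups in the log: PTR queries on connecting addresses, blocklist queries under zen.spamhaus.org and bl.spamcop.net, MX queries for sender domains, and every one of them from client 127.0.0.1. The script below is an added example for this thread (not code from the thread or from cPanel): it parses BIND's "query (cache) ... denied" lines in the format the first post shows, buckets them by lookup type, and reports whether the source is purely local and whether the PTR + DNSBL + MX combination typical of inbound-mail checks is present. The DNSBL zone list is an assumption drawn only from the zones visible in the post.

```python
"""Classify BIND 'query ... denied' lines to see what is generating them.

Added example for the thread above, not code from the thread or from cPanel.
It parses the named log format shown in the first post, then groups the
denied queries by what kind of lookup they are, so the reader can see the
pattern described in the reply: PTR, DNSBL and MX lookups from 127.0.0.1,
which is what a mail pipeline (Exim / SpamAssassin) produces, not remote traffic.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime
from typing import Iterable, List, NamedTuple

# Matches the BIND 9 log format in the post; the hostname field is optional
# because some posted lines lack it ("Oct 31 11:46:43  named[9645]: ...").
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) +(?:(?P<host>\S+) )?named\[\d+\]: "
    r"client (?P<ip>[\d.:a-fA-F]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<cls>\w+)' denied$"
)

# DNS blocklist zones seen in the post's log (assumption: this short list is
# the only signal used to recognise a blocklist lookup).
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

class DeniedQuery(NamedTuple):
    ts: datetime
    client_ip: str
    client_port: int
    view: str
    name: str
    rtype: str

def parse_denied(lines: Iterable[str]) -> List[DeniedQuery]:
    """Keep only the 'query (cache) ... denied' lines; ignore everything else."""
    out = []
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year defaults to 1900
            out.append(DeniedQuery(ts, m["ip"], int(m["port"]), m["view"], m["name"], m["rtype"]))
    return out

def classify(q: DeniedQuery) -> str:
    """Bucket a query by the kind of lookup a mail server makes on a connection."""
    if q.rtype == "PTR" and q.name.endswith((".in-addr.arpa", ".ip6.arpa")):
        return "reverse_lookup"        # who is connecting to us?
    if q.name.endswith(tuple("." + z for z in DNSBL_ZONES)):
        return "dnsbl_lookup"          # is the sender IP on a blocklist?
    if q.rtype == "MX":
        return "mx_lookup"             # does the sender domain accept mail?
    return "host_lookup"               # plain A/AAAA (e.g. resolving an MX target)

def summarize(lines: Iterable[str]) -> dict:
    """Aggregate denied queries: who asked, which view refused, what kinds, how fast."""
    qs = parse_denied(lines)
    if not qs:
        return {"total": 0}
    kinds = Counter(classify(q) for q in qs)
    clients = sorted({q.client_ip for q in qs})
    span = int((max(q.ts for q in qs) - min(q.ts for q in qs)).total_seconds())
    return {
        "total": len(qs),
        "by_kind": dict(kinds),
        "views": dict(Counter(q.view for q in qs)),
        "clients": clients,
        # Every client on loopback => a local process, not a remote sender.
        "all_local": all(ipaddress.ip_address(c).is_loopback for c in clients),
        # PTR + DNSBL + MX together is the signature of inbound-mail checks.
        "mail_pattern": all(k in kinds for k in ("reverse_lookup", "dnsbl_lookup", "mx_lookup")),
        "span_seconds": span,
        "per_second": round(len(qs) / max(span, 1), 2),
    }

# Eight lines taken verbatim from the log in the first post.
SAMPLE_LOG = """\
Oct 31 11:46:39 server named[9645]: client 127.0.0.1#46175: view localhost_resolver: query (cache) '34.94.63.74.in-addr.arpa/PTR/IN' denied
Oct 31 11:46:40 server named[9645]: client 127.0.0.1#46178: view localhost_resolver: query (cache) '60.80.103.200.zen.spamhaus.org/A/IN' denied
Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'automobilesshow.com/MX/IN' denied
Oct 31 11:46:42 server named[9645]: client 127.0.0.1#46179: view localhost_resolver: query (cache) 'mx4.automobilesshow.com/A/IN' denied
Oct 31 11:46:44  named[9645]: client 127.0.0.1#46180: view localhost_resolver: query (cache) '34.94.63.74.bl.spamcop.net/A/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46182: view localhost_resolver: query (cache) 'hotmail.com/MX/IN' denied
Oct 31 11:46:45  named[9645]: client 127.0.0.1#46191: view localhost_resolver: query (cache) 'host29-141-static.107-82-b.business.telecomitalia.it/AAAA/IN' denied
Oct 31 11:46:46  named[9645]: client 127.0.0.1#46211: view localhost_resolver: query (cache) '29.141.107.82.zen.spamhaus.org/TXT/IN' denied
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

    Run against a full /var/log/messages the same function gives the denied-query rate per second, which is the number to compare with the mail queue size when deciding whether the "attack" is really a backlog of Exim and SpamAssassin processes waiting on lookups the resolver refuses.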
  3. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    In your localhost_resolver view in /etc/named.conf, perhaps you should have:

    recursion yes;

    Mike
     
  4. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Something like an ACL in /etc/named.conf to allow recursion from trusted IPs might be better, example:

    acl "trusted" {
        127.0.0.1;
        # add your other IPs here
    };
    options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        version "not currently available";
        allow-notify { trusted; };
        allow-transfer { trusted; };
        allow-recursion { trusted; };
    };
     
  5. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Well I misinterpreted that then. What I have set is...

    controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
    };

    acl "trusted" {
        IP1;
        IP2;
    };

    options {
        directory "/var/named";
        version "not currently available";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };
    };

    Lower down though I do have...

    view "external" {
        /* This view will contain zones you want to serve only to "external" clients
         * that have addresses that are not on your directly attached LAN interface subnets:
         */
        recursion no;
     
    #5 Solokron, Nov 1, 2009
    Last edited: Nov 1, 2009
  6. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Yep, that's the same as ours, except we add 127.0.0.1 to the trusted list to allow recursion.
     
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    You're right... you definitely want to limit recursion. But in the localhost resolver view it is typically already set up to limit any queries:

    view "localhost_resolver" {
        match-clients { 127.0.0.0/24; };
        match-destinations { localhost; };
        recursion yes;

    Since the only clients able to query the localhost_resolver view are 127.0.0.x, then a simple "recursion yes;" does the trick.

    Of course, if your localhost_resolver view doesn't limit the clients that are allowed to query that view, then you want an ACL added like you mentioned.

    M
     
  8. smoge

    smoge Well-Known Member

    Joined:
    Jul 2, 2004
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Seems a little drastic...

    Why not just restart the service or something... reboot the whole server?

    And if it continued after the reboot - then what happens - reboots again? ;)

    Are you running something like CSF at least?

    Smoge
     
  9. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    You might not be familiar with softdog/watchdog. If the OS fails to respond (after eight minutes in my case), it restarts the server. This only occurs with complete lockups where being at a console is locked up as well.

     