DNS Server stopped recursion request suddenly

ccto

Hello,

One of the DA servers encountered the following:

We have configured the BIND DNS daemon to respond to recursion requests for a limited set of IPs.
However, it suddenly stopped responding to forwarder requests until I manually restarted the named daemon; then it worked again.

It seems it is some kind of DoS attack against BIND DNS.

Do you have any idea?

Part of the named.conf:

Code:
acl "trusted" {
	x.x.x.x; 127.0.0.1;
};

options {
	//listen-on port 53 { 127.0.0.1; };
	//listen-on-v6 port 53 { ::1; };

	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";

	allow-recursion { trusted; };
	allow-notify { trusted; };
	allow-transfer { trusted; };

	version "";

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};

And part of the message log before I restarted named:

Code:
Jul 24 02:49:18 mail named[2045]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for 'dlv.isc.org': success
Jul 24 02:54:19 mail named[2045]:   validating @0x7f3f482252e0: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:19 mail named[2045]:   validating @0x7f3f482252e0: glorb.com.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f4400ff90: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f4400ff90: wanking.co.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f4008a500: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f4008a500: xtlv.cn.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f4822c5a0: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f4822c5a0: dan.cm.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f440a2600: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f440a2600: xn--prtschwald-r5a.ch.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f40190160: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:20 mail named[2045]:   validating @0x7f3f40190160: ohio.usa.cc.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f4822dec0: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f4822dec0: viagenie.ca.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f44014b50: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f44014b50: oom.bz.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f40191a80: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f40191a80: crmmg.org.br.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f4822f7e0: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f4822f7e0: xn--jbhm-hra.biz.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f44016470: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:21 mail named[2045]:   validating @0x7f3f44016470: vkkf.be.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:22 mail named[2045]:   validating @0x7f3f401933a0: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:22 mail named[2045]:   validating @0x7f3f401933a0: trinitarianbiblesociety.org.au.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:22 mail named[2045]:   validating @0x7f3f48231100: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:22 mail named[2045]:   validating @0x7f3f48231100: trashbar.at.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:22 mail named[2045]:   validating @0x7f3f44124650: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:22 mail named[2045]:   validating @0x7f3f44124650: ster.asia.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:22 mail named[2045]:   validating @0x7f3f40194cc0: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:22 mail named[2045]:   validating @0x7f3f40194cc0: kram.as.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f48232a20: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f48232a20: 0.c.d.c.2.0.a.2.ip6.arpa.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f44125f70: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f44125f70: dnssec.edu.ar.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f401965e0: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f401965e0: kwant.am.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f48234340: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f48234340: dan.ai.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f441298a0: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:23 mail named[2045]:   validating @0x7f3f441298a0: chipmunk.aero.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:24 mail named[2045]:   validating @0x7f3f401d9f20: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:24 mail named[2045]:   validating @0x7f3f401d9f20: dan.ae.dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:24 mail named[2045]:   validating @0x7f3f48235c60: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:24 mail named[2045]:   validating @0x7f3f48235c60: dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:24 mail named[2045]: error (no valid RRSIG) resolving 'ae.dlv.isc.org/DS/IN': 156.154.101.23#53
Jul 24 02:54:26 mail named[2045]:   validating @0x7f3f50553520: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:26 mail named[2045]:   validating @0x7f3f50553520: dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:26 mail named[2045]: error (no valid RRSIG) resolving 'ae.dlv.isc.org/DS/IN': 199.254.63.254#53
Jul 24 02:54:27 mail named[2045]:   validating @0x7f3f401db840: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:27 mail named[2045]:   validating @0x7f3f401db840: dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:27 mail named[2045]: error (no valid RRSIG) resolving 'ae.dlv.isc.org/DS/IN': 156.154.100.23#53
Jul 24 02:54:27 mail named[2045]:   validating @0x7f3f48235c60: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:27 mail named[2045]:   validating @0x7f3f48235c60: dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:27 mail named[2045]: error (no valid RRSIG) resolving 'ae.dlv.isc.org/DS/IN': 199.6.1.29#53
Jul 24 02:54:27 mail named[2045]:   validating @0x7f3f50553520: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:27 mail named[2045]:   validating @0x7f3f50553520: dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:27 mail named[2045]: error (no valid RRSIG) resolving 'ae.dlv.isc.org/DS/IN': 199.6.0.29#53
Jul 24 02:54:27 mail named[2045]:   validating @0x7f3f401db840: dlv.isc.org SOA: no valid signature found
Jul 24 02:54:27 mail named[2045]:   validating @0x7f3f401db840: dlv.isc.org NSEC: no valid signature found
Jul 24 02:54:27 mail named[2045]: error (no valid RRSIG) resolving 'ae.dlv.isc.org/DS/IN': 149.20.64.4#53
Jul 24 02:56:19 mail named[2045]:   validating @0x7f3f40001090: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:19 mail named[2045]:   validating @0x7f3f40001090: glorb.com.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:19 mail named[2045]:   validating @0x7f3f50552890: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:19 mail named[2045]:   validating @0x7f3f50552890: wanking.co.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f4822b910: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f4822b910: xtlv.cn.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f401d9290: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f401d9290: dan.cm.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f503c8220: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f503c8220: xn--prtschwald-r5a.ch.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f4822d230: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f4822d230: ohio.usa.cc.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f4018f4d0: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:20 mail named[2045]:   validating @0x7f3f4018f4d0: viagenie.ca.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f50704d10: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f50704d10: oom.bz.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f4822eb50: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f4822eb50: crmmg.org.br.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f40190df0: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f40190df0: xn--jbhm-hra.biz.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f50706630: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f50706630: vkkf.be.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f48230470: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:21 mail named[2045]:   validating @0x7f3f48230470: trinitarianbiblesociety.org.au.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f40192710: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f40192710: trashbar.at.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f50707f50: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f50707f50: ster.asia.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f48231d90: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f48231d90: kram.as.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f40194030: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f40194030: 0.c.d.c.2.0.a.2.ip6.arpa.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f50709870: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:22 mail named[2045]:   validating @0x7f3f50709870: dnssec.edu.ar.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f482336b0: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f482336b0: kwant.am.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f40195950: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f40195950: dan.ai.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f5070b190: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f5070b190: chipmunk.aero.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f48234fd0: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f48234fd0: dan.ae.dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f4400ff90: dlv.isc.org SOA: no valid signature found
Jul 24 02:56:23 mail named[2045]:   validating @0x7f3f4400ff90: dlv.isc.org NSEC: no valid signature found
Jul 24 02:56:23 mail named[2045]: error (no valid RRSIG) resolving 'ae.dlv.isc.org/DS/IN': 156.154.101.23#53
Jul 24 02:56:24 mail named[2045]:   validating @0x7f3f441298a0: dlv.isc.org SOA: no valid signature found
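
Added example, not part of the original post: a short Python triage script for a named log in the format shown above. It reports the zone under which every failing signature sits, how many distinct names failed, which upstream servers returned answers that could not be validated, and any trust-anchor key refresh failures. The sample lines are constructed; the example names and the 192.0.2.1 / 198.51.100.7 addresses are placeholders.

```python
import re
from collections import Counter

VALIDATING = re.compile(r"validating @0x[0-9a-f]+: (\S+) (\w+): no valid signature found")
RESOLVE_ERR = re.compile(r"error \(no valid RRSIG\) resolving '([^/']+)/(\w+)/IN': ([0-9a-fA-F.:]+)#\d+")
KEY_REFRESH = re.compile(r"managed-keys-zone \S+: No DNSKEY RRSIGs found for '([^']+)'")

# Constructed sample in the same syslog format as the excerpt (placeholder names and IPs).
P = "Jul 24 02:54:19 mail named[2045]: "
SAMPLE = "\n".join([
    P + "managed-keys-zone ./IN: No DNSKEY RRSIGs found for 'dlv.isc.org': success",
    P + "  validating @0x7f3f482252e0: dlv.isc.org SOA: no valid signature found",
    P + "  validating @0x7f3f482252e0: a.example.dlv.isc.org NSEC: no valid signature found",
    P + "  validating @0x7f3f4400ff90: dlv.isc.org SOA: no valid signature found",
    P + "  validating @0x7f3f4400ff90: b.example.net.dlv.isc.org NSEC: no valid signature found",
    P + "  validating @0x7f3f48235c60: dlv.isc.org NSEC: no valid signature found",
    P + "error (no valid RRSIG) resolving 'ae.dlv.isc.org/DS/IN': 192.0.2.1#53",
    P + "error (no valid RRSIG) resolving 'ae.dlv.isc.org/DS/IN': 198.51.100.7#53",
])

def common_zone(names):
    """Longest label-wise suffix shared by every name ('' if there is none)."""
    if not names:
        return ""
    split = [n.rstrip(".").lower().split(".")[::-1] for n in names]
    shared = []
    for labels in zip(*split):          # walk from the TLD towards the leaf
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(reversed(shared))

def summarize(log_text):
    failed, upstreams, anchors = Counter(), Counter(), []
    for line in log_text.splitlines():
        if (m := VALIDATING.search(line)):
            failed[(m.group(1), m.group(2))] += 1      # (owner name, RR type)
        elif (m := RESOLVE_ERR.search(line)):
            upstreams[m.group(3)] += 1                 # server that sent the answer
        elif (m := KEY_REFRESH.search(line)):
            anchors.append(m.group(1))
    names = [name for name, _ in failed]
    return {"zone": common_zone(names), "failures": sum(failed.values()),
            "distinct_names": len(set(names)), "upstreams": sorted(upstreams),
            "key_refresh_failures": anchors}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A single value in `zone` together with several entries in `upstreams` means the validation failures all sit under one zone regardless of which authoritative server answered.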