query (cache) './ANY/IN' denied

Elmar

Hi,

My /var/log/messages has been getting big in a very short time since 2 days ago (at the moment 600 MB in 18 hours).
The log contains messages like:

Dec 1 11:57:54 office named[3026]: client @0x7f84b010e5c0 74.135.83.157#37650 (.): query (cache) './ANY/IN' denied
Dec 1 11:57:54 office named[3026]: client @0x7f84b00ffe20 74.135.83.157#37650 (.): query (cache) './ANY/IN' denied
Dec 1 11:57:54 office named[3026]: client @0x7f84b00ffe20 74.135.83.157#37650 (.): query (cache) './ANY/IN' denied

I was looking for an explanation of these messages, but I can't find a very good explanation.
I saw this thread: https://forum.directadmin.com/threads/named-query-cache.60851/

But is it a DDoS attack? Because in other topics on the internet it could also be a problem with IPv6 (is it?).
My websites and server are working OK and reachable, and I don't have any problems, except that this log file is growing fast. I monitor the size of it, but I'm not sure what to do at the moment.

I also saw similar messages like in the thread I mentioned, but there you can see a domain name most of the time; in my log file you only see ANY and the ".". Because I don't know how to read these log files, I don't know if I must ignore them or not.

Then my last question: why do I see hex values in the log file (and how do I read them)?

Thanks in advance!
 
The hex is the client object identifier; next to it is his IP, which is from spectrum.com, and the IP range is from Time Warner Cable.
Since the hex is the client object identifier, there's no need to read it, IMHO.

A query is always done to a site, not to ANY, so I don't understand what you're worrying about, since you have read the thread you pointed to.
At the moment I'm having hundreds of these too, but that is because there was some flaw in BIND which was fixed recently. At such times you always see a rise in certain attempts on the services which had the issue or leak.
So I'm 99% sure this is an attack too. You just don't use "any".

Because in other topics on the internet it could also be a problem with IPv6 (is it?).
I have some doubt that this would be IPv6; can you give a link to such topics so we can have a look at the explanation they give?
 
They are querying for ANY records, much the same as you would for NS or MX or AAAA, for example:

Code:
dig ANY +noall +answer . @YOURHOSTIP

It is an option to dig that allows you to view all DNS record types...

Run that command while tailing /var/log/messages, replacing 'YOURHOSTIP' with your actual server's IP... keep the '@' symbol, as this directs the query directly to your server. For the domain, they are using a period.

I've seen named DoS attacks that would use the same domain name (a domain that doesn't actually exist on the server), but with alternating upper- and lower-case letters for more entropy so that firewalls wouldn't notice and block the attack.

I would use CSF tempblocks, tailing the log every 10 minutes or so for the last 500 lines or so, depending on the relative size of the attack, and blocking the IPs... if it read the same IPs, it would just say that the IP was already temporarily blocked.

You might want to make sure DNS recursion is disabled:

Code:
grep recursion /etc/named.conf

Check out "Recursive DNS servers and DNS amplification attacks" here for more info:

https://www.cloudflare.com/learning/dns/what-is-recursive-dns/
 
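The post above suggests tailing the log, counting the offending client IPs and feeding them to CSF temporary blocks, and also mentions the alternating-case trick used to evade naive pattern matching. The following is an added example (not code from the thread or from DirectAdmin/CSF): it parses lines of the exact shape quoted in the first post, lower-cases the query name so case-shuffled names collapse to one, counts denied queries per client IP, and builds `csf -td` commands for sources over a threshold. The first three sample lines are the ones from the thread; the remaining lines, the threshold and the TTL are constructed assumptions to tune for real traffic.

```python
"""Count BIND 'query (cache) ... denied' hits per client IP and build CSF
temporary-block commands for the noisiest sources.

Added example for this thread, not code from the original posts. The log
sample mixes the three lines quoted in the thread with constructed lines;
threshold and TTL are assumptions.
"""
import re
from collections import Counter

# Constructed sample. Lines 1-3 are the ones quoted in the thread; the rest
# are made up: a second source using a case-shuffled name, and one unrelated
# sshd line that must be ignored.
SAMPLE_LOG = """\
Dec 1 11:57:54 office named[3026]: client @0x7f84b010e5c0 74.135.83.157#37650 (.): query (cache) './ANY/IN' denied
Dec 1 11:57:54 office named[3026]: client @0x7f84b00ffe20 74.135.83.157#37650 (.): query (cache) './ANY/IN' denied
Dec 1 11:57:54 office named[3026]: client @0x7f84b00ffe20 74.135.83.157#37650 (.): query (cache) './ANY/IN' denied
Dec 1 11:57:55 office named[3026]: client @0x7f84b00ffe20 74.135.83.157#37651 (.): query (cache) './ANY/IN' denied
Dec 1 11:57:55 office named[3026]: client @0x7f84b0111a00 198.51.100.7#5353 (ExAmPlE.NeT): query (cache) 'ExAmPlE.NeT/A/IN' denied
Dec 1 11:57:56 office named[3026]: client @0x7f84b0111a00 198.51.100.7#5353 (exAMPLE.net): query (cache) 'exAMPLE.net/A/IN' denied
Dec 1 11:57:56 office sshd[2210]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
"""

# The '@0x...' token is named's in-memory client object address; it carries
# no information worth decoding, so it is matched and discarded. The client
# IP may be IPv4 or IPv6, hence the hex/colon character class.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query \(cache\) "
    r"'(?P<name>[^/]*)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)


def parse_denied(line):
    """Return the fields of a 'query (cache) ... denied' line, or None.

    The query name is lower-cased so that the alternating-case trick from
    the thread collapses to a single name per source.
    """
    m = DENIED_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["name"] = fields["name"].lower()
    return fields


def count_offenders(lines, qtype=None):
    """Count denied queries per client IP, optionally for one query type only."""
    hits = Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        if qtype is not None and rec["qtype"] != qtype:
            continue
        hits[rec["ip"]] += 1
    return hits


def csf_tempban_commands(hits, threshold=200, ttl=3600):
    """Build 'csf -td <ip> <ttl> <comment>' commands for IPs at or over threshold.

    csf's -td (--tempdeny) takes an IP, a TTL in seconds and an optional
    comment. The commands are returned as strings rather than executed so
    the output can be reviewed before it is wired into cron.
    """
    cmds = []
    for ip, n in hits.most_common():
        if n < threshold:
            break
        cmds.append(f'csf -td {ip} {ttl} "{n} denied cache queries to named"')
    return cmds


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for cmd in csf_tempban_commands(count_offenders(lines, qtype="ANY"), threshold=3):
        print(cmd)
```

In production, replace `SAMPLE_LOG.splitlines()` with the last N lines of /var/log/messages (for example the output of `tail -n 500`) and raise the threshold well above what legitimate resolvers on your own networks generate; a source that is already blocked simply shows up again until its earlier entries scroll out of the window.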
Recursion is enabled by default in BIND.
I thought it had to be enabled because it says this:
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
It is set like this:
//recursion yes;
but that doesn't matter because it's enabled by default. However, I also do have these lines a bit higher:
Code:
        allow-recursion { localnets; };
        allow-transfer {"none";};
so if I'm not mistaken, due to the localnets statement, it will refuse queries for other domains.

What settings do you have @scriptkitty?
 
        allow-recursion { localnets; };
        allow-transfer {"none";};
so if I'm not mistaken, due to the localnets statement, it will refuse queries for other domains.

What settings do you have @scriptkitty?
That's what I got. It looks like that means recursion is disabled for all but localhost/localnets then. :) Per: https://kb.isc.org/docs/aa-00269


In versions of BIND prior to (and including) BIND 9.4.1, the default behavior of BIND servers was to allow recursion for all clients unless otherwise specified.

Because open recursion has some undesirable side-effects, such as allowing a server to be exploited by attackers targeting a victim with DNS amplification attacks, the default behavior was changed in BIND 9.4.1-P1. Since 9.4.1-P1, unless an ACL is explicitly specified in the "allow-recursion" statement, the default access list is set to "localnets; localhost;" - in other words, the local server machine and those broadcast domains for which the server has a network interface configured at the time named is started.

So, since the domain "." isn't hosted on the local server, the query is denied.
 
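To make the ACL discussion in the last three posts concrete, here is an added named.conf options fragment (not taken from the posts or from DirectAdmin's template) that puts the open-resolver setting an amplification source would carry beside the restricted form matching the ISC default quoted above. The values are placeholders; the only facts it relies on are the ones stated in the thread and the ISC article.

```conf
options {
    // Open resolver: recursion for every client, so anyone on the internet
    // can use this server to resolve "." or any other name, and it becomes
    // usable for DNS amplification. Left commented out as the "before".
    // recursion yes;
    // allow-recursion { any; };

    // Restricted: recursion only for the server itself and the networks it
    // has an interface on. This is what BIND has used by default since
    // 9.4.1-P1 when allow-recursion is not set, written out explicitly.
    recursion yes;
    allow-recursion { localnets; localhost; };

    // Authoritative answers for zones hosted here are still served to
    // everyone; only cache/recursive lookups are refused for outsiders.
    allow-query { any; };
    allow-transfer { none; };
};
```

With this in place, the dig command from the earlier post run from an outside host (`dig ANY +noall +answer +comments . @YOURHOSTIP`) should come back with `status: REFUSED`, and /var/log/messages should gain exactly one `query (cache) './ANY/IN' denied` line for your own source address, which confirms the ACL is doing what the log in the first post already shows.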