‘./NS/IN’ denied?

The world of server maintenance has drawn me in yet again. It seems as though my server has been rebooting itself for no apparent reason.

While trying to track this down I noticed something odd in /etc/log/syslog. There seems to be an interesting DNS request from a single IP address every second or so.

Mar  2 20:09:27 neaz named[4701]: client 62.109.4.89#32136: query (cache) ‘./NS/IN’ denied
Mar  2 20:09:28 neaz named[4701]: client 62.109.4.89#50634: query (cache) ‘./NS/IN’ denied
Mar  2 20:09:30 neaz named[4701]: client 62.109.4.89#14324: query (cache) ‘./NS/IN’ denied
Mar  2 20:09:32 neaz named[4701]: client 62.109.4.89#19968: query (cache) ‘./NS/IN’ denied
Mar  2 20:09:33 neaz named[4701]: client 62.109.4.89#35100: query (cache) ‘./NS/IN’ denied
Mar  2 20:09:34 neaz named[4701]: client 62.109.4.89#18747: query (cache) ‘./NS/IN’ denied

It seems that this is a possible DDoS. Roughly speaking, someone is sending small packets to my machine and it is replying to the source IP address in each packet. The problem is that the IP address my server is responding to *may not be the one actually asking*: the source address is spoofed, so my replies land on whoever the sender put in that field.
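A small detector for this pattern, written as an added example (it is not from the original post): it parses the named "query denied" lines quoted above, counts per-client queries for the root NS name within a sliding time window, and reports sources that exceed a threshold. The sample log is the six lines above plus one constructed line from a second client (10.0.0.7 is a made-up address) to show that a lone query is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six lines from the post plus one made-up line
# from 10.0.0.7 asking for an ordinary name, which should not be flagged.
SAMPLE_LOG = """\
Mar  2 20:09:27 neaz named[4701]: client 62.109.4.89#32136: query (cache) './NS/IN' denied
Mar  2 20:09:28 neaz named[4701]: client 62.109.4.89#50634: query (cache) './NS/IN' denied
Mar  2 20:09:30 neaz named[4701]: client 62.109.4.89#14324: query (cache) './NS/IN' denied
Mar  2 20:09:31 neaz named[4701]: client 10.0.0.7#40000: query (cache) 'example.com/A/IN' denied
Mar  2 20:09:32 neaz named[4701]: client 62.109.4.89#19968: query (cache) './NS/IN' denied
Mar  2 20:09:33 neaz named[4701]: client 62.109.4.89#35100: query (cache) './NS/IN' denied
Mar  2 20:09:34 neaz named[4701]: client 62.109.4.89#18747: query (cache) './NS/IN' denied
"""

# Matches BIND's "query (cache) '<name>/<type>/<class>' denied" lines.
# Accepts both straight and curly quotes, since copy-pasted logs often carry the latter.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query \(cache\) "
    r"['\u2018](?P<q>[^'\u2019]+)['\u2019] denied$"
)


def parse_denied(text):
    """Return a list of (timestamp, client_ip, client_port, query) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year; collapse the padded day field before parsing.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), int(m.group("port")), m.group("q")))
    return events


def find_reflectors(events, qname="./NS/IN", min_queries=5, window_seconds=10):
    """Map client IP -> peak number of <qname> queries seen in any window.

    Only clients whose peak reaches min_queries are returned. The source
    address is probably spoofed (it is the victim, not the sender), so the
    result tells you who is being hit, not who is attacking.
    """
    by_ip = defaultdict(list)
    for ts, ip, _port, q in events:
        if q == qname:
            by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best = 0
        lo = 0
        for hi, t in enumerate(stamps):
            # advance the window start until it fits within window_seconds of t
            while (t - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_queries:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, peak in find_reflectors(parse_denied(SAMPLE_LOG)).items():
        print(f"{ip}: {peak} root NS queries in a 10 s window")
```

Feed it the real syslog with `parse_denied(open("/var/log/syslog").read())`; the flagged addresses are the ones worth a temporary DROP rule, remembering that they are most likely the spoofed victims.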

So to solve this problem I initially just banned the IP address from connecting.

sudo iptables -I INPUT -s 62.109.4.89 -j DROP

This seems to have stopped the DNS problem, but it has a nasty side effect: that IP address can't connect to my server for anything (mail, web, etc.). Not necessarily a big deal. What is a big deal is if someone else's IP address is spoofed next. I'd then have to run the iptables command again, and again, and again.

Now the good thing is that Tom Hayward’s seen this problem and has a slightly better solution.

sudo iptables -I INPUT -p udp --dport 53 -m length --length 45 -j DROP

He's gone to the trouble of sniffing the length of the packet and applying that to the iptables rule. This rule drops all UDP traffic to port 53 (DNS) that is exactly 45 bytes long before the server processes it.

You can test this out if you have a shell open:

dig . NS @localhost
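To see where the 45 comes from, and what the dig test above actually sends, here is an added example (my code, not Tom Hayward's or the post's) that builds the DNS query for "." NS IN on the wire and adds the IPv4 and UDP header sizes. The sizes assume an IPv4 header without options (20 bytes) and the fixed 8-byte UDP header; `build_query` and `parse_question` are names I chose for this illustration.

```python
import struct

IPV4_HEADER = 20   # IPv4 header without options
UDP_HEADER = 8     # UDP header is always 8 bytes
DNS_HEADER = 12    # id, flags, qdcount, ancount, nscount, arcount

QTYPE = {"A": 1, "NS": 2, "ANY": 255}
QCLASS_IN = 1


def encode_name(name):
    """DNS wire form: length-prefixed labels ending in a zero byte.
    The root name "." has no labels, so it is the single zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns=False):
    """Build a standard recursive query; optionally append an EDNS0 OPT record."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)
    opt = b""
    if edns:
        # OPT pseudo-RR: root name, type 41, UDP size 4096, ttl field 0, rdlength 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question + opt


def parse_question(payload):
    """Decode the first question section; returns (name, qtype)."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos = DNS_HEADER
    labels = []
    while True:
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return ".".join(labels) + ".", qtype


def on_wire_length(payload):
    """Total IP packet length for a DNS payload carried over UDP."""
    return IPV4_HEADER + UDP_HEADER + len(payload)


def matches_length_rule(payload, length=45):
    """Would '-m length --length 45' match this query?"""
    return on_wire_length(payload) == length


if __name__ == "__main__":
    for name, qtype, edns in ((".", "NS", False), (".", "NS", True), ("example.com", "A", False)):
        q = build_query(name, qtype, edns=edns)
        print(f"{name:12} {qtype:3} edns={edns!s:5} payload={len(q):2} "
              f"wire={on_wire_length(q)} dropped={matches_length_rule(q)}")
```

The root NS question is 12 header bytes plus 5 question bytes (one zero byte for the name, two for type, two for class), so 17 bytes of DNS and 45 on the wire; any other name is longer. The caveat for the dig test: recent dig versions add an EDNS0 OPT record by default, which pushes the query to 56 bytes and past the rule, so use `dig +noedns . NS @localhost` to reproduce the 45-byte packet the rule is aimed at.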

Or you can head over to the SANS Internet Storm Center, who have been monitoring this problem, and use their web tool.

Lastly, make sure you save any changes to your iptables or they’ll disappear on a reboot. (thanks DA)

# The redirections run in your own (unprivileged) shell, so wrap each one
# in a root shell; otherwise writing under /etc fails with permission denied.
sudo sh -c 'iptables-save > /etc/iptables.rules'
sudo sh -c 'echo "#!/bin/sh" > /etc/network/if-up.d/iptables'
sudo sh -c 'echo "iptables-restore < /etc/iptables.rules" >> /etc/network/if-up.d/iptables'
sudo chmod +x /etc/network/if-up.d/iptables