
Re: DNS hits

On Sat, Feb 11, 2017 at 2:07 PM, Henning Follmann <hfollmann@itcfollmann.com> wrote:
> On Sat, Feb 11, 2017 at 10:58:54AM -0700, Glenn English wrote:

> Nothing about Debian.

No, but I've been a Debian user for several years, and the place I know to ask to get to competent advice and such, is this list. And the server in question is running Debian, FWIW.
 
> > Is anyone else getting thousands of hits on DNS?

> Hits how?

There's a rate limiter on DNS in my iptables packet filter. The hits I'm talking about show up in logwatch as log entries from my packet filter -- all of which have exceeded the rate limit. Often vastly.
 
> Do you run a DNS server with openly available zones?

Not sure what an 'open zone' is.
 
> Not enough information.
> Install dnstop and check what these requests are.
> And then there are so many questions.

Very sorry about that, and in retrospect I see what you mean.

But in another post, Henning Follmann suggested what I think will solve my problem: move my DNS server to my ISP.

> Does your DNS answer recursive queries?

Oh, my lord. I didn't think it did -- I tried to configure BIND to do recursion only from my net. I just tried it from an external IP, and sure enough, it gave me an address for www.abc.com. But I just saw another config option that turns recursion off completely.
...
I turned it off, and as expected, there's no recursion -- from my net or anywhere else. Bears a little more looking into. Surely there's a way to get BIND to do this little trick. Hopefully without going to that public/private mess. BIND is a mixed blessing.
 
> How big are your zones?

40 or so lines in the zone files. Not very big.
 
> Do you have zones?

Sure. I own 3 domains and do a few virtuals.
 
> Do you allow zone transfers?

That I'm pretty sure I don't. (I say 'pretty sure' because I was positive I had recursion turned off for aliens.)
 
> Do you have multiple DNS servers running? Is your secondary seeing the same
> spike of traffic?

No, just one (setting up my servers in a new location). The plan is to hide that one behind some firewalling (with recursion for the locals) and use that nameserver from RIPE (that doesn't even know how to do recursion) as slaves on the 'Net facing servers.

Or maybe get rid of the nameserver. But I do like the ability to go in and modify things by myself and have it happen right now.

And it's not a spike -- it's (almost) continuous. I looked at the blinking lights on the router just now, and it's pretty quiet. The script kiddies must be taking a nap...

--
Glenn English
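The check the poster did by hand with dig from an external IP, written out as an added example that is not code from this thread: send the server an A query, with RD (recursion desired) set, for a name it is not authoritative for, and read the RA bit and RCODE in the reply. The query name, the transaction id and the sample reply packets below are constructed for the example; probe() needs network access and is meant to be pointed at your own server's IP from an address outside the networks you allow recursion for.

```python
"""Self-check for recursion exposure on an authoritative DNS server.

Added example, not code from the mailing-list thread. It does what the
poster did with dig from an external IP: ask the server, with RD set, for
a name it is not authoritative for and look at the reply. Per RFC 1035 the
RA bit in a reply says whether the server offers recursion to this client;
a correctly restricted BIND clears RA for outsiders and answers REFUSED
(or a referral with RA clear) instead of resolving the name for them.
"""
import socket
import struct

QID = 0x1234  # fixed transaction id; fine for a one-off self-check
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qid=QID):
    """Encode a standard A/IN query for `name` with the RD bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(reply):
    """Pull the fields that matter out of a raw DNS reply header."""
    if len(reply) < 12:
        raise ValueError("short DNS reply")
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),       # it is a reply, not a query
        "rd": bool(flags & 0x0100),       # our RD bit echoed back
        "ra": bool(flags & 0x0080),       # server offers recursion to us
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }


def classify(reply, expected_id=QID):
    """Return 'open', 'restricted' or 'invalid' for one reply packet."""
    h = parse_header(reply)
    if not h["qr"] or h["id"] != expected_id:
        return "invalid"          # not a reply to our query
    if h["rcode"] == "REFUSED":
        return "restricted"       # BIND's allow-recursion refusal
    if h["ra"]:
        return "open"             # server says it will recurse for us
    return "restricted"           # e.g. a referral with RA clear


def probe(server_ip, name="www.example.com", timeout=3.0):
    """Send one query over UDP/53 and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify(reply)


def constructed_reply(flags, answers=0, qid=QID, name="www.example.com"):
    """Build a constructed (not captured) reply packet for offline testing.

    Answer records, if any, are A records for 192.0.2.1 (documentation
    range) using a compression pointer (0xC00C) back to the question name.
    """
    header = struct.pack(">HHHHHH", qid, flags, 1, answers, 0, 0)
    question = build_query(name)[12:]          # reuse the encoded question
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * answers


if __name__ == "__main__":
    # Constructed sample replies, not traffic captured from any server.
    open_reply = constructed_reply(0x8180, answers=1)  # QR|RD|RA, NOERROR
    refused = constructed_reply(0x8105)                # QR|RD, RCODE=REFUSED
    print("open resolver:", classify(open_reply))      # open
    print("restricted   :", classify(refused))         # restricted
```

On the BIND side, the "little trick" the poster is after is `recursion yes;` together with `allow-recursion { localhost; localnets; };` in the `options` block of named.conf (`localnets` is BIND's built-in ACL for the server's own directly attached networks; a named `acl` with your prefixes works the same way). Outsiders then still get authoritative answers for your own zones but are refused recursion, which is what the probe above reports as "restricted". Zone transfers are closed off separately with `allow-transfer { none; };`, or a list of your secondaries' addresses, in `options` or per zone.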