{"id":6669,"date":"2014-04-21T10:36:52","date_gmt":"2014-04-21T10:36:52","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/04\/21\/too-many-bind-query-cache-denied-dns-attack-collection-of-common-programming-errors-2\/"},"modified":"2014-04-21T10:36:52","modified_gmt":"2014-04-21T10:36:52","slug":"too-many-bind-query-cache-denied-dns-attack-collection-of-common-programming-errors-2","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2014\/04\/21\/too-many-bind-query-cache-denied-dns-attack-collection-of-common-programming-errors-2\/","title":{"rendered":"Too many Bind query (cache) denied, DNS attack?-Collection of common programming errors"},"content":{"rendered":"<p>Once Bind crashed and I did <code>tail -f \/var\/log\/messages<\/code>, I see a massive number of logs every second. Is this a DNS attack, or is there something wrong?<\/p>\n<p>Sometimes I see a domain in the logs like this: dOmAin.com (upper and lower). As you can see, there is only one single domain in the logs, with different IPs.<\/p>\n<pre><code>Oct 10 02:21:26 mail named[20831]: client 74.125.189.18#38921: query (cache) 'ns1.domain2.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 192.221.144.171#38833: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 74.125.189.17#42428: query (cache) 'ns2.domain2.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 192.221.146.27#37899: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 193.203.82.66#39263: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 8.0.16.170#59723: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 80.169.197.66#32903: query (cache) 'dOmAin.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 134.58.60.1#47558: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 192.221.146.34#47387: query (cache) 
'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 8.0.16.8#59392: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 74.125.189.19#64395: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 217.72.163.3#42190: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 83.146.21.252#22020: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 192.221.146.116#57342: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 193.203.82.66#52020: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 8.0.16.72#64317: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 80.169.197.66#31989: query (cache) 'dOmAin.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 74.125.189.18#47436: query (cache) 'ns2.domain2.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 74.125.189.16#44005: query (cache) 'ns1.domain2.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 85.132.31.10#50379: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 94.241.128.3#60106: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 85.132.31.10#59118: query (cache) 'domain.com\/A\/IN' denied\nOct 10 02:21:26 mail named[20831]: client 212.95.135.78#27811: query (cache) 'domain.com\/A\/IN' denied\n<\/code><\/pre>\n<p>\/etc\/resolv.conf<\/p>\n<pre><code>; generated by \/sbin\/dhclient-script\nnameserver 4.2.2.4\nnameserver 8.8.4.4\n<\/code><\/pre>\n<p>Bind config:<\/p>\n<pre><code>\/\/ generated by named-bootconf.pl\n\noptions {\n        directory \"\/var\/named\";\n        \/*\n         * If there is a firewall between you and nameservers you want\n         * to talk to, you might need to uncomment the query-source\n         * directive below.  
Previous versions of BIND always asked\n         * questions using port 53, but BIND 8.1 uses an unprivileged\n         * port by default.\n         *\/\n        \/\/ query-source address * port 53;\n\n        allow-transfer { none; };\n        allow-recursion { localnets; };\n        \/\/listen-on-v6 { any; };\n        notify no;\n};\n\n\/\/\n\/\/ a caching only nameserver config\n\/\/\ncontrols {\n        inet 127.0.0.1 allow { localhost; } keys { rndckey; };\n};\nzone \".\" IN {\n        type hint;\n        file \"named.ca\";\n};\n\nzone \"localhost\" IN {\n        type master;\n        file \"localhost.zone\";\n        allow-update { none; };\n};\n\nzone \"0.0.127.in-addr.arpa\" IN {\n        type master;\n        file \"named.local\";\n        allow-update { none; };\n};\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Once Bind crashed and I did: tail -f \/var\/log\/messages I see a massive number of logs every second. Is this a DNS attack? or is there something wrong? Sometimes I see a domain in logs like this: dOmAin.com (upper and lower). 
As you see there is only one single domain in the logs with different [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6669","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=6669"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6669\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=6669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=6669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=6669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}