DNS attack, need advice
Past few days I've been seeing loads and loads of "view external: query (cache) 'isc.org/ANY/IN' denied" queries in /var/log/messages, at least 1 query every second. Usually 2-5 different IPs every day. I keep blocking if I see multiple queries from the same IP, but is there any other way to fix this?
Thanks
Hello :) There are a few threads about this particular issue. Here is one that may be useful: why named logging query cache denied to /var/log/messages? Thank you.
Thank you, I will take a look at it.
- - - Updated - - -
I looked at that thread and the solution posted there is only to stop logging the cache denied messages. But is there any way to actually stop those IPs from making queries? How can constant queries affect my server? I'm fairly new to this and still learning, so any advice would be appreciated.
You cannot control the actions of a remote server, but you can block the IP addresses with a firewall if you notice the same IP continuing to make queries. It's not really going to cause you any problems, and it's actually normal to see these events in the logs from time to time. It's better to leave the logging on in my opinion so that you know which IP addresses to block. Thank you.
This is what I've been doing, but sometimes I can't monitor logs. Is it possible to block an IP automatically if it does more than, let's say, 50 queries or something like that?
[quote="sevi, post: 1499301"]This is what I've been doing, but sometimes I can't monitor logs. Is it possible to block an IP automatically if it does more than, let's say, 50 queries or something like that?[/quote]
There are no options in cPanel that will block IP addresses in that fashion. You may want to check to see if you can implement any custom firewall rules for that with an application such as CSF. Thank you.
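One way to do the counting asked about above, as an added example that is not from this thread, cPanel or CSF: a Python script that tallies `query (cache) ... denied` lines per client IP and lists the addresses over a threshold, ready for review before adding them to a firewall deny list. The log line layout, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches BIND "query (cache) '<name>/<type>/<class>' denied" lines. The optional
# "@0x..." token covers BIND versions that log a client object address.
DENIED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r".*query \(cache\) '[^/']+/[^/']+/[^']+' denied"
)

THRESHOLD = 50  # the figure suggested in the thread; tune to your own traffic


def count_denied(lines):
    """Return a Counter of denied cache queries per client IP."""
    hits = Counter()
    for line in lines:
        m = DENIED.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def offenders(lines, threshold=THRESHOLD):
    """Return (ip, count) pairs with more than `threshold` hits, busiest first."""
    return [(ip, n) for ip, n in count_denied(lines).most_common() if n > threshold]


def sample_log():
    """Constructed sample lines using documentation addresses, not real data."""
    noisy = ("Mar  3 10:15:01 ns1 named[1234]: client 192.0.2.10#{port}: "
             "view external: query (cache) 'isc.org/ANY/IN' denied")
    lines = [noisy.format(port=40000 + i) for i in range(60)]
    lines += [
        "Mar  3 10:15:02 ns1 named[1234]: client @0x7f3a1c0 198.51.100.7#5353 "
        "(isc.org): view external: query (cache) 'isc.org/ANY/IN' denied",
        "Mar  3 10:15:03 ns1 named[1234]: client 203.0.113.5#1111: "
        "view external: query 'example.com/A/IN' approved",  # unrelated, ignored
    ]
    return lines


if __name__ == "__main__":
    import sys
    # Pass a log path such as /var/log/messages, or no argument for the sample.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else sample_log()
    for ip, n in offenders(src):
        # Review before blocking: UDP source addresses can be spoofed.
        print(f"{ip}\t{n}")
```
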
Thanks. I will just keep checking all the logs. Just wanted to make sure my customers can still access the website when someone is making tons of DNS queries.
- - - Updated - - -
It's not normal if I have 5-10 of "view external: query (cache) 'isc.org/ANY/IN' denied" every second for like 20-30 minutes, right?
- - - Updated - - -
I checked the IP and it's not on any blacklist report.
- - - Updated - - -
Do I need to restart BIND after this?
I recommend blocking the IP address with a firewall such as CSF. Restarting BIND is not necessary. Thank you.