
LFD - "named REFUSED unexpected RCODE resolving ..." attack?

Comments

5 comments

  • cPRex Jurassic Moderator

    Hey there!  I don't see that vds1318850.hosted-by-itldc.com is a valid domain, as it doesn't have any DNS records.  Since that is the case, I would expect any lookups for the domain to fail, like what you're seeing.

    There are two options - something on your server is trying to connect to that domain, or something external is querying your server for that domain's DNS.

    Inside /etc/named.conf, do you see the following line?

    recursion no;
    0
  • simz8

    Hi cPRex,

    I see recursion no for the main options and for the external view:

    options {
        /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
        // query-source    port 53;

        recursion no;

    and 

    view    "external" {
    /* This view will contain zones you want to serve only to "external" clients
     * that have addresses that are not on your directly attached LAN interface subnets:
     */
        recursion no;
        additional-from-cache no;

    but for the views "localhost_resolver" and "internal", recursion is "yes".

    Besides that, how can I see whether those lfd warnings about failed lookups are external queries or something on my server trying to connect? I just saw that the same thing is also happening with other domains:

    /var/log/messages:
    Jul 15 04:00:06 vps2 lfd[6131]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
    Jul 15 04:00:06 vps2 lfd[6131]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
    Jul 15 04:06:02 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.86#53
    Jul 15 04:06:03 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.32#53
    Jul 15 04:17:02 vps2 systemd: Starting ImunifyAV...
    Jul 15 04:17:02 vps2 systemd: Started ImunifyAV.
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 5.34.180.212#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 5.34.180.212#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.245.45#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.245.45#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.225.13#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.225.13#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 217.12.221.175#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 217.12.221.175#53
    Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.243.46#53
    Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.243.46#53
    Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.213.192#53
    Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.213.192#53

    0
  • cPRex Jurassic Moderator

    That configuration is fine then - I just wanted to make sure that the main recursion option was set to off, as it should be.

    I'm honestly not 100% sure how you would narrow that down more, as this issue isn't unique to cPanel but can appear with any DNS server using BIND/PowerDNS.  You may want to speak with your hosting provider or datacenter to have them check the system and network to see if they can further isolate the issue.

    0
  • simz8

    There are tons of other IPs/domains with similar errors while trying to resolve them. Like the following (here is an excerpt from /var/log/messages):

    Jul 15 13:15:07 vps2 rsyslogd: imjournal: journal reloaded... [v8.24.0-57.el7_9.3 try http://www.rsyslog.com/e/0 ]
    Jul 15 13:15:07 vps2 rsyslogd: imjournal: journal reloaded... [v8.24.0-57.el7_9.3 try http://www.rsyslog.com/e/0 ]
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns1.rcil.gov.in/AAAA/IN': 203.153.47.251#53
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns2.rcil.gov.in/AAAA/IN': 203.153.47.251#53
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns1.rcil.gov.in/A/IN': 203.153.47.251#53
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns2.rcil.gov.in/A/IN': 203.153.47.251#53
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ws167-208.199.103.rcil.gov.in/A/IN': 203.153.47.251#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'dzowo.uem.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'oceano.uem.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'zebra.uem.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'anyns.uem.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'oceano.uem.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'dzowo.uem.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'zebra.uem.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'anyns.uem.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'limpopo.tdm.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'limpopo.tdm.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:32:30 vps2 lfd[32139]: Incoming IP 31.184.196.21 temporary block removed
    Jul 15 13:37:16 vps2 lfd[643]: *Port Scan* detected from 31.184.196.21 (RU/Russia/bobcatkit.com). 11 hits in the last 30 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
    Jul 15 13:39:01 vps2 lfd[852]: Incoming IP 87.246.7.90 temporary block removed

    My main concern is WHAT TRIGGERS these lookups by my BIND service...? I couldn't find any entry inside /var/log/maillog or /var/log/exim_mainlog, because one of my thoughts was that the lookup was triggered by some incoming email.

    How can I figure out what triggers these false lookups?

    0
  • cPRex Jurassic Moderator

    That second example you posted is completely different from the first, with an explanation in the second-to-last line:

    Jul 15 13:37:16 vps2 lfd[643]: *Port Scan* detected from 31.184.196.21 (RU/Russia/bobcatkit.com). 11 hits in the last 30 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]

    I would just block that IP completely at the firewall and be done with that.

    I don't have a better explanation for the earlier "REFUSED unexpected RCODE resolving" errors you're seeing at this time.

    0
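The open question in this thread is what triggers the failing lookups. The log lines themselves carry part of the answer: a PTR query for an in-addr.arpa name is a reverse lookup of a client IP, which is normally started by a local daemon (sshd, exim, lfd) resolving a connecting address, while forward A/NS/AAAA queries are what you would see if something on the box, or an outside client, asked your server for those names. The following Python script is an added example, not code from the thread or from cPanel; it parses the "unexpected RCODE resolving" lines in the format quoted above (assumed to match the BIND output shown), groups them by RCODE, query type and upstream server, and turns PTR names back into the IP being reverse-resolved so that IP can be searched for in the other service logs.

```python
import re
from collections import Counter

# Matches BIND lines such as:
#   named[1181]: REFUSED unexpected RCODE resolving 'host.example/A/IN': 192.0.2.1#53
RCODE_RE = re.compile(
    r"named\[\d+\]: (?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

# Constructed sample: a few lines copied from the /var/log/messages excerpts in the thread.
SAMPLE_LOG = """\
Jul 15 04:06:02 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.86#53
Jul 15 04:06:03 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.32#53
Jul 15 04:17:02 vps2 systemd: Starting ImunifyAV...
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 5.34.180.212#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 5.34.180.212#53
Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns1.rcil.gov.in/AAAA/IN': 203.153.47.251#53
"""


def parse_events(log_text):
    """One dict per named RCODE line; unrelated lines (lfd, systemd, rsyslogd) are skipped."""
    return [m.groupdict() for m in map(RCODE_RE.search, log_text.splitlines()) if m]


def reverse_lookup_target(name):
    """'134.130.39.211.in-addr.arpa' -> '211.39.130.134'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(events):
    """Group failures by RCODE, query type and upstream server, and recover PTR targets."""
    ptr = {reverse_lookup_target(e["name"]) for e in events if e["qtype"] == "PTR"}
    return {
        "by_rcode": Counter(e["rcode"] for e in events),
        "by_qtype": Counter(e["qtype"] for e in events),
        "by_server": Counter(e["server"] for e in events),
        "forward_names": sorted({e["name"] for e in events if e["qtype"] != "PTR"}),
        # Reverse lookups are usually started by a local daemon resolving a client IP;
        # grep these IPs in the sshd/exim/lfd logs at the same timestamp to find the trigger.
        "reverse_targets": sorted(ptr - {None}),
    }
```

Run it against the real file with `summarize(parse_events(open("/var/log/messages").read()))`; a burst of forward queries for one domain with no matching client activity points at a local process or an external querier, while PTR targets can be matched against connection logs.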
