LFD - "named REFUSED unexpected RCODE resolving ..." attack?

Comments

5 comments

  • cPRex Jurassic Moderator

    Hey there!  I don't see that vds1318850.hosted-by-itldc.com is a valid domain, as it doesn't have any DNS records.  Since that is the case, I would expect any lookups for the domain to fail, like what you're seeing.

    There are two options - something on your server is trying to connect to that domain, or something external is querying your server for that domain's DNS.

    Inside /etc/named.conf, do you see the following line?

    recursion no;
    0
  • simz8

    Hi cPRex ,

    I see recursion no for the main options and for the external view:

    options {
        /* make named use port 53 for the source of all queries, to allow
             * firewalls to block all ports except 53:
             */

        // query-source    port 53;

        recursion no;

    and 

    view    "external" {
    /* This view will contain zones you want to serve only to "external" clients
     * that have addresses that are not on your directly attached LAN interface subnets:
     */
        recursion no;
        additional-from-cache no;

    but for the views : "localhost_resolver" and "internal" recursion is "yes".

    Besides that, how can I see from those lfd warnings whether the lookups that fail are external queries or something on my server trying to connect? I just saw that the same thing is also happening with other domains:

    /var/log/messages:
    Jul 15 04:00:06 vps2 lfd[6131]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
    Jul 15 04:00:06 vps2 lfd[6131]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
    Jul 15 04:06:02 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.86#53
    Jul 15 04:06:03 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.32#53
    Jul 15 04:17:02 vps2 systemd: Starting ImunifyAV...
    Jul 15 04:17:02 vps2 systemd: Started ImunifyAV.
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 5.34.180.212#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 5.34.180.212#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.245.45#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.245.45#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.225.13#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.225.13#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 217.12.221.175#53
    Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 217.12.221.175#53
    Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.243.46#53
    Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.243.46#53
    Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.213.192#53
    Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.213.192#53

    0
  • cPRex Jurassic Moderator

    That configuration is fine then - I just wanted to make sure that main recursion option was set to off, as it should be.

    I'm honestly not 100% sure how you would narrow that down more, as this issue isn't unique to cPanel but can appear with any DNS server using BIND/PowerDNS.  You may want to speak with your hosting provider or datacenter to have them check the system and network to see if they can further isolate the issue.

    0
  • simz8

    There are tons of other IPs/domains with similar errors while trying to resolve them, like the following (here is an excerpt from /var/log/messages):

    Jul 15 13:15:07 vps2 rsyslogd: imjournal: journal reloaded... [v8.24.0-57.el7_9.3 try http://www.rsyslog.com/e/0 ]
    Jul 15 13:15:07 vps2 rsyslogd: imjournal: journal reloaded... [v8.24.0-57.el7_9.3 try http://www.rsyslog.com/e/0 ]
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns1.rcil.gov.in/AAAA/IN': 203.153.47.251#53
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns2.rcil.gov.in/AAAA/IN': 203.153.47.251#53
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns1.rcil.gov.in/A/IN': 203.153.47.251#53
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns2.rcil.gov.in/A/IN': 203.153.47.251#53
    Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ws167-208.199.103.rcil.gov.in/A/IN': 203.153.47.251#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'dzowo.uem.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'oceano.uem.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'zebra.uem.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'anyns.uem.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'oceano.uem.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'dzowo.uem.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'zebra.uem.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'anyns.uem.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'limpopo.tdm.mz/A/IN': 196.3.96.67#53
    Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'limpopo.tdm.mz/AAAA/IN': 196.3.96.67#53
    Jul 15 13:32:30 vps2 lfd[32139]: Incoming IP 31.184.196.21 temporary block removed
    Jul 15 13:37:16 vps2 lfd[643]: *Port Scan* detected from 31.184.196.21 (RU/Russia/bobcatkit.com). 11 hits in the last 30 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
    Jul 15 13:39:01 vps2 lfd[852]: Incoming IP 87.246.7.90 temporary block removed

    My main concern is WHAT TRIGGERS these lookups by my BIND service...? I couldn't find any entry inside /var/log/maillog or /var/log/exim_mainlog, because one of my thoughts was that the lookup was triggered by some incoming email.

    How can I figure out what triggers these false lookups?

    0
  • cPRex Jurassic Moderator

    That second example you posted is completely different from the first, with an explanation in the second-to-last line:

    Jul 15 13:37:16 vps2 lfd[643]: *Port Scan* detected from 31.184.196.21 (RU/Russia/bobcatkit.com). 11 hits in the last 30 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]

    I would just block that IP completely at the firewall and be done with that.

    I don't have a better explanation for the earlier "REFUSED unexpected RCODE resolving" errors you're seeing at this time.

    0
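Added example (not part of the thread, not cPanel or CSF code): a small Python parser that groups "unexpected RCODE resolving" lines like the ones posted above by the name being resolved, decodes in-addr.arpa names back to the address whose PTR was requested, and records which upstream servers answered with which RCODE. Reverse lookups of addresses that also show up as connecting clients typically come from a local service doing PTR lookups (sshd, exim, or lfd's own hostname lookups) rather than from an external client; to see the actual source address of each query, BIND's query log (`rndc querylog on`) records it. The sample log below is constructed from the values posted in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same /var/log/messages format as the thread's excerpts.
SAMPLE_LOG = """\
Jul 15 04:06:02 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.86#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 5.34.180.212#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 5.34.180.212#53
Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns1.rcil.gov.in/AAAA/IN': 203.153.47.251#53
Jul 15 13:37:16 vps2 lfd[643]: *Port Scan* detected from 31.184.196.21 (RU/Russia/bobcatkit.com). 11 hits in the last 30 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
"""

# Matches only named's resolver failures; lfd/systemd/rsyslog lines are skipped.
LINE_RE = re.compile(
    r"named\[\d+\]: (?P<rcode>\w+) unexpected RCODE resolving "
    r"'(?P<name>[^/]+)/(?P<qtype>[A-Z]+)/IN': (?P<server>[\d.]+)#\d+"
)

def ptr_target(name):
    """Turn '134.130.39.211.in-addr.arpa' back into '211.39.130.134'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets))

def summarize(log_text):
    """Group RCODE failures by resolved name.

    Returns {name: {"rcodes": Counter, "qtypes": set, "servers": set, "reverse_of": ip or None}}
    so it is easy to see whether failures cluster around reverse lookups of client
    addresses (local services resolving connecting hosts) or around forward names.
    """
    out = defaultdict(lambda: {"rcodes": Counter(), "qtypes": set(),
                               "servers": set(), "reverse_of": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = out[m["name"]]
        entry["rcodes"][m["rcode"]] += 1
        entry["qtypes"].add(m["qtype"])
        entry["servers"].add(m["server"])
        entry["reverse_of"] = ptr_target(m["name"])
    return dict(out)

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        kind = f"PTR for {info['reverse_of']}" if info["reverse_of"] else "forward"
        print(f"{name:40} {kind:22} {dict(info['rcodes'])} via {sorted(info['servers'])}")
```

Run it against the real file with `summarize(open("/var/log/messages").read())` to get the same grouping over the full log.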