LFD - "named REFUSED unexpected RCODE resolving ..." attack?
Hello,
I am using cPanel v110.0.17 on a CentOS 7.9 VPS server (I am probably going to move to AlmaLinux any time soon).
My CSF/LFD firewall sends thousands of lines every hour in the Log Scanner report with the indication "REFUSED unexpected RCODE resolving".
This is an excerpt from /var/log/messages:
Jul 13 09:07:41 vps2 named[1181]: REFUSED unexpected RCODE resolving 'mail20243.unisensebd.com/A/IN': 38.46.221.191#53
Jul 13 09:13:40 vps2 named[1181]: REFUSED unexpected RCODE resolving '226.132.28.111.in-addr.arpa/PTR/IN': 211.138.160.185#53
Jul 13 09:13:40 vps2 named[1181]: REFUSED unexpected RCODE resolving '226.132.28.111.in-addr.arpa/PTR/IN': 211.138.161.185#53
Jul 13 09:30:18 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.245.45#53
Jul 13 09:30:18 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 217.12.221.175#53
Jul 13 09:30:18 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/TXT/IN': 217.12.221.175#53
Jul 13 09:30:18 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.225.13#53
Jul 13 09:30:18 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/TXT/IN': 195.123.225.13#53
Jul 13 09:30:19 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.243.46#53
Jul 13 09:30:19 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/TXT/IN': 195.123.243.46#53
Jul 13 09:30:19 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 5.34.180.212#53
Jul 13 09:30:19 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/TXT/IN': 5.34.180.212#53
Jul 13 09:30:19 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.213.192#53
Jul 13 09:30:19 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/TXT/IN': 195.123.213.192#53
Jul 13 09:30:19 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/TXT/IN': 195.123.245.45#53
Jul 13 09:34:36 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.225.13#53
Jul 13 09:34:36 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.245.45#53
Jul 13 09:34:36 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 217.12.221.175#53
Jul 13 09:34:36 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.213.192#53
Jul 13 09:34:36 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.243.46#53
Jul 13 09:34:36 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 5.34.180.212#53
Jul 13 09:34:36 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/AAAA/IN': 195.123.225.13#53
Jul 13 09:34:36 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/AAAA/IN': 195.123.245.45#53
The vast majority of these lines have to do with vds1318850.hosted-by-itldc.com.
What is this type of attack? What can I do to stop it?
-
Hey there! I don't see that vds1318850.hosted-by-itldc.com is a valid domain, as it doesn't have any DNS records. Since that is the case, I would expect any lookups for the domain to fail, like what you're seeing.
There are two options - something on your server is trying to connect to that domain, or something external is querying your server for that domain's DNS.
Inside /etc/named.conf, do you see the following line?
recursion no;
0 -
Hi cPRex,
I see recursion no for the main options and for the external view:
options {
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
// query-source port 53;
recursion no;
and
view "external" {
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
recursion no;
additional-from-cache no;
But for the views "localhost_resolver" and "internal" recursion is "yes".
Besides that, how can I tell from those lfd warnings whether the failed lookups are external queries or something on my server trying to connect? I just saw that the same thing is also happening with other domains:
/var/log/messages:
Jul 15 04:00:06 vps2 lfd[6131]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Jul 15 04:00:06 vps2 lfd[6131]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Jul 15 04:06:02 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.86#53
Jul 15 04:06:03 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.32#53
Jul 15 04:17:02 vps2 systemd: Starting ImunifyAV...
Jul 15 04:17:02 vps2 systemd: Started ImunifyAV.
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 5.34.180.212#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 5.34.180.212#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.245.45#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.245.45#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.225.13#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.225.13#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 217.12.221.175#53
Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 217.12.221.175#53
Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.243.46#53
Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.243.46#53
Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 195.123.213.192#53
Jul 15 04:18:43 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.213.192#53
0 -
That configuration is fine then - I just wanted to make sure that main recursion option was set to off, as it should be.
I'm honestly not 100% sure how you would narrow that down more, as this issue isn't unique to cPanel but can appear with any DNS server using BIND/PowerDNS. You may want to speak with your hosting provider or datacenter to have them check the system and network to see if they can further isolate the issue.
0 -
There are tons of other IPs/domains with similar errors while trying to resolve them, like the following (here is an excerpt from /var/log/messages):
Jul 15 13:15:07 vps2 rsyslogd: imjournal: journal reloaded... [v8.24.0-57.el7_9.3 try http://www.rsyslog.com/e/0 ]
Jul 15 13:15:07 vps2 rsyslogd: imjournal: journal reloaded... [v8.24.0-57.el7_9.3 try http://www.rsyslog.com/e/0 ]
Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns1.rcil.gov.in/AAAA/IN': 203.153.47.251#53
Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns2.rcil.gov.in/AAAA/IN': 203.153.47.251#53
Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns1.rcil.gov.in/A/IN': 203.153.47.251#53
Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ns2.rcil.gov.in/A/IN': 203.153.47.251#53
Jul 15 13:20:52 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'ws167-208.199.103.rcil.gov.in/A/IN': 203.153.47.251#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'dzowo.uem.mz/A/IN': 196.3.96.67#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'oceano.uem.mz/AAAA/IN': 196.3.96.67#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'zebra.uem.mz/AAAA/IN': 196.3.96.67#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'anyns.uem.mz/A/IN': 196.3.96.67#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'oceano.uem.mz/A/IN': 196.3.96.67#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'dzowo.uem.mz/AAAA/IN': 196.3.96.67#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'zebra.uem.mz/A/IN': 196.3.96.67#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'anyns.uem.mz/AAAA/IN': 196.3.96.67#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'limpopo.tdm.mz/A/IN': 196.3.96.67#53
Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'limpopo.tdm.mz/AAAA/IN': 196.3.96.67#53
Jul 15 13:32:30 vps2 lfd[32139]: Incoming IP 31.184.196.21 temporary block removed
Jul 15 13:37:16 vps2 lfd[643]: *Port Scan* detected from 31.184.196.21 (RU/Russia/bobcatkit.com). 11 hits in the last 30 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
Jul 15 13:39:01 vps2 lfd[852]: Incoming IP 87.246.7.90 temporary block removed
My main concern is WHAT TRIGGERS these lookups by my BIND service...? I couldn't find any entry inside /var/log/maillog or /var/log/exim_mainlog, because one of my thoughts was that the lookup was triggered by some incoming email.
How can I figure out what triggers these false lookups?
0 -
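To triage which names and upstream servers dominate these messages (the question in the post above), here is an added Python parser that is not from the thread or from cPanel: it aggregates the "unexpected RCODE" lines by parent zone and by the server that answered, ignoring unrelated syslog lines. The sample lines are copied from the thread; against a real system it is run as `python3 rcode_summary.py /var/log/messages` (script name assumed).

```python
import re
import sys
from collections import Counter

# One BIND resolver message in the form quoted in the thread:
#   <ts> <host> named[<pid>]: <RCODE> unexpected RCODE resolving '<name>/<type>/<class>': <server>#<port>
# The address after the colon is the upstream server that answered, not the client that asked.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"(?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#\d+$"
)

def parse_line(line):
    """Fields of one 'unexpected RCODE' line, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def zone_key(qname):
    """Group a name by its parent: the /24 for in-addr.arpa PTR names, else the last two labels."""
    labels = qname.rstrip(".").split(".")
    if qname.endswith("in-addr.arpa"):
        return ".".join(labels[1:])
    return ".".join(labels[-2:])

def summarize(lines):
    """Count failed lookups per (zone, rcode) and per upstream server."""
    by_zone, by_server = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # lfd, systemd, rsyslogd noise
        by_zone[(zone_key(rec["qname"]), rec["rcode"])] += 1
        by_server[rec["server"]] += 1
    return by_zone, by_server

# Constructed sample, copied from the lines quoted in the thread.
SAMPLE_LOG = [
    "Jul 15 04:06:02 vps2 named[1181]: REFUSED unexpected RCODE resolving '134.130.39.211.in-addr.arpa/PTR/IN': 211.252.85.86#53",
    "Jul 15 04:17:02 vps2 systemd: Starting ImunifyAV...",
    "Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 5.34.180.212#53",
    "Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'hosted-by-itldc.com/NS/IN': 5.34.180.212#53",
    "Jul 15 04:18:42 vps2 named[1181]: REFUSED unexpected RCODE resolving 'vds1318850.hosted-by-itldc.com/A/IN': 195.123.245.45#53",
    "Jul 15 13:24:25 vps2 named[1181]: SERVFAIL unexpected RCODE resolving 'dzowo.uem.mz/A/IN': 196.3.96.67#53",
]

if __name__ == "__main__":
    zones, servers = summarize(open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG)
    for (zone, rcode), n in zones.most_common(10):
        print(f"{n:6d}  {rcode:<8} {zone}")
    for server, n in servers.most_common(5):
        print(f"{n:6d}  upstream {server}")
```

Because each line names only the server that answered, not the client that asked, finding what triggers the lookups needs BIND's query log (toggled with `rndc querylog`), which records the client address for every query the recursive views accept.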
That second example you posted is completely different from the first, with an explanation in the second-to-last line:
Jul 15 13:37:16 vps2 lfd[643]: *Port Scan* detected from 31.184.196.21 (RU/Russia/bobcatkit.com). 11 hits in the last 30 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
I would just block that IP completely at the firewall and be done with that.
I don't have a better explanation for the earlier "REFUSED unexpected RCODE resolving" errors you're seeing at this time.
0