Re: [opensuse] *Help* Am I under some kind of attack??
- From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
- Date: Thu, 26 Apr 2007 22:00:45 +0200 (CEST)
The Wednesday 2007-04-25 at 21:27 +0100, G.T.Smith wrote:
Why the OP gets 5 rcode entries and me two (before the lame error) might
have to do with the number of forwarders in his definition. The first
block in my case corresponds to the forwarders, the second I don't know;
in any case, they are DNS servers my daemon interrogated. But the culprit
one is that of the attackers, not any DNS on our side.
My DNS is purely a cache DNS and is only authoritative for local address
space and is not that busy.
Like mine.
I do not see the above after making the host
query (though the DNS logs do not seem to have been updated for quite
some time and I have not made any changes to the configuration in this
respect for one hell of a long time, so this is something I need to check).
Because I have this entry in /etc/named.conf:
logging {
    channel lame_errors {
        file "/var/lib/named/log/named-lame-servers" versions 2 size 200k;
        severity debug 3;
        print-severity yes;
        print-time yes;
    };
    category lame-servers { lame_errors; };
};
My DNS logs are also directed to the main log files and nothing shows up
there. My firewalling is done at the DSL router (I tend to prefer not to
have front line firewalling on a machine that is providing other
services), the DSL modem relays external DNS requests (no local machine
directly contacts the ISP's DNS servers). There was a serious pause for
the first request for the address but subsequent requests were rejected
quite quickly....
More or less the same here.
In this case, the fails are legitimate rejections... of the other four
one has to ask why are these asked again (and again) in the original
case when they are either broken or do not want to talk...
It must have to do with the response given by the DNS server that makes
our side think that the answer is not definitive and that another
server may think differently.
I would also ask
are these addresses defined as the forwarding servers. If both you and
the original poster are both running a full DNS server this would
suggest that queries to the address space quoted are being re-directed to
an address of a server which the referrer believes can handle this
address space (it is a long time since I read the relevant RFCs and I
cannot remember how this bit is supposed to work so I am probably way
off beam here). These referrals seem to be broken hence the DNS error
reports...
Mine asks first my ISP DNS servers, then the root servers. I.e., I have
"forward first".
This would tend to imply that the initial ftp query is not an
attack on the ftp accounts concerned but an attempt to attack the DNS
itself by firing up a lookup for a dodgy address via a mangled server. I
cannot replicate the problem but it might be worthwhile to have a look
at the communication involved by those who can
It may be coincidental and not intentional, but who knows.
--
Cheers,
Carlos E. R.