Queries .domain. Attack to root server?


Queries .domain. Attack to root server?

Federico87
Hi everybody,
I know that this question is not really related to PowerDNS but more to DNS in general, but maybe one of you can help me with this problem.

Since last week I can see some peaks of queries on my 2 DNS servers (you can see them on metronome under the T1000 and 836.recursor names). From my graphs I saw that these queries are directly against root server a.
I sniffed the traffic and I saw some strange queries with .domain at the end of the name:

[...]
14:56:13.152408 IP dns.seeweb.it.domain > banana_eth0.11659: 23888*- 1/2/0 CNAME 162.160-27.194.94.85.in-addr.arpa. (119)
14:56:13.153043 IP banana_eth0.50298 > i.gtld-servers.net.domain: 53582 A? ns1.cianciolab.com. (36)
14:56:13.157826 IP tinnie.arin.net.domain > banana_eth0.40085: 46248- 0/2/0 (88)
14:56:13.158218 IP banana_eth0.44415 > ns.elion.ee.domain: 25287 PTR? 242.225.191.90.in-addr.arpa. (45)
14:56:13.177148 IP i.gtld-servers.net.domain > banana_eth0.50298: 53582- 0/2/2 (100)
14:56:13.177571 IP banana_eth0.55401 > naimi.housing-server.biz.domain: 17309 A? ns1.cianciolab.com. (36)
14:56:13.223558 IP ns.elion.ee.domain > banana_eth0.44415: 25287*- 1/0/0 PTR ns3.zonedata.net. (75)
14:56:13.224978 IP banana_eth0.62199 > puck.nether.net.domain: 31838 PTR? 36.216.61.204.in-addr.arpa. (44)
14:56:13.233555 IP naimi.housing-server.biz.domain > banana_eth0.55401: 17309*- 1/2/1 A 85.94.194.162 (100
[...]

If I dig for one of those domains I can see that the query goes directly to the root server.

root@banana:~# dig dns.seeweb.it.domain

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> dns.seeweb.it.domain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49088
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dns.seeweb.it.domain.          IN      A

;; AUTHORITY SECTION:
.                       3600    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2015121300 1800 900 604800 86400

;; Query time: 28 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 13 15:09:19 2015
;; MSG SIZE  rcvd: 113

It seems quite odd to me, but I'm not sure if it is a kind of attack on the root server. Does anyone have any idea/suggestion? In that case, how can I block it? (I was thinking about an iptables filter for .domain queries.)

Thanks

Federico


_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: Queries .domain. Attack to root server?

Stephane Bortzmeyer
On Sun, Dec 13, 2015 at 03:17:04PM +0000,
 Federico Olivieri <[hidden email]> wrote
 a message of 131 lines which said:

> I did sniff traffic and I saw some strange queries with .domain at the end
> of the name

Always use tcpdump with -n option... (hint: the last field is the
port, 53 in digits, domain in letters).

> If I do dig for one of those domains I can see that the query goes directly
> to root server.

Of course, since it searches for the .domain TLD.
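The point Stephane is making is that without -n tcpdump prints port 53 with its service name, so the ".domain" suffix belongs to the port field, not to the query name. The following parser is an added example, not code from the thread or from PowerDNS: it splits tcpdump's "host.port" fields using the same service-name mapping, lists the names the resolver actually asked for, and shows that none of them has "domain" as its top-level label. It goes a little beyond the thread in that it handles both the -n form (numeric port) and the named form; the resolver host name banana_eth0 is taken from the excerpt.

```python
import re
from typing import Dict, List, Optional

# Without -n, tcpdump prints port 53 by its /etc/services name, "domain"; a fixed table keeps this parser independent of the host's /etc/services.
SERVICE_PORTS: Dict[str, int] = {"domain": 53}
# Line shape: "<ts> IP <host>.<port> > <host>.<port>: <id><flags> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+): (?P<id>\d+)(?P<flags>[*+-]*) (?P<rest>.*)$"
)
# Only queries carry "<QTYPE>? <qname> (<len>)"; responses start with answer/authority/additional counts.
QUERY_RE = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$")

def port_number(field: str) -> int:
    """Port field as a number, whether tcpdump printed digits (-n) or a service name."""
    return int(field) if field.isdigit() else SERVICE_PORTS[field]

def parse_line(line: str) -> Optional[dict]:
    """Split one tcpdump DNS line into hosts, numeric ports and, for queries, the real qname."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"src": m["src"], "sport": port_number(m["sport"]),
           "dst": m["dst"], "dport": port_number(m["dport"]), "qname": None, "qtype": None}
    q = QUERY_RE.match(m["rest"])
    if q:
        rec["qname"], rec["qtype"] = q["qname"], q["qtype"]
    return rec

def outgoing_queries(dump: str, resolver_host: str) -> List[dict]:
    """Queries the resolver itself sent: source is the resolver, destination port is 53."""
    recs = (parse_line(l) for l in dump.splitlines() if l.strip())
    return [r for r in recs if r and r["qname"] and r["src"] == resolver_host and r["dport"] == 53]

def names_with_tld(dump: str, resolver_host: str, tld: str) -> List[str]:
    """Outgoing qnames whose top-level label is `tld`; empty means that TLD was never asked for."""
    return [r["qname"] for r in outgoing_queries(dump, resolver_host)
            if r["qname"].rstrip(".").rsplit(".", 1)[-1] == tld]

# Lines copied from the tcpdump excerpt in the thread (resolver host shown as banana_eth0).
SAMPLE = """\
14:56:13.152408 IP dns.seeweb.it.domain > banana_eth0.11659: 23888*- 1/2/0 CNAME 162.160-27.194.94.85.in-addr.arpa. (119)
14:56:13.153043 IP banana_eth0.50298 > i.gtld-servers.net.domain: 53582 A? ns1.cianciolab.com. (36)
14:56:13.157826 IP tinnie.arin.net.domain > banana_eth0.40085: 46248- 0/2/0 (88)
14:56:13.158218 IP banana_eth0.44415 > ns.elion.ee.domain: 25287 PTR? 242.225.191.90.in-addr.arpa. (45)
14:56:13.224978 IP banana_eth0.62199 > puck.nether.net.domain: 31838 PTR? 36.216.61.204.in-addr.arpa. (44)
"""

if __name__ == "__main__":
    print(outgoing_queries(SAMPLE, "banana_eth0"), names_with_tld(SAMPLE, "banana_eth0", "domain"))
```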

Re: Queries .domain. Attack to root server?

Federico87
Thanks for the hint.
I wrote an iptables rule but it seems not to be working:

iptables -I INPUT 4 -p udp -m udp --dport 53 -m string --hex-string "|06|domain" --algo bm --to 65535 -m comment --comment ".domain" -j DROP

I think that I need to specify blocking all domains with .domain at the end (a kind of *.domain). Any suggestion?!

Thank you!!!!

Federico


Re: Queries .domain. Attack to root server?

Stephane Bortzmeyer
On Sun, Dec 13, 2015 at 03:48:05PM +0000,
 Federico Olivieri <[hidden email]> wrote
 a message of 74 lines which said:

> Thanks for the hint.

You apparently did not get it.

> I wrote and iptables rule but seems not working

Completely unrelated to the problem.

> I think that I need to specify to block all domains with .domain at the end
> (a kind of *.domain)

No, no and no.


Re: Queries .domain. Attack to root server?

Federico87
Can you please add more details in your answers?
Thanks


Re: Queries .domain. Attack to root server?

Peter van Dijk
Hello Federico,

On 13 Dec 2015, at 16:17, Federico Olivieri wrote:

> It seems quite odd to me but not sure if is a kind of attack to root
> server. Anyone has any idea/suggestion? In case, how can I block it
> (was
> thinking about and iptables filter for .domain queries)

If you set root-nx-trust in your recursor.conf, the Recursor will turn
the first NXDOMAIN into a negative cache entry for the whole domain
‘TLD’, until that entry expires. This will severely reduce your
outgoing queries for names under .domain.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/


Re: Queries .domain. Attack to root server?

Federico87
Hi Peter,

Thank you very much for your feedback, very useful! :)
I'll follow your indication and I'll let you know.

Regards,

Federico



Re: Queries .domain. Attack to root server?

Stephane Bortzmeyer
On Sun, Dec 13, 2015 at 03:57:17PM +0000,
 Federico Olivieri <[hidden email]> wrote
 a message of 58 lines which said:

> Can you please add more details in your answers?

There are NO requests for names ending in .domain. You are not reading
the output of tcpdump correctly.


Re: Queries .domain. Attack to root server?

Peter van Dijk
Hello,

On 13 Dec 2015, at 17:15, Stephane Bortzmeyer wrote:

> On Sun, Dec 13, 2015 at 03:57:17PM +0000,
> Federico Olivieri <[hidden email]> wrote
> a message of 58 lines which said:
>
>> Can you please add more details in your answers?
>
> There are NO requests for names ending in .domain. You do not read
> correctly the output of tcpdump.

Stephane is right. This makes my root-nx-trust answer somewhat useless
for your question (but the explanation of how it works stands, of
course).

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/


Re: Queries .domain. Attack to root server?

Federico87
Yeap, I have enabled the feature and reloaded the conf, but I can still see the problem. From metronome I can see that all answers are normal answers (none is NXDOMAIN). From the DSC graphs I can see more than 100K against the root-a server just for today.

I'll try to investigate a little bit more and get more details. Thanks anyway for your time!

Federico


Re: Queries .domain. Attack to root server?

Federico87
Maybe it is unrelated, but I found this article about a DNS attack on the root servers in the last few days:

http://thehackernews.com/2015/12/dns-root-servers-ddos-attack.html

For me the problem started last week. Anyone noticed something similar?

Federico


Re: Queries .domain. Attack to root server?

Stephane Bortzmeyer
On Sun, Dec 13, 2015 at 06:14:38PM +0000,
 Federico Olivieri <[hidden email]> wrote
 a message of 141 lines which said:

> Maybe is unrelated

Completely unrelated and, as I wrote already, there is no attack: you
just made a wrong analysis from the start.
