Bind9 query (cache) 'sl/ANY/IN' denied

Hello,

I have many entries like this in my syslog.

    19-Mar-2021 07:40:24.601 client @0x7f5d8c2445e0 154.244.190.192#8080 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.609 client @0x7f5d8c2445e0 99.117.95.102#80 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.616 client @0x7f5d8c235e50 73.19.51.149#3075 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.651 client @0x7f5d8c2276c0 96.52.156.243#3658 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.653 client @0x7f5d8c2276c0 184.101.148.232#80 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.657 client @0x7f5d8c2276c0 89.40.105.87#20 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.705 client @0x7f5d8c2276c0 154.244.190.192#8080 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.723 client @0x7f5d8c1ed880 162.201.221.101#3074 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.744 client @0x7f5d8c1ed880 154.244.190.192#8080 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.771 client @0x7f5d8c1ed880 99.117.95.102#80 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.775 client @0x7f5d8c1ed880 184.101.148.232#80 (sl): query (cache) 'sl/ANY/IN' denied
    19-Mar-2021 07:40:24.809 client @0x7f5d8c1ed880 96.52.156.243#3658 (sl): query (cache) 'sl/ANY/IN' denied

I added the Fail2ban filter but this won't work for me.
I also modified my DNS server like this and this and added the nameserver from my service provider to the ACL rule.

In the named.conf.options I added:

    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { none; };
    allow-transfer { none; };
    additional-from-auth no;
    additional-from-cache no;
    minimal-responses yes;

But the log entries do not disappear.
Does anyone have an idea how to solve this?

Does no one have an idea?

That sounds a bit like a security warning from BIND to tell you people are trying to use your DNS server as a recursive DNS server. Perhaps consult the BIND manual to see how logging can be controlled to avoid that security warning, but also bear in mind the implications of reducing security logging.

There is one important question here, is your Virtualmin server being used as DNS server for your domains?

If so, you will need to have BIND exposed on port 53. The good thing is that Virtualmin automatically sets it up so that it only serves as authoritative and not recursive, meaning others can't use your server for recursion. This is a good thing.
The log entries you see just confirm that your system can't be exploited in a DNS amplification attack, for example.

If you are NOT using the system as DNS server for your domains you can just firewall it off and be done with it.

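A log-triage sketch for the "denied" lines discussed in this thread, as an added example that is not part of any poster's message or of BIND or Virtualmin: it parses the log layout quoted in the question and counts refused cache queries per name/type and per client address. The function names and the sample lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the "denied" lines quoted in the question; the optional
# "view NAME:" part appears when BIND is configured with views.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r" \([^)]*\): (?:view \S+: )?query \(cache\) "
    r"'(?P<qname>.+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)

def parse_denied(lines):
    """Return one dict per denied cache query; other log lines are skipped."""
    return [m.groupdict() for m in map(DENIED_RE.search, lines) if m]

def summarize(lines, top=3):
    """Count denied queries per (qname, qtype) and per client address."""
    hits = parse_denied(lines)
    by_query = Counter((h["qname"], h["qtype"]) for h in hits)
    by_client = Counter(h["ip"] for h in hits)
    any_hits = sum(1 for h in hits if h["qtype"] == "ANY")
    return {
        "denied": len(hits),
        "top_queries": by_query.most_common(top),
        "top_clients": by_client.most_common(top),
        # Share of refused queries that asked for type ANY.
        "any_share": any_hits / len(hits) if hits else 0.0,
    }

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = """\
19-Mar-2021 07:40:24.601 client @0x7f5d8c2445e0 192.0.2.10#8080 (sl): query (cache) 'sl/ANY/IN' denied
19-Mar-2021 07:40:24.609 client @0x7f5d8c2445e0 198.51.100.7#80 (sl): query (cache) 'sl/ANY/IN' denied
19-Mar-2021 07:40:24.705 client @0x7f5d8c2276c0 192.0.2.10#8080 (sl): query (cache) 'sl/ANY/IN' denied
19-Mar-2021 07:40:24.723 client @0x7f5d8c1ed880 203.0.113.5#3074 (example.org): query (cache) 'example.org/A/IN' denied
19-Mar-2021 07:40:25.000 zone example.com/IN: sending notifies (serial 2021031901)
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A high `any_share` for names the server does not host is consistent with the refused recursion attempts described in the reply above.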

Hi,

Thank you for your explanation. Yes, I wanted to use BIND as a master DNS server. I was irritated only because of the reports.
