I'm seeing DDoS amplification with BIND on in syslog

SYSTEM INFORMATION
OS type and version: fresh install, Ubuntu 22.04
Webmin version: 2.013
Virtualmin version: 7.5 GPL
Related packages: SUGGESTED

Being self-taught, in a piddly (not production) environment, there are many empty spots in my knowledge base. I have used Webmin/Virtualmin for 5 years.
I noticed my new server was getting thousands of lines in /var/log/syslog with:
named[855]: client …: query (cache) ‘…/A|AAAA|HTTPS/IN’ denied

Here are a few; as it goes on, more IPs and domains appear:
Mar 21 12:17:32 serv named[855]: client @0x7fd594002fa8 66.75.177.3#60301 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied
Mar 21 12:17:31 serv named[855]: client @0x7fd59c0036d8 66.75.177.3#47609 (ns2.artemispost.com): query (cache) ‘ns2.artemispost.com/A/IN’ denied
Mar 21 12:17:31 serv named[855]: client @0x7fd59000c4c8 66.75.177.3#62764 (ns2.artemispost.com): query (cache) ‘ns2.artemispost.com/A/IN’ denied
Mar 21 12:17:31 serv named[855]: client @0x7fd5a4008e78 66.75.177.8#35543 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied
Mar 21 12:17:31 serv named[855]: client @0x7fd5ac2fc238 66.75.177.8#26331 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied
Mar 21 12:17:31 serv named[855]: client @0x7fd5ac2fc238 66.75.177.43#51390 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied
Mar 21 12:17:31 serv named[855]: client @0x7fd5a4008e78 66.75.177.43#15271 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied
Mar 21 12:17:31 serv named[855]: client @0x7fd59000c4c8 66.75.177.3#24447 (ns1.artemispost.com): query (cache) ‘ns1.artemispost.com/A/IN’ denied
Mar 21 12:17:30 serv named[855]: client @0x7fd5a4008e78 66.75.177.3#25020 (ns1.artemispost.com): query (cache) ‘ns1.artemispost.com/A/IN’ denied

My DNS is handled at my registrar (NameSilo) and all my records resolve correctly.

My BIND setting in Webmin > BIND > Global address and topology options:
Allow recursive queries from: Listed, 127.0.0.1 (as suggested by JamieCameron in an old post).

allow-recursion {
    127.0.0.1;
};

shows up in named.conf.options.

DNS Domain is turned off at “Features and Plugins” per server

To stop it, I turned off BIND in Webmin > System > Bootup and Shutdown:
named
named.service
named-resolvconf.service has always been off.

Coincidentally, viewdns.info Reverse IP shows these domains on my server that are not mine.

viewdns.info Reverse IP results for 104.225.221.236 (my IP) (I removed the domains I am hosting):

Domain Last Resolved Date
artemispost.com 2022-10-02
dietkungfu.com 2021-02-17
mcrider.xyz 2021-10-13
noworriestrader.com 2022-09-03

None of these domains resolve to my IP or to any DNS records. IP history shows they were all on my IP a couple of years ago. I got this server, with a single IP, a month ago.

So when the named lines appear, these domains are used, exclusively at first, and if I let it run, many more domains from many IPs are added.

I am migrating some sites from Ubuntu 20.04 / Webmin 2.013 / Virtualmin 7.5 with BIND enabled that does not have that problem.

Seems like this IP was used by some bad actors and maybe they just have the IP in their scripts. I don’t know how to clean it up and I don’t like not being able to turn on BIND, even though I don’t use it as an authoritative server or name server. I also don’t feel good about having the IP at all. It just seems risky.

Any ideas would be appreciated.

I’m not sure I understand where you are seeing DDoS amplification happening? I only see denied messages in your log entries above. Am I missing something?

Probably I am. I thought a steady stream of query (cache) denials was an indication of that. They come about 10 a second and don’t stop. What does that indicate?

If it’s all for the same domain or same few domains, it probably means somebody else used to have a DNS server on your IP and their glue records are still pointing at it.

Not much you can do about it, except deny those requests.

You can check:

whois noworriestrader.com |grep -i "name server"

Which results in:

whois noworriestrader.com |grep -i "name server"
Name Server: ns1.artemispost.com
Name Server: ns2.artemispost.com

Which is the next request, which tells me that these two domains are related, and that it probably is the situation I described with glue records. There isn’t a lot you can do. You could try reaching out to the owner of that domain and ask them to fix or delete their glue records. If they’ve given up on their sites, presumably they’ll let the domains lapse at some point, and you’ll be free of the noise.

You could also put up your own sites on those domains, because you control them until the owner changes the glue records. Free traffic! Would probably motivate them to fix their nonsense, if they do still care about it.

BTW, you can query delegations with:

dig +trace +additional noworriestrader.com

Which lists:

ns2.artemispost.com.	172800	IN	A	104.225.221.236
ns1.artemispost.com.	172800	IN	A	104.225.221.236

Among other things. I presume that is your server IP.

Yes, that is my IP.
All of these domains show up in viewdns.info on my IP. Their IP history shows they were on that IP 2 yrs ago. The log entries start with those domains and keep increasing with more IPs on different domains, and just keep running until I stop BIND. If I start BIND again, it starts with the same domains, increasing IPs on those domains, and more domains, NS domains and IPs until I stop BIND.
artemispost.com
dietkungfu.com
mcrider.xyz
noworriestrader.com

Whois gives more info. I don’t know if these privacy ID emails get delivered to anyone or not. If not, you might complain to the registrar that these are stale entries. The one is good till 2028.

Even if these sites have links from other sites I’m surprised by the number of entries you are seeing though.

OK, and? These requests in the log are all being denied, yes?

If you don’t host DNS locally, you can, of course turn off BIND and never turn it on again. (You may need to alter your resolv.conf settings, in that case, but that’s no big deal.)
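The thread's working setting is allow-recursion limited to 127.0.0.1, and the replies amount to "keep denying, or turn BIND off". As an added example (not configuration from the thread, from Webmin or from Virtualmin), here is the weak open-resolver form beside a tightened named.conf.options for a host like the OP's that serves no public zones, with the denial lines routed to their own file as the OP later wishes he had done. Paths are Ubuntu's; the rate-limit numbers are assumptions to start from, not values the thread gives.

```conf
// /etc/bind/named.conf.options (Ubuntu). Added example, not from the thread.
//
// WEAK: an open resolver. Anyone on the Internet can make this server recurse,
// so a small spoofed query yields a large answer aimed at the victim. That is the
// amplification case the thread's title worries about.
//
// options {
//     recursion yes;
//     allow-recursion { any; };
// };
//
// CORRECTED: recurse only for the box itself, no zone transfers, small answers,
// and the "query (cache) '...' denied" noise kept out of /var/log/syslog.
options {
    directory "/var/cache/bind";

    recursion yes;                          // still a resolver for localhost
    allow-recursion   { 127.0.0.1; ::1; };  // the thread's setting, plus IPv6 loopback
    allow-query-cache { 127.0.0.1; ::1; };  // cached answers only to the box itself
    allow-transfer    { none; };            // no zones are served here, so no AXFR
    minimal-responses yes;                  // fewer records per answer: less amplification value
    version none;                           // do not advertise the BIND version

    // If BIND is only used by this host, stop listening on the public address
    // at all; the stale glue-record traffic then never reaches named:
    // listen-on    { 127.0.0.1; };
    // listen-on-v6 { ::1; };

    // Response rate limiting per client /24 (values are assumptions; tune them).
    rate-limit {
        responses-per-second 5;
        errors-per-second    5;
        window               5;
    };
};

logging {
    channel denied_log {
        file "/var/log/named/denied.log" versions 5 size 10m;
        severity info;
        print-time yes;
        print-category yes;
    };
    // BIND logs "client ... query (cache) '...' denied" in the security category.
    category security { denied_log; };
};
```

Run named-checkconf /etc/bind/named.conf before restarting, and create /var/log/named owned by the bind user first. The denial lines themselves are the correct outcome: a REFUSED answer is tiny, so it has no amplification value, which is why the thread's "turn it off or keep denying" advice is right either way.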


Yes, whois and dig show no DNS records for any of them. The sites aren’t live.
It shows no DNS for ns1.artemispost.com or ns2.artemispost.com.
Literally hundreds of domains and nameservers. I haven’t found one that resolves yet.

Thanks, yes I can turn off BIND permanently.

How about asking your VPS provider to give you a new IP if everything bad is tied to the current IP (if that’s easy and free to do)? Or, as already posted, just turn off BIND.

I did that today. I’m letting it run right now just to play with the log. I’m expecting them to wipe the VPS any time. So far all the domains are dead domains that were on the nameservers on my IP. Funny, there are parts where the domains are formatted to look different:
Ns1.ARteMIspost.cOM/AAAA/IN
NS1.ArtemisPosT.CoM/A/IN
ImaP.SRV1.artemisPoSt.COm/A/IN
iMap.sRV1.aRtEMIsPoST.cOm/A/IN
imAp.SrV1.ArTeMISpoSt.coM/A/IN
iMAp.sRv1.aRtEMISpoSt.COM/A/IN

There aren’t as many domains as I thought. There are lots of different IPs. I scraped a file in Excel and pulled 3000 lines; that ran in 30 mins with about 200 unique IPs. So it’s a previous IP owner playing with scripts, I guess. I don’t really get the end game. It’s not affecting my CPU or memory. I probably could have just sent them to their own log and forgotten about it, but it sort of freaked me out and I’ll be happier to just not have that IP.
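The per-IP and per-domain tally the OP did in Excel can be done straight from the syslog lines, which also answers the earlier "what does that indicate?" question with numbers. This is an added example for the thread, not code from the post or from Webmin/Virtualmin. Its sample input is the nine log lines quoted earlier in the thread plus three constructed lines (a mixed-case name, an IPv6 client in the 2001:db8::/32 documentation range, and an unrelated sshd line) to exercise the edge cases. The odd capitalisation the OP noticed is what a resolver doing 0x20 case randomisation emits, so names are case-folded before counting, and clients are also grouped by /24 (or /64) because the OP saw them arrive in small blocks.

```python
"""Summarise BIND 'query ... denied' lines from syslog (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Matches BIND 9's "client <addr>#<port> (<name>): query (cache) '<name>/<type>/<class>' denied".
# Real syslog uses straight quotes; the forum rendered them as curly quotes, so both are
# accepted. The "@0x..." client handle is optional (present in newer BIND releases).
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9A-Fa-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query \((?P<source>[^)]*)\) "
    r"['\u2018](?P<qname>[^/'\u2019]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)['\u2019] denied"
)

# First nine lines: quoted from the post. Last three: constructed for this example.
SAMPLE_LOG = [
    "Mar 21 12:17:32 serv named[855]: client @0x7fd594002fa8 66.75.177.3#60301 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied",
    "Mar 21 12:17:31 serv named[855]: client @0x7fd59c0036d8 66.75.177.3#47609 (ns2.artemispost.com): query (cache) ‘ns2.artemispost.com/A/IN’ denied",
    "Mar 21 12:17:31 serv named[855]: client @0x7fd59000c4c8 66.75.177.3#62764 (ns2.artemispost.com): query (cache) ‘ns2.artemispost.com/A/IN’ denied",
    "Mar 21 12:17:31 serv named[855]: client @0x7fd5a4008e78 66.75.177.8#35543 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied",
    "Mar 21 12:17:31 serv named[855]: client @0x7fd5ac2fc238 66.75.177.8#26331 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied",
    "Mar 21 12:17:31 serv named[855]: client @0x7fd5ac2fc238 66.75.177.43#51390 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied",
    "Mar 21 12:17:31 serv named[855]: client @0x7fd5a4008e78 66.75.177.43#15271 (noworriestrader.com): query (cache) ‘noworriestrader.com/HTTPS/IN’ denied",
    "Mar 21 12:17:31 serv named[855]: client @0x7fd59000c4c8 66.75.177.3#24447 (ns1.artemispost.com): query (cache) ‘ns1.artemispost.com/A/IN’ denied",
    "Mar 21 12:17:30 serv named[855]: client @0x7fd5a4008e78 66.75.177.3#25020 (ns1.artemispost.com): query (cache) ‘ns1.artemispost.com/A/IN’ denied",
    "Mar 21 12:17:33 serv named[855]: client @0x7fd5a4008e78 192.0.2.10#40000 (Ns1.ARteMIspost.cOM): query (cache) 'Ns1.ARteMIspost.cOM/AAAA/IN' denied",
    "Mar 21 12:17:33 serv named[855]: client 2001:db8::5#5353 (iMap.sRV1.aRtEMIsPoST.cOm): query (cache) 'iMap.sRV1.aRtEMIsPoST.cOm/A/IN' denied",
    "Mar 21 12:17:33 serv sshd[900]: Accepted publickey for deploy from 192.0.2.50 port 50000 ssh2",
]


def parse_denied(line):
    """Return the fields of one denied-query line, or None for any other line."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["qname_raw"] = rec["qname"]
    # Fold case and drop a trailing dot: resolvers using 0x20 case randomisation
    # send the same name with mixed capitalisation, which is still one name.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def client_block(ip):
    """Collapse a client address to its /24 (IPv4) or /64 (IPv6) for clustering."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def summarize(lines):
    """Count denied queries by client, client block, name and query type."""
    s = {"total": 0, "skipped": 0, "clients": Counter(), "blocks": Counter(),
         "names": Counter(), "qtypes": Counter(), "case_variants": defaultdict(set)}
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            s["skipped"] += 1
            continue
        s["total"] += 1
        s["clients"][rec["ip"]] += 1
        s["blocks"][client_block(rec["ip"])] += 1
        s["names"][rec["qname"]] += 1
        s["qtypes"][rec["qtype"]] += 1
        s["case_variants"][rec["qname"]].add(rec["qname_raw"])
    return s


def report(s, top=5):
    """Human-readable summary of a summarize() result."""
    out = [f"{s['total']} denied queries from {len(s['clients'])} clients in "
           f"{len(s['blocks'])} address blocks ({s['skipped']} other lines skipped)"]
    for key in ("clients", "blocks", "names", "qtypes"):
        out.append(f"top {key}: " + ", ".join(f"{k} ({n})" for k, n in s[key].most_common(top)))
    mixed = sorted(k for k, v in s["case_variants"].items() if len(v) > 1)
    if mixed:
        out.append("names seen with mixed case (0x20-style): " + ", ".join(mixed))
    return "\n".join(out)


if __name__ == "__main__":
    # On a real host: print(report(summarize(open("/var/log/syslog", errors="replace"))))
    print(report(summarize(SAMPLE_LOG)))
```

A few names queried from many client blocks, all case-folding to the nameserver and host names of the same handful of dead domains, is the signature of stale delegation (glue) pointing at the IP, as the replies say; a single client block hammering many unrelated names would look different and would be worth a firewall rule.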

At worst it’s probably some script kiddie thinking he’s doing damage. But if these are coming from different IPs then they may be legit domain lookups. That’s curious that sites this popular would go dark though. Maybe these were scam sites and people are trying to get refunds? Who knows.

But, for $917 you can buy an artemispost. :wink:

Or, they could be machines that are ransomware infected trying to phone home? They go through progressions because domains get shut down. I’ve watched this in real time from the inside on a network once. Had to track down the infected machine.

dietkungfu.com
mcrider.xyz
genealogyhost.com
noworriestrader.com
Somehow I doubt they were wildly successful. Lots of the IPs are in small blocks.

What bad thing do y’all believe is happening here? I feel like I’m taking crazy pills. The requests are being denied! Nothing is going wrong. Everything is going according to plan.

This is literally nothing to worry about. It is the least worrying log entries you will ever see on a server on the internet.

These are not “attacks”, these are not DDoS requests. These are just DNS requests for a DNS server that no longer exists. It is not script kiddies. Nobody is intentionally doing anything. You are seeing the result of laziness or incompetence, but it is completely harmless.

Good to know. Not already knowing that, it seemed very invasive. The takeaway here is I have done a lot more reading about DNS, BIND, reading logs and security. Every time I set up Virtualmin I get the process a little smoother and maybe more correct.
Thanks all for your help.

This is the most plausible explanation. I wouldn’t rule out a bad actor being a past holder of that IP though. Harmless to the OP, but annoying.

This really looks like a ransomware-infected machine trying to phone home and complete the lock. A well-funded bad actor could be snapping up legit-looking domains (freshly expired) instead of the obvious random script-generated domains that are a little easier to spot as suspicious. A series of random xuadlq2sz.something sticks out like a sore thumb and authorities are looking out for such registrations.

A day after I blocked a /23 range for a ‘science’ company doing a rotating SSH auth attack, this article came out.

I knew the name from looking it up when I did the block. My last ‘real job’ was network security for a large regional telco so maybe I tend to the paranoid side. :wink:

Yes, those requests look like they are generated by malware. But, they are not a concern or threat to the server they’re making requests of. There’s not much OP can do about them, and there’s nothing OP needs to do about them.

If OP doesn’t use local DNS, disabling BIND makes sense…and will obviously make these log entries stop. The requests will continue, but there will be nobody listening. But, they are not harmful to the server or indicative of anything going wrong. Any DNS server will get requests that it refuses to answer (assuming it is properly configured to reject illicit requests). Just like every other server on the world-facing internet will get weird looking requests.

It doesn’t make sense to panic every time you see a log entry showing a denied request, because you’re going to get hundreds or thousands of those every day, when all services are considered.
