Problem with DNS Resolution after blocking datacenter IPs

SYSTEM INFORMATION
OS type and version: Redhat 9.4
Virtualmin version: 7.20.2

Hi guys/girls,

So I was getting a very high number of requests to Apache, which led it to always reach its MaxWorkers setting, which in turn kept crashing it and bringing all the websites down. I couldn’t figure out which domain was the culprit (well, I found a few - judging by the sizes of their access logs and last modified time), but the IPs were just too many to go through the logs.

I tried implementing a few rules with iptables in hopes to block the heavy traffic:

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 3/s -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 3/s -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -m length --length 0 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 443 -m length --length 0 -j DROP

but Apache still kept crashing, so I decided on the ultimate measure of blocking all datacenter IPs.

However, this leads to a new problem, which I am unable to track down.

Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Aug 25 04:11:57 host named[449335]: running
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2801:1b8:10::b#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2801:1b8:10::b#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:7fe::53#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
Aug 25 04:11:57 host named[449335]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
Aug 25 04:11:57 host named[449335]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Aug 25 04:11:57 host named[449335]: resolver priming query complete
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2801:1b8:10::b#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Aug 26 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Aug 26 04:08:17 host named[449335]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Aug 26 04:11:57 host named[449335]: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL'
Aug 26 04:11:57 host named[449335]: network unreachable resolving '_ta-4f66/NULL/IN': 2001:500:1::53#53
Aug 26 04:11:57 host named[449335]: network unreachable resolving '_ta-4f66/NULL/IN': 2001:500:9f::42#53
Aug 26 04:11:57 host named[449335]: network unreachable resolving '_ta-4f66/NULL/IN': 2001:500:2d::d#53
Aug 26 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 26 04:11:57 host named[449335]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2801:1b8:10::b#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Aug 27 04:08:17 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
Aug 27 04:08:17 host named[449335]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Aug 27 04:11:57 host named[449335]: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL'
Aug 27 04:11:57 host named[449335]: network unreachable resolving '_ta-4f66/NULL/IN': 2001:7fe::53#53
Aug 27 04:11:57 host named[449335]: network unreachable resolving '_ta-4f66/NULL/IN': 2001:7fd::1#53
Aug 27 04:11:57 host named[449335]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Aug 27 04:11:57 host named[449335]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Aug 27 04:15:17 host systemd[1]: systemd-hostnamed.service: Deactivated successfully.

The above is a log from: “cat /var/log/messages | grep named” .

BIND is unable to connect to some IPv6 servers and is throwing errors. HOWEVER, the server itself doesn’t have IPv6 and if I remove the datacenter blocks, it will not print these messages.

The other issue connected to this is that I am unable to access any of the domains hosted on the server from my home network - if I connect through VPN or mobile internet, however, it works just fine. Also from this network, I can connect to the server by its IP. I checked my IP range, it isn’t in the blocklist. 89.106.XX.XX

GitHub - jhassine/server-ip-addresses: Daily updated list of IP addresses / CIDR blocks used by data centers, cloud service providers, servers, etc. - this is the blocklist I am using.
I have all the CIDRs blocked with "ip route add blackhole <subnet>".

A dummy site on the server is: https://camerite.eu . IntoDNS.com also reports no faults and nslookup +trace fails on my network. I can’t pinpoint the reason why this could be failing on my network and working on the mobile network.

I am using 8.8.8.8 and 8.8.4.4 as DNS servers. All other internet works fine.
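As an added illustration (not code from this thread, from Virtualmin, or from the jhassine list), here is the pre-flight check a practitioner would run before blackholing a datacenter blocklist on a host that also serves DNS: it parses the CIDR file, reports which addresses the host still depends on (upstream resolvers, the root servers, your own client address) fall inside a blocked prefix, and renders the blackhole routes while skipping those prefixes. The blocklist below is a constructed sample built from documentation ranges; MUST_REACH mixes the IPv6 root-server addresses that appear in the BIND log above with a constructed resolver address and a placeholder for the home IP.

```python
"""Audit a CIDR blocklist against the addresses a host must keep reaching."""
import ipaddress

# Constructed sample blocklist (documentation ranges only, not the real list).
SAMPLE_BLOCKLIST = """
# comments and blank lines are ignored
192.0.2.0/24
198.51.100.0/22
203.0.113.64/26
2001:db8:1::/48
"""

# Addresses the server must still be able to talk to after the routes go in.
# The root-server addresses are the ones named in the BIND log; the resolver
# and home addresses are constructed placeholders.
MUST_REACH = {
    "upstream resolver (constructed)": "192.0.2.53",
    "home client (placeholder)": "203.0.113.100",
    "root server (log)": "2001:500:2::c",
    "root server (log)": "2001:7fe::53",
}


def parse_blocklist(text):
    """Parse one CIDR per line; tolerate comments, blanks and host bits set."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def covering_network(addr, nets):
    """Return the most specific network in nets containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def audit(blocklist_text, required):
    """Map each label in required to the blocked prefix that would cut it off."""
    nets = parse_blocklist(blocklist_text)
    return {label: covering_network(ip, nets) for label, ip in required.items()}


def blackhole_commands(blocklist_text, exclude=()):
    """Render `ip route add blackhole` lines, dropping any prefix that contains
    an address in exclude and collapsing overlapping prefixes per family."""
    excluded = [ipaddress.ip_address(e) for e in exclude]
    keep = [
        n for n in parse_blocklist(blocklist_text)
        if not any(e.version == n.version and e in n for e in excluded)
    ]
    v4 = ipaddress.collapse_addresses(n for n in keep if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in keep if n.version == 6)
    return [f"ip route add blackhole {n}" for n in list(v4) + list(v6)]


if __name__ == "__main__":
    for label, net in audit(SAMPLE_BLOCKLIST, MUST_REACH).items():
        status = f"BLOCKED by {net}" if net else "reachable"
        print(f"{label:32} {status}")
    print("\n".join(blackhole_commands(SAMPLE_BLOCKLIST, exclude=MUST_REACH.values())))
```

Run it against the real list by replacing SAMPLE_BLOCKLIST with the file contents; any "BLOCKED" line names a prefix that would silence your resolver, the root servers, or the client you are testing from, which is exactly the symptom a blanket datacenter blackhole produces when the list happens to include the network your upstream DNS lives in.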

Only post one issue at a time, split the issues into separate posts.

The issue is the same. I just explained all the investigation I did.

Sounds like your home IP is being blocked by fail2ban - just check the IP hasn’t been jailed.

home networks - notorious + problematic

Sorry I forgot to mention an important detail - I can access the server through its IP, so only DNS traffic is not working from my home network with blackhole applied.