Query (cache) denied

Hi,

I have a domain that is currently dormant and deactivated in webmin. I may need the domain in the future but at the moment I’m not using it.

When I look at my /var/log/messages I can see several of these messages:

web named[629]: client 173.194.89.50#49242: query (cache) ‘domain.com/MX/IN’ denied
web named[629]: client 173.194.89.50#47332: query (cache) ‘domain.com/MX/IN’ denied
web named[629]: client 173.194.89.51#33477: query (cache) ‘domain.com/MX/IN’ denied
web named[629]: client 173.194.89.50#42694: query (cache) ‘domain.com/MX/IN’ denied
web named[629]: client 173.194.89.52#63749: query (cache) ‘domain.com/MX/IN’ denied
web named[629]: client 173.194.89.51#48398: query (cache) ‘domain.com/MX/IN’ denied
web named[629]: client 74.125.73.67#44260: query (cache) ‘domain.com/AAAA/IN’ denied
web named[629]: client 74.125.73.78#40701: query (cache) ‘domain.com/A/IN’ denied
web named[629]: client 74.125.181.31#54484: query (cache) ‘domain.com/AAAA/IN’ denied
web named[629]: client 74.125.47.130#44043: query (cache) ‘domain.com/A/IN’ denied
web named[629]: client 74.125.47.139#34030: query (cache) ‘domain.com/A/IN’ denied
web named[629]: client 74.125.73.71#64377: query (cache) ‘domain.com/AAAA/IN’ denied
web named[629]: client 74.125.181.1#46507: query (cache) ‘domain.com/AAAA/IN’ denied
web named[629]: client 74.125.47.136#52038: query (cache) ‘domain.com/A/IN’ denied
web named[629]: client 74.125.47.142#63897: query (cache) ‘domain.com/A/IN’ denied
web named[629]: client 74.125.181.194#35587: query (cache) ‘domain.com/AAAA/IN’ denied
web named[629]: client 74.125.73.66#54147: query (cache) ‘domain.com/AAAA/IN’ denied
web named[629]: client 74.125.181.193#39397: query (cache) ‘domain.com/A/IN’ denied

Looking at the ip addresses some of them are from Google, so I’m sure they’re trying to reach my site which is of course unreachable.
What’s the best way to stop these requests?

Can something be done server side?
I would prefer this if possible.

Or do I need to tell my domain registrar to point the DNS somewhere else, and if so where?

Thank you.

Hi, has anyne had time to look at this?

Thanks

This is all from recursive queries. To be sure this is from recursive queries do next - open your named.conf and insert “allow-recursion { any; };” so it should look something like this:

options {

—a lot of stuff—

allow-recursion { any; };
};
After that restart named and see if you stop getting those messages. If the answer is yes then delete the line with “allow-recursion { any; };” and add in named.conf (in case you already have some of the lines there change it as i posted here):

acl “trusted” {
localhost;
localnets;
};

options {

—a lot of stuff—

version "unknown";
allow-transfer { trusted; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
recursion no;
additional-from-cache no;
allow-query { any; };

};

In case this solution doesnt work DO NOT! leave “allow-recursion { any; }” in your named.conf or the damage could be great and your server can be used to amplify DDoS attacks. But dont worry to have it for a short time until you check your logs it should be fine.

Of course once you implement the changes keep an eye to your logs to see if there will be any problems. Dont forget for the changes to take effect you must restart named each time you make some changes.

PLEASE BEFORE ANYTHING SAVE YOUR NAMED.CONF ON YOUR LOCAL PC!!!

For anyone else looking, I solved this by:

(1) for my unused site, changing the DNS settings with the domain registrar to point it to their servers.

(2) for the DNS DDOS attacks, I turned off recursion in BIND and then activated the DNS fail2ban jails, as described here:

http://talk.plesk.com/threads/dns-recurcion-problem-or-attack.312799/