
Issue multiple named errors in var/log/messages

ChrisScottUK

New Pleskian
I am getting lots of these entries in /var/log/messages:

named[5906]: client 137.74.157.204#44396 (ntp.ubuntu.com): query (cache) 'ntp.ubuntu.com/A/IN' denied
named[5906]: client 137.74.157.204#44396 (ntp.ubuntu.com): query (cache) 'ntp.ubuntu.com/AAAA/IN' denied

I'm getting them every second.

What do they mean?
 
Hi ChrisScottUK,

Who is the owner of the server with IP address 137.74.157.204? You?
The same question about "ntp.ubuntu.com": who is the owner of this domain? You? (I think "no".)

If you are the owner of the server with that IP address, check the recursion permission in named.conf.
If you are not the owner of the server with that IP address, just ignore these messages. Somebody is trying to use your server as a public DNS, the queries were denied, it is ok.
 
Hello,

I have the same issue across all my Plesk servers; if you check /var/log/syslog:

Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#23704: query (cache) 'ns23.domain.Org/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#21767: query (cache) 'NS16.domain.ORg/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#29179: query (cache) 'nS1.domain.oRG/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#15794: query (cache) 'Ns7.domain.Org/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#40371: query (cache) 'Ns31.domain.OrG/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#52712: query (cache) 'nS31.domain.orG/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#51004: query (cache) 'NS7.domain.Org/AAAA/IN' denied

So, if I look at the file /etc/named.conf in Plesk:

// $Id: named.conf,v 1.1.1.1 2001/10/15 07:44:36 kap Exp $

// -- THE FOLLOWING LINES WERE GENERATED BY PLESK. IF YOU MODIFY THEM, THEY WILL BE OVERWRITTEN WHEN THESE SETTINGS ARE MANAGED IN PLESK UI. --

options {
    allow-recursion {
        localnets;
    };
(...)

Questions: Why allow recursion to localnets? Is it possible to change this? Is it safe for the server to change this? How can I change this permanently?

Thank you
 
Hi AYamshanov,

Thanks a lot for your answer. I changed from localnets to localhost on some servers, but I still receive requests from those servers on other servers:

Apr 12 11:37:20 dv32 named[3978]: client 77.75.74.82#54844 (ns31.domain.org): query (cache) 'ns31.domain.org/AAAA/IN' denied
Apr 12 11:37:49 dv32 named[3978]: client 45.63.65.147#34395 (ns31.domain.org): query (cache) 'ns31.domain.org/AAAA/IN' denied
Apr 12 11:38:29 dv32 named[3978]: client 66.220.151.252#58489 (ns31.domain.org): query (cache) 'ns31.domain.org/AAAA/IN' denied
Apr 12 11:38:30 dv32 named[3978]: client 66.220.151.252#38302 (ns31.domain.org): query (cache) 'ns31.domain.org/AAAA/IN' denied

I don't know if I have to wait for the changes or if someone has a clue about this...
 
If you are not the owner of the server with that IP address, just ignore these messages. Somebody is trying to use your server as a public DNS, the queries were denied, it is ok.

If I understood correctly, you are not the owner of the servers with IP addresses 77.75.74.82, 45.63.65.147, 66.220.151.252 and so on; all query requests were denied and it is ok. Just ignore these messages.
 
Hello,

Yes, I am not the owner of those IPs or servers, but there are thousands of queries that are denied and I don't know how to stop that...
 
This appears to be a DDoS attack via DNS. Look at the different capitalization of the ".org" in the requests. This is not normal DNS request behavior. These requests do not make sense and are likely sent on purpose to create a flood of requests to take the server down.
 
Dear Peter,

Thanks for your reply. Can I stop the queries with the Plesk firewall or something like that? My servers only use Google DNS, but there are so many strange queries...

Also, it is strange why a server receives so many queries from other servers...
 
Mixed-case DNS queries are in fact common; they are using a new DNS security mechanism, "0x20 bit encoding":
draft-vixie-dnsext-dns0x20-00 - Use of Bit 0x20 in DNS Labels to Improve Transaction Identity
Use of Mixed Case DNS Queries - SANS Internet Storm Center

So it simply looks like somebody is trying to do recursive queries on your DNS server, and your server informs you that it has denied those queries. So in my opinion it's nothing to worry about. We see those kinds of queries on all our DNS servers.
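To see how much of this noise a server actually receives, and from which clients, here is an added Python example that is not part of the thread and not code from Plesk or BIND. It parses the "query (cache) ... denied" lines of the kind quoted in the syslog excerpts above, tallies them per client IP and per case-folded name, and counts how many of the names show the 0x20 mixed-case pattern discussed in this post, so that a genuine flood from one source stands out from the normal background of denied recursion attempts. The sample log lines, IPs and names are constructed placeholders; the regex assumes the BIND message format seen in the thread, plus the optional "@0x..." client token that newer BIND releases print before the IP.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines modelled on the syslog excerpts quoted in the thread.
# The IPs (RFC 5737 documentation ranges) and names are placeholders, not real data.
SAMPLE_LOG = """\
Apr 11 10:34:02 dv2 named[2648]: client 192.0.2.23#23704: query (cache) 'ns23.example.Org/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 192.0.2.23#21767: query (cache) 'NS16.example.ORg/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 192.0.2.23#29179: query (cache) 'nS1.example.oRG/AAAA/IN' denied
Apr 12 11:37:20 dv32 named[3978]: client 198.51.100.82#54844 (ns31.example.org): query (cache) 'ns31.example.org/AAAA/IN' denied
Apr 12 11:37:49 dv32 named[3978]: client 203.0.113.147#34395 (ns31.example.org): query (cache) 'ns31.example.org/A/IN' denied
Apr 12 11:38:29 dv32 named[3978]: client 203.0.113.147#58489 (ns31.example.org): query (cache) 'ns31.example.org/AAAA/IN' denied
Apr 12 11:38:30 dv32 named[3978]: client 203.0.113.147#38302 (ns31.example.org): query (cache) 'ns31.example.org/AAAA/IN' denied
Apr 12 11:38:31 dv32 named[3978]: zone example.org/IN: loaded serial 2024041201
"""

# One BIND "query (cache) ... denied" line. The optional "@0x..." token covers
# newer BIND releases that print the client structure address before the IP;
# the optional "(name)" group covers the form seen in the later posts.
DENIED_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \((?P<hint>[^)]*)\))?: query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)


def is_mixed_case(name: str) -> bool:
    """True when a name carries both upper- and lower-case letters, which is
    the signature of 0x20 case randomisation by the querying resolver."""
    letters = [c for c in name if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)


def parse_denied(line: str) -> Optional[dict]:
    """Return the fields of a denied cache query, or None for any other log line."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    qname = m.group("qname")
    return {
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "qname": qname,
        # Case-fold so 0x20 variants of one name are counted together.
        "qname_norm": qname.lower().rstrip("."),
        "qtype": m.group("qtype"),
        "mixed_case": is_mixed_case(qname),
    }


def summarize(lines) -> dict:
    """Aggregate denied recursive queries per client IP and per case-folded name."""
    by_client = Counter()
    by_name = Counter()
    mixed = 0
    total = 0
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue  # not a denied-query line (e.g. zone load messages)
        total += 1
        by_client[rec["ip"]] += 1
        by_name[rec["qname_norm"]] += 1
        if rec["mixed_case"]:
            mixed += 1
    return {"total": total, "by_client": by_client, "by_name": by_name, "mixed_case": mixed}


def top_clients(summary: dict, n: int = 5):
    """The n client IPs with the most denied queries, busiest first."""
    return summary["by_client"].most_common(n)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/syslog") on a real server.
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"denied queries: {s['total']} (mixed-case names: {s['mixed_case']})")
    for ip, count in top_clients(s):
        print(f"  {ip:16} {count}")
    for name, count in s["by_name"].most_common():
        print(f"  {name:24} {count}")
```

Reading the per-client counts is the useful check here: a handful of denials spread over many resolvers is the ordinary background this post describes, while one client producing thousands of denials per minute is the only case where a firewall rule for that source would be worth considering.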
 
Thank you very much for your reply. As there are thousands of queries, I was worried because there is traffic consumed...
 
DNS traffic has quite a low volume. Most DNS queries are smaller than 512 bytes, and BIND is able to handle thousands of queries per second without causing issues with your CPU resources. So a couple of denied queries will usually not have any impact on your server's performance.
 