• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue multiple named errors in var/log/messages

C

ChrisScottUK

New Pleskian
I am getting lots of these entries in /var/log/messages:

named[5906]: client 137.74.157.204#44396 (ntp.ubuntu.com): query (cache) 'ntp.ubuntu.com/A/IN' denied
named[5906]: client 137.74.157.204#44396 (ntp.ubuntu.com): query (cache) 'ntp.ubuntu.com/AAAA/IN' denied

I'm getting them every second.

What do they mean?
 
Hi ChrisScottUK,

Who is an owner of a server with IP-address 137.74.157.204? You?
The same question about "ntp.ubuntu.com", who is an owner of this domain? You? (I think "no")

If you an owner of the server with the IP-address, check recursive permission in named.conf.
If you are not an owner of the server with the IP-address, just ignore this messages. Somebody tries to use your server as public DNS, queries were denied, it is ok.
 
Hello,

I have the same issue through all my plesk servers, if you check the /var/log/syslog:

Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#23704: query (cache) 'ns23.domain.Org/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#21767: query (cache) 'NS16.domain.ORg/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#29179: query (cache) 'nS1.domain.oRG/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#15794: query (cache) 'Ns7.domain.Org/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#40371: query (cache) 'Ns31.domain.OrG/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#52712: query (cache) 'nS31.domain.orG/AAAA/IN' denied
Apr 11 10:34:02 dv2 named[2648]: client 194.132.32.23#51004: query (cache) 'NS7.domain.Org/AAAA/IN' denied

So, if I see the file /etc/named.conf in Plesk:

// $Id: named.conf,v 1.1.1.1 2001/10/15 07:44:36 kap Exp $


// -- THE FOLLOWING LINES WERE GENERATED BY PLESK. IF YOU MODIFY THEM, THEY WILL BE OVERWRITTEN WHEN THESE SETTINGS ARE MANAGED IN PLESK UI. --

options {

allow-recursion {

localnets;

};
(...)

Questions: Why allow recursion to localnets? It is possible to change this? It is safe for the server to change this? How can I change this permanently?

Thank you
 
Hi AYamshanov,

Thanks a lot for your answer. I changed from localnets to localhost in some servers but I still receive petitions form those servers in another servers:

Apr 12 11:37:20 dv32 named[3978]: client 77.75.74.82#54844 (ns31.domain.org): query (cache) 'ns31.domain.org/AAAA/IN' denied
Apr 12 11:37:49 dv32 named[3978]: client 45.63.65.147#34395 (ns31.domain.org): query (cache) 'ns31.domain.org/AAAA/IN' denied
Apr 12 11:38:29 dv32 named[3978]: client 66.220.151.252#58489 (ns31.domain.org): query (cache) 'ns31.domain.org/AAAA/IN' denied
Apr 12 11:38:30 dv32 named[3978]: client 66.220.151.252#38302 (ns31.domain.org): query (cache) 'ns31.domain.org/AAAA/IN' denied

I don't know if I have to wait for the changes or if someone have a clue about this...
 
AYamshanov said:
If you are not an owner of the server with the IP-address, just ignore this messages. Somebody tries to use your server as public DNS, queries were denied, it is ok.
Click to expand...

If I understood correctly, you are not an owner of the servers with IP-addresses 77.75.74.82, 45.63.65.147, 66.220.151.252 and so on; all query requests were denied and it is ok. Just ignore these messages.
 
Hello,

Yest, I am not the owner of that IPs or servers but there are thousands of queries that are denied but I don't know how to stop that...
 
This appears to be a DDoS attack via DNS. Look at the different capitalization of the ".org" in the requests. This is not a normal DNS request behavior. These requests do not make sense and are likely sent on purpose to create a flood of requests to take the server down.
 
Dear Peter,

Thanks for your replay. Can I stop the queries with plesk firewall or something like that? My servers only use google DNS but there is so many strange queries...

Also it is strange why a server receive so many queries from other servers...
 
Mixed-case DNS queries are in fact common, they are using a new DNS security mechanism, "0x20 Bit encoding":
draft-vixie-dnsext-dns0x20-00 - Use of Bit 0x20 in DNS Labels to Improve Transaction Identity
Use of Mixed Case DNS Queries - SANS Internet Storm Center

So it simply looks like somebody is trying to do recursive queries on your DNS server and your server informs you, that it has denied those queries. So in my opinion it's nothing to worry about. We see those kind of queries on all our DNS servers.
 
Thank you very much for your replay. As there are thousand of queries I was worried because there is traffic consumed...
 
DNS traffic has quite a low volume. Most DNS queries are smaller than 512 bytes and BIND is able to handle thousands of queries per second without causing issues with your CPU resources. So a couple of denied queries will usually not have any impact on your server's performance.
 
You must log in or register to reply here.

Similar threads

S
Issue bind9 - Accepting TCP connection failed: invalid file
Replies
0
Views
355
SeBoOne
S
tethis IT
Resolved Loads of messages "named[...]: network unreachable resolving '...': 2001:7fe::53#53"
Replies
2
Views
7K
Alban Staehli
A
C
Issue New Configuration not created
Replies
3
Views
371
Peter Debik
P
C
Issue DKIM and SPF do not align with RFC5322. Then DMARC result is fail.
Replies
2
Views
745
cmartinez127
C
M
Question Log Browser - lot of client [ip]#53 "sl": query (cache) 'sl/ANY/IN' denied
Replies
14
Views
2K
LevelupMedia
L
Back
Top