Lots of DNS requests for "." in the log file.

HotBurek ::

Good morning.

Today I noticed a lot (more than in previous weeks) of requests to the DNS server for the "." record.

I don't know what they're trying; either they're looking for the root servers, or they're checking whether recursion works. I don't have it enabled.

Just FYI, in case anyone else runs a DNS server and has seen something similar.

01-Apr-2021 21:27:36.059 queries: info: client 35.141.59.247#13177 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:36.060 queries: info: client 35.141.59.247#13177 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:36.060 queries: info: client 35.141.59.247#13177 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:36.060 queries: info: client 35.141.59.247#13177 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:36.060 queries: info: client 35.141.59.247#13177 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:39.602 queries: info: client 173.31.249.214#52899 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:39.603 queries: info: client 173.31.249.214#52899 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:39.603 queries: info: client 173.31.249.214#52899 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:39.603 queries: info: client 173.31.249.214#52899 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:39.603 queries: info: client 173.31.249.214#52899 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:43.716 queries: info: client 87.155.3.81#22575 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:43.716 queries: info: client 87.155.3.81#22575 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:43.716 queries: info: client 87.155.3.81#22575 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:43.716 queries: info: client 87.155.3.81#22575 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:43.716 queries: info: client 87.155.3.81#22575 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:45.713 queries: info: client 95.216.234.245#23061 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:45.713 queries: info: client 95.216.234.245#23061 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:47.565 queries: info: client 47.36.111.131#42744 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:47.565 queries: info: client 47.36.111.131#42744 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:47.565 queries: info: client 47.36.111.131#42744 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:47.565 queries: info: client 47.36.111.131#42744 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:47.565 queries: info: client 47.36.111.131#42744 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:52.748 queries: info: client 95.216.234.245#13641 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:52.748 queries: info: client 95.216.234.245#13641 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:52.748 queries: info: client 95.216.234.245#13641 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:52.748 queries: info: client 95.216.234.245#13641 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.639 queries: info: client 176.25.198.125#35904 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.640 queries: info: client 176.25.198.125#35904 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.640 queries: info: client 176.25.198.125#35904 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.640 queries: info: client 176.25.198.125#35904 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.640 queries: info: client 176.25.198.125#35904 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.650 queries: info: client 176.25.198.125#20726 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.650 queries: info: client 176.25.198.125#20726 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.650 queries: info: client 176.25.198.125#20726 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.650 queries: info: client 176.25.198.125#20726 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.650 queries: info: client 176.25.198.125#20726 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.988 queries: info: client 176.25.198.125#43822 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.988 queries: info: client 176.25.198.125#43822 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.988 queries: info: client 176.25.198.125#43822 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.988 queries: info: client 176.25.198.125#43822 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:54.988 queries: info: client 176.25.198.125#43822 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:56.618 queries: info: client 193.110.40.32#35366 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:56.618 queries: info: client 193.110.40.32#35366 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:56.618 queries: info: client 193.110.40.32#35366 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:56.618 queries: info: client 193.110.40.32#35366 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:02.532 queries: info: client 87.155.3.81#34852 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:02.532 queries: info: client 87.155.3.81#34852 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:02.532 queries: info: client 87.155.3.81#34852 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:02.532 queries: info: client 87.155.3.81#34852 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:02.532 queries: info: client 87.155.3.81#34852 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:03.869 queries: info: client 24.151.19.49#26179 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:03.869 queries: info: client 24.151.19.49#26179 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:03.869 queries: info: client 24.151.19.49#26179 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:03.869 queries: info: client 24.151.19.49#26179 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:28:03.869 queries: info: client 24.151.19.49#26179 (.): query: . IN ANY +E(0) (BIND9 server)
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
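As an added example (not from the post), a small Python parser for the BIND 9 query-log format shown above. It tallies "."/ANY questions per client and flags source ports that repeat the identical question, which is what the bursts of several identical lines per port within a millisecond in the log look like. The sample lines are constructed in the post's format (two client addresses reused from it; 192.0.2.10 is a documentation address added for contrast), and every function name here is this example's own.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample in the format of the BIND 9 query-log lines from the post.
SAMPLE_LOG = """\
01-Apr-2021 21:27:36.059 queries: info: client 35.141.59.247#13177 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:36.060 queries: info: client 35.141.59.247#13177 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:36.060 queries: info: client 35.141.59.247#13177 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:39.602 queries: info: client 173.31.249.214#52899 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:39.603 queries: info: client 173.31.249.214#52899 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:41.100 queries: info: client 192.0.2.10#40001 (www.example.net): query: www.example.net IN A +E(0) (BIND9 server)
01-Apr-2021 21:27:45.713 queries: info: client 95.216.234.245#23061 (.): query: . IN ANY +E(0) (BIND9 server)
01-Apr-2021 21:27:52.748 queries: info: client 95.216.234.245#13641 (.): query: . IN ANY +E(0) (BIND9 server)
"""


class QueryEvent(NamedTuple):
    timestamp: str
    client_ip: str
    client_port: int
    qname: str
    qclass: str
    qtype: str
    flags: str


# BIND 9 "queries" category line. Newer releases insert "@0x..." (a client
# pointer) after "client"; the optional group tolerates both forms.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line: str) -> Optional[QueryEvent]:
    """Return a QueryEvent for a query-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return QueryEvent(m["ts"], m["ip"], int(m["port"]),
                      m["qname"], m["qclass"], m["qtype"], m["flags"])


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def is_root_any(ev: QueryEvent) -> bool:
    # The pattern from the post: question name "." (the root) with QTYPE ANY.
    return ev.qname == "." and ev.qtype == "ANY"


def root_any_by_client(events) -> Counter:
    return Counter(ev.client_ip for ev in events if is_root_any(ev))


def repeated_sources(events, min_repeats: int = 2) -> set:
    """(ip, port) pairs that sent the identical question more than once.
    A real resolver retries from a fresh port; identical questions from one
    source port in quick succession are what the post's log shows."""
    c = Counter((ev.client_ip, ev.client_port, ev.qname, ev.qtype) for ev in events)
    return {(ip, port) for (ip, port, _, _), n in c.items() if n >= min_repeats}


def summarize(text: str) -> dict:
    events = parse_log(text)
    return {
        "total": len(events),
        "root_any": sum(1 for ev in events if is_root_any(ev)),
        "by_client": dict(root_any_by_client(events)),
        "repeated": sorted(repeated_sources(events)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run against a real query.log the same way (`summarize(open(path).read())`); the regular query for www.example.net is parsed but never counted, so only the "."/ANY traffic and its repeating source ports surface in the summary.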

HotBurek ::

Here's a technical solution too, for nftables.

# Drop requests to DNS for "." domain
#meta l4proto {udp} @th,160,8 0x00 counter log prefix "nftables.log input dns" drop;
meta l4proto {udp} @th,160,8 0x00 drop;


base,offset,length

@th is the (in the example above, UDP) transport header
160 is how many bits from the start of the (UDP) header it starts reading at
8 is the length of the bits read

0x surely denotes something, maybe that it's bytes, hex... I don't know that at the moment
00 is the value for the "." domain (this can be checked e.g. with Wireshark)

The next step would be to explicitly allow those domains I want, and nicely drop the rest.

Search string: nftables RAW PAYLOAD EXPRESSION

Related source: https://serverfault.com/questions/99896...

SeMiNeSanja ::

If you're going to do this, surely you won't bother with a 0x00 at some position in the request?

You allow the legitimate domains and then drop EVERYTHING else, without analysing at which position which character sits.
This message is (or may be) an advertisement
- even if at first glance it is not recognizable as such.
(Now go on and accuse me of covert advertising, if you can!)

HotBurek ::

That's what I did too.

In BIND I allow only the hosted domains; everything else doesn't go through (recursion requested but not available).

But BIND logs all of that to a file.

So that a request for "." doesn't even reach BIND, I added a rule on the firewall (nftables) that drops such a request. Then it doesn't reach BIND, nor the log file.

nftables does allow writing to a log file (I put that in the comment), but I don't have it enabled.


It's interesting, though: if I stop the nftables service, it only takes a few seconds and they're hammering away with those "." requests again. I don't know where this came from and why they've gone after this server so hard.

pegasus ::

The lines in the log bother you, so you add a firewall rule? Is this an April Fools' joke? :D

c3p0 ::

They scan everything under the sun; these days they eventually find SSH on a high port too.

There's no need to log all BIND requests.

SeMiNeSanja ::

c3p0 said:

They scan everything under the sun; these days they eventually find SSH on a high port too.

There's no need to log all BIND requests.

True, lately some Censys has been really annoying with its scanning. Every so often I catch it poking at my SFTP port.

Otherwise I really don't see the point of logging every single DNS query. I only log the queries that in some way broke the "rules of the game".

It's a different story if something doesn't work as it should and you turn on 'debug mode' to gather as much information as possible to make troubleshooting easier.

True, disks are cheap these days, and storing every single detail is no problem.
But you have to be aware that such a mountain of data then makes finding the relevant data harder. Every search will take longer because a substantially bigger pile of data has to be churned through. If that data is irrelevant, searching is slowed down for no reason at all.

xandros ::

>I don't see the point
ATT&CKing with DNS

>such a mountain of data then makes finding harder
ELK, Splunk, Loki/grafana,.....

HotBurek ::

The lines in the log bother you, so you add a firewall rule?

Exactly. From yesterday to today the log file shrank 100x. And all that "." garbage is no longer in it.

And then a mission was born: have the firewall drop such requests, because it's some kind of "attack" or exploitation attempt.

I only log the queries that in some way broke the "rules of the game".

I can't remember for sure, but I think I already looked for this and didn't find a solution for that kind of logging. For BIND.

Current config:
logging {
        channel querylog {
                file "/var/log/bind/query.log";
                severity info;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        category queries {
                querylog;
        };
}


And here's the corrected nftables rule, which also takes the destination IP into account (35=53, hex=dec):
# Drop requests to DNS for "." domain on port 53
meta l4proto udp @th,160,8 0x00 @th,16,16 0x0035 drop;
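Added example, not the poster's code: a Python model of what the two nftables raw payload selectors in this thread actually read, covering both the first rule (@th,160,8 0x00) and the refined one that adds @th,16,16 0x0035. 160 bits into the transport header is byte 20, i.e. the 8-byte UDP header plus the 12-byte DNS header, so the selector reads the first byte of the question name; the root name "." is encoded on the wire as a single 0x00 byte (the 0x prefix is just hexadecimal notation). @th,16,16 is the 16-bit field at bit 16 of the UDP header, the destination port, and 0x0035 is 53. The model also shows why that port check matters: the first rule alone matches any UDP datagram with a zero at byte 20, whatever its port. All function names (th_field, refined_rule_matches, ...) and the sample packets are this example's own; the DNS and UDP layouts follow RFC 1035 and RFC 768.

```python
import struct
from typing import Optional

UDP_HEADER_LEN = 8    # src port, dst port, length, checksum (2 bytes each)
DNS_HEADER_LEN = 12   # id, flags, qdcount, ancount, nscount, arcount (RFC 1035 4.1.1)
QCLASS_IN = 1
QTYPE_A = 1
QTYPE_ANY = 255


def encode_qname(name: str) -> bytes:
    """RFC 1035 wire form: each label prefixed by its length, terminated by 0x00.
    The root name "." has no labels, so it is the single byte 0x00 that the
    post's rule keys on."""
    labels = [lbl for lbl in name.strip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_dns_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    # flags 0x0100 = standard query with RD set; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_udp_datagram(payload: bytes, sport: int, dport: int) -> bytes:
    # checksum 0 means "not computed", which UDP over IPv4 permits
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


def th_field(datagram: bytes, offset_bits: int, length_bits: int) -> Optional[int]:
    """Model of nftables '@th,offset,length': read length_bits starting offset_bits
    into the transport header (UDP header included). Returns None when the
    datagram is too short, so a rule simply does not match, as in nftables.
    Only byte-aligned fields are modelled, which covers both selectors in the post."""
    if offset_bits % 8 or length_bits % 8:
        raise ValueError("only byte-aligned fields are modelled")
    start, end = offset_bits // 8, (offset_bits + length_bits) // 8
    if end > len(datagram):
        return None
    return int.from_bytes(datagram[start:end], "big")


def original_rule_matches(datagram: bytes) -> bool:
    """First rule from the post: meta l4proto udp @th,160,8 0x00 drop.
    Bit 160 = byte 20 = UDP_HEADER_LEN + DNS_HEADER_LEN: first byte of QNAME."""
    return th_field(datagram, 160, 8) == 0x00


def refined_rule_matches(datagram: bytes) -> bool:
    """Refined rule: additionally requires @th,16,16 (the UDP destination port)
    to equal 0x0035 = 53, so only traffic aimed at the DNS port is affected."""
    return th_field(datagram, 16, 16) == 0x0035 and original_rule_matches(datagram)


def classify(datagram: bytes) -> str:
    if refined_rule_matches(datagram):
        return "drop (root query to port 53)"
    if original_rule_matches(datagram):
        return "dropped by the first rule only (not aimed at port 53)"
    return "pass"


if __name__ == "__main__":
    # Constructed sample datagrams: the "." ANY query from the thread, an ordinary
    # A query, and an unrelated UDP datagram that happens to carry a zero at byte 20.
    samples = {
        ". ANY -> 53": build_udp_datagram(build_dns_query(".", QTYPE_ANY), 13177, 53),
        "www.example.net A -> 53": build_udp_datagram(build_dns_query("www.example.net", QTYPE_A), 40001, 53),
        "zeros -> 1234": build_udp_datagram(bytes(24), 5000, 1234),
    }
    for label, dg in samples.items():
        print(f"{label}: byte 20 = 0x{th_field(dg, 160, 8):02x}, "
              f"dport = {th_field(dg, 16, 16)} -> {classify(dg)}")
```

The third sample is the caveat: a UDP datagram to some other port whose 21st byte is zero is dropped by the first rule, since the selector knows nothing about DNS, only offsets; the refined rule leaves it alone. Conversely, a query for "." over TCP is untouched by either, because of the `meta l4proto udp` match.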
