ช่วงนี้มี Query DNS แปลกๆ หรือเปล่าครับ ไม่ทราบว่าผิดปกติหรือเปล่าครับ

มันมาเยอะมาก จริงๆ มีหลาย IP แต่มาแนวนี้เยอะเลยครับ คือมัน Query . เฉยๆ DNS ของเราก็แสนซื่อ ตอบเขากลับไปทุกอันเลยว่า ไปถามที่ root server เอานะ

ไม่รู้ว่ามันผิดปกติหรือเปล่า แต่ bind Process ขึ้นสูง ไม่ทราบว่าจะพอมีวิธีอย่างไรบ้างไม่ให้ Bind ต้องตอบกลับพวกโดเมนที่ไม่ได้อยู่ใน Server เราครับ

0:05:52.869294 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869322 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869328 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869333 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869338 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869342 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869346 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869351 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869355 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869361 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869365 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869369 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869374 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869378 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869382 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869386 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869390 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869410 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869420 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869531 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869669 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869678 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869683 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869688 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.869773 IP 69.112.40.146.50358 > 122.155.7.53.53: 2047+ [1au] ANY? . (28)
10:05:52.870207 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net. (1026)
10:05:52.870240 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net. (1026)
10:05:52.870362 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net. (1026)
10:05:52.870736 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net. (1026)
10:05:52.870784 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net. (1026)
10:05:52.871243 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net. (1026)
10:05:52.871272 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net. (1026)
10:05:52.871300 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net. (1026)
10:05:52.871871 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net. (1026)
10:05:52.871916 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net. (1026)
10:05:52.871989 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net. (1026)
10:05:52.872457 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net. (1026)
10:05:52.872511 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net. (1026)
10:05:52.872810 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net. (1026)
10:05:52.873025 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net. (1026)
10:05:52.873113 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net. (1026)
10:05:52.873436 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net. (1026)
10:05:52.873583 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net. (1026)
10:05:52.873614 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net. (1026)
10:05:52.873956 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net. (1026)
10:05:52.874009 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net. (1026)
10:05:52.874154 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net. (1026)
10:05:52.874571 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net. (1026)
10:05:52.874657 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net. (1026)
10:05:52.874714 IP 122.155.7.53.53 > 69.112.40.146.50358: 2047 14/13/23 RRSIG, NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net. (1026)

ผมทำตามนี้นะครับ

http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/NISTSecuringDNS/NISTSecuringDNS.htm

ใช้ allow-recursion แล้วใส่แค่ localhost กับ ip เครื่องเราครับ (ใน named.conf ต้องเขียนรายการไว้ในวงเล็บปีกกา เช่น allow-recursion { localhost; localnets; };)

allow-recursion localnets;

ทำตามแล้วครับ ประเด็นไม่ได้อยู่ที่ตรงนั้นครับ ประเด็นคือทำอย่างไรเราจะไม่ตอบกลับ query นั้นเลย

หลังจากที่ทำแล้ว มันยังตอบกลับอยู่ ถ้าเป็นการปลอม IP ต้นทางมา Query เราก็ยังต้องตอบกลับไปยัง IP นั้น ซึ่งเท่ากับว่าเราเองเป็นผู้ไปโจมตีชาวบ้าน ทั้งที่ไม่ได้เป็นผู้ลงมือเอง

ตรงนี้ที่มัน Query มา
08:39:30.540653 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.540673 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.540799 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.540816 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.540852 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.540861 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.540889 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.540905 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.540910 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.541011 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.541023 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.541028 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.541033 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.541037 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.541042 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.541048 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)
08:39:30.541052 IP 159.253.131.54.10583 > 122.155.7.53.53: 27371+ [1au] ANY? . (28)

ตรงนี้ที่เราตอบกลับครับ (ตอบ Refused ขนาด 28 ไบต์เท่ากับ query ที่เข้ามา ต่างจากคำตอบ 1026 ไบต์ในตัวอย่างแรก)
08:39:30.541089 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541187 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541225 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541321 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541473 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541547 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541615 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541720 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541763 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541829 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541877 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541910 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541952 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.541982 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.542022 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.542098 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)
08:39:30.542146 IP 122.155.7.53.53 > 159.253.131.54.10583: 27371 Refused- 0/0/1 (28)