• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

DNS - higi.com - Attacks on my DNS Server with random IP Addresses

Scheduled Pinned Locked Moved Firewalling
12 Posts 3 Posters 1.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    johnpoz LAYER 8 Global Moderator @carrzkiss
    last edited by johnpoz Mar 7, 2023, 11:40 AM Mar 7, 2023, 11:19 AM

    @carrzkiss Dude while ok if you want to run your authoritative NS on your network for your domain ok sure.. I wouldn't ever do it in a million years.. But you do you - but what do you think is going to happen when you run recursive dns open to the public??

    If your going to run dns for your domain(s) fine - but it shouldn't resolve anything else.. I just hit your IP asking for google - and got response..

    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A
    
    ;; ANSWER SECTION:
    www.google.com.         300     IN      A       108.177.122.105
    www.google.com.         300     IN      A       108.177.122.104
    www.google.com.         300     IN      A       108.177.122.106
    www.google.com.         300     IN      A       108.177.122.147
    www.google.com.         300     IN      A       108.177.122.103
    www.google.com.         300     IN      A       108.177.122.99
    
    ;; Query time: 82 msec
    

    Your dns should only answer for the domains its authoritative for...

    edit: I see your using buddydns.com as your secondary NS for your domain.. They are not recursive, if I ask them for google.com they refuse, which is how you run an authoritative NS

    ; <<>> DiG 9.16.36 <<>> @b.ns.buddyns.com www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57839
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A
    

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

    C 1 Reply Last reply Mar 7, 2023, 1:53 PM Reply Quote 4
    • C
      carrzkiss @johnpoz
      last edited by Mar 7, 2023, 1:53 PM

      @johnpoz Thanks.

      To be honest, I thought I had DNS Recursive disabled. I might have tested the DNS Server a while back and got sidetracked and forgot to change it.
      I have now disabled it again and will monitor it.

      I have been running my own DNS for years without issues I am aware of until now.

      Thank you both for your information and insight.
      Wayne

      G J 2 Replies Last reply Mar 7, 2023, 4:02 PM Reply Quote 0
      • G
        Gertjan @carrzkiss
        last edited by Mar 7, 2023, 4:02 PM

        @carrzkiss said in DNS - higi.com - Attacks on my DNS Server with random IP Addresses:

        without issues I am aware of

        Been there - seen that.
        And I still don't see what I ... do not see.

        I just double checked my own config (it's a bind domain master), and found :

        options { 
        ......
        	allow-query { any; };
        	recursion yes;
        .....
        };
        

        So I went OMG mode. I was 'no' in the past. But things change.
        But then, I recalled that that is actually the advised option these days with

        	allow-recursion { 127.0.0.1; ::1; };
        

        for good manners.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator @carrzkiss
          last edited by Mar 7, 2023, 11:00 PM

          @carrzkiss why would you be running a 1 second TTL? That is just insane! Even for your NS records??

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          C 1 Reply Last reply Mar 8, 2023, 5:26 AM Reply Quote 0
          • C
            carrzkiss @johnpoz
            last edited by Mar 8, 2023, 5:26 AM

            @johnpoz
            I followed the information from a video on how to do the SSL from LetsEncrypt, and they set it for that.
            I set it for 1 second for testing and forgot to set it back. Has been at 1 second for a week.

            All my TTLs are 1 hour and have been since I started doing this in 2000. And has just been set back.
            The cool thing about others checking out your work is they, as long as they know what they are looking for or looking at, will catch what you might have missed or, in my case, forgotten.

            Thanks.

            G J 2 Replies Last reply Mar 8, 2023, 6:48 AM Reply Quote 0
            • G
              Gertjan @carrzkiss
              last edited by Mar 8, 2023, 6:48 AM

              @carrzkiss

              Here, an automated 'other' for you https://www.zonemaster.net/
              Your mission :

              f8e7fdff-f6a4-4177-b4d0-a0c8f7fac7dc-image.png

              After every change you make to a zone file for a domain, use this or another DNS checker.

              And when you think you're done : go for a zero fault with this one : https://dnsviz.net/

              @carrzkiss said in DNS - higi.com - Attacks on my DNS Server with random IP Addresses:

              I set it for 1 second for testing

              See https://github.com/acmesh-official/acme.sh/blob/799e402077f7430895c98d445e0d61cdec16b64a/dnsapi/dns_nsupdate.sh#L31 which is 60 seconds, and still qualifies 'insane', but that zone record added by acme.sh will only exist during verification, as it is deleted afterwards.
              The (probably) real goal is : the slave(s) have to sync the added record before verification by LE can take place. Some slaves sync up = XFER right after they receive the notification from the master. Other take 'ages' to do so'. That's why the acme.sh 'dnssleep' is needed.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator @carrzkiss
                last edited by johnpoz Mar 8, 2023, 9:47 AM Mar 8, 2023, 9:30 AM

                @carrzkiss said in DNS - higi.com - Attacks on my DNS Server with random IP Addresses:

                All my TTLs are 1 hour and have been since

                Still showing your NS as 1 second

                not.jpg

                As well as the A record for just your domain.

                Your NS records should be much higher than 1 hour anyway.. A records ok, but the NS there is no reason for them to only be an hour.

                I would do a full double check - also showing other issues.. Wrong IP in parent for your NS, etc.

                bad.jpg

                I just asked all the buddydns ns you have listed, and none of them answered for your domain. They all gave me REFUSED..

                I only show 1 of your entries for your buddy NS actually matching, and he doesn't answer for your domain

                match.jpg

                The (probably) real goal is

                Agreed, I use a sleep of 180 seconds and have no issues with using acme with cloudflare as the NS for my domains I use ACME with..

                Changing the ttl to one second, what you going to change to this every time your acme updates?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                C 1 Reply Last reply Mar 10, 2023, 11:28 PM Reply Quote 0
                • C
                  carrzkiss @johnpoz
                  last edited by Mar 10, 2023, 11:28 PM

                  @johnpoz @Gertjan
                  Thanks a lot, guys.
                  OK, so it seems that one of the domains was 3 days past due on Renewal (It just took over an hour to get it renewed because Domain.com's site is messed up, so I had to wait in chat for over an hour to chat with someone and get the domain renewed.
                  Time to find a new Domain Reservoir to go to, as domain.com has had way too many issues over the last year.)

                  BuddyNS
                  When I was working on PFSense and setting it up, the sites were unreachable for several days, so BuddyNS removed them.
                  Only one of my sites stayed, but not sure why.
                  All sites are now listed back with BuddyNS.

                  I have to wait until later tonight or tomorrow for zonemaster.com to pick up on the updated information, as it is still picking up on the domain.com's crap.

                  Once again. I would like to thank both of you for being there and helping with stuff I might have completely overlooked.
                  And in this case, the BuddyNS would have been overlooked altogether.

                  J 2 Replies Last reply Mar 11, 2023, 1:15 AM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @carrzkiss
                    last edited by johnpoz Mar 11, 2023, 1:25 AM Mar 11, 2023, 1:15 AM

                    @carrzkiss Don't get me wrong this sort of stuff can be invaluable in learning how to run dns and the inner workings.. But they are also examples why I would never do it..

                    I come from the age before there were world wide anycast networks with pops all over the world that will host your dns, either for "free" or for less money then it cost to power your server most likely ;) I would be hard pressed to find a reason why I would host my own public facing dns on my own infrastructure today.. Maybe you run the hidden master on your network..

                    Let the big dogs maintain all the details to be honest.. There are plenty to choose from.. Let them handle the possible dos attacks, the amplification attacks, etc.

                    They offer very advanced features of dns with a click, dnssec for example - you pretty much flip a toggle and your domain is now dnssec, etc. They have api's for some really advanced stuff, failover for services that if go down the dns will point elsewhere automagically, etc..

                    If your site is production, and needs to be up - why let something like dns bring down your site, etc. And you actually pay for it - you prob have a SLA that would be almost impossible to maintain without crazy time and effort and money putting in the requirements to maintain say even 3 or 4 9s, etc.

                    I am more than happy to help in anyway I can run your own - but I personally wouldn't do it. I don't even run my personal dns anymore for play sites.. Where I have a few users.. I did back in the early days of dnssec as a learning curve on what you had to do - the drawback then was actually finding a registrar for your domain that actually supported it, even though some time ago it became a requirement to be an accredited registrar - and still you see some that support for it is PITA to use, or just borked anyway.. And even then I didn't run it on my own connection, I ran it on some low level vpses that cost peanuts to have, I still maintain a couple of them for just test boxes for other things, just not dns any more.

                    It can be a great learning tool for sure - like some of the problems your having.. But in the big picture if actually a production something - I wouldn't do it..

                    Now local dns that is a different fish to fry, and that is where you can get all your fun with running your own dns ;) When all the headaches of public facing is no longer your concern - it works, is up and is global.. And you can just worry about your service.. Depending on what that is - that could/should more than likely be hosted by one of the big dogs as well.. Global CDNs don't down very often - and when they do, its normally not just your site ;) hehehe

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    1 Reply Last reply Reply Quote 0
                    • J
                      johnpoz LAYER 8 Global Moderator @carrzkiss
                      last edited by johnpoz Mar 11, 2023, 10:49 AM Mar 11, 2023, 10:42 AM

                      @carrzkiss still at 1 ms TTL..

                      And your SOA expire is set below the recommended level at only 604800, rfc1912 recommends 2 weeks as the min value.

                      Your TTL in your SOA is set to 1 hour, 3600 but you prob have 1 second set on your actual records.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      1 Reply Last reply Reply Quote 0
                      12 out of 12
                      • First post
                        12/12
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                        This community forum collects and processes your personal information.
                        consent.not_received