# How to protect BIND query from resolving outside network?



## Kamolpat (Jan 28, 2015)

Hi,

I use FreeBSD 8.2 to do small hosting and I provide NS on my server too. I'm just of intermediate skill in BIND configuration. My settings in /etc/named.conf are as follows:

```
options {
   directory  "/etc/namedb/working";
   pid-file  "/var/run/named/pid";
   dump-file  "/var/dump/named_dump.db";
   statistics-file "/var/stats/named.stats";
   version "mytext";
   allow-recursion {"localnets";};
   listen-on {
   202.xxx.xxx.xxx;
   202.xxx.xxx.xxx;
   202.xxx.xxx.xxx;
   202.xxx.xxx.xxx;
   };
   // no more config for options after this
};
zone "." { type hint; file "/etc/namedb/named.root"; };
zone "localhost"  { type master; file "/etc/namedb/master/localhost-forwar
zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-revers
zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// ....
// .... as in the FreeBSD manual online
// .... then ....
zone "mydomain.com" {
  type master;
  file "/etc/namedb/mydomain.com";
  allow-transfer {202.xxx.xxx.xxx;};
};
```

Following is /var/log/messages. For the lines I've highlighted (the "success resolving" ones), how can they succeed in resolving the other hostnames? Should I reconfigure anything in named.conf?
Thanks in advance.

```
Jan 29 01:44:06 ns1 named[60215]: host unreachable resolving '29.49.103.176.in-addr.arpa/PTR/IN': 2001:dd8:6::101#53
Jan 29 01:44:06 ns1 named[60215]: host unreachable resolving '29.49.103.176.in-addr.arpa/PTR/IN': 2001:43f8:110::10#53
Jan 29 01:44:06 ns1 named[60215]: host unreachable resolving '29.49.103.176.in-addr.arpa/PTR/IN': 2001:67c:e0::1#53
Jan 29 01:44:06 ns1 qpopper[60355]: info@VANFOOD.COM at 194.63.142.101 (194.63.142.101): -ERR [AUTH] Password supplied for "info@VANFOOD.COM" is incorrect.
Jan 29 01:44:08 ns1 sm-mta[60368]: t0SIi8Gd060368: [176.103.49.29] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jan 29 01:44:18 ns1 qpopper[60404]: (v4.1.0) Servicing request from "rrcs-97-79-190-242.sw.biz.rr.com" at 97.79.190.242
Jan 29 01:44:28 ns1 sshd[60406]: User root from 203.184.128.106 not allowed because not listed in AllowUsers
Jan 29 01:44:29 ns1 qpopper[60404]: results_staffing@vanfoods.com at rrcs-97-79-190-242.sw.biz.rr.com (97.79.190.242): -ERR [AUTH] Password supplied for "results_staffing@vanfoods.com" is incorrect.
Jan 29 01:44:29 ns1 sshd[60405]: User root from 203.184.128.106 not allowed because not listed in AllowUsers
Jan 29 01:44:35 ns1 named[60215]: client 167.89.125.230#51518: query (cache) 'primagold.co.th/MX/IN' denied
Jan 29 01:44:37 ns1 named[60215]: client 167.89.125.251#15247: query (cache) 'mail.primagold.co.th/A/IN' denied
Jan 29 01:44:48 ns1 named[60215]: client 202.170.120.174#51515: query (cache) 'intel.com/NS/IN' denied
Jan 29 01:44:48 ns1 named[60215]: client 202.170.120.174#51515: query (cache) 'ebay.com/NS/IN' denied
Jan 29 01:44:48 ns1 named[60215]: client 202.170.120.174#51515: query (cache) 'motorola.com/NS/IN' denied
Jan 29 01:45:00 ns1 /usr/sbin/cron[60410]: (root) CMD (/usr/libexec/atrun)
Jan 29 01:45:38 ns1 named[60215]: host unreachable resolving 'ns.hbwhptt.net.cn/A/IN': 2001:dc7:1000::1#53
Jan 29 01:45:40 ns1 named[60215]: success resolving 'ns.hbwhptt.net.cn/A' (in 'hbwhptt.net.cn'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jan 29 01:45:41 ns1 named[60215]: success resolving 'ns.hbwhptt.net.cn/AAAA' (in 'hbwhptt.net.cn'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jan 29 01:45:42 ns1 named[60215]: success resolving '32.206.51.58.in-addr.arpa/PTR' (in '51.58.in-addr.arpa'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jan 29 01:45:42 ns1 sm-mta[60412]: t0SIjgSc060412: ruleset=check_mail, arg1=<xjqruiz@zozqakz.com>, relay=[58.51.206.32], reject=553 5.1.8 <xjqruiz@zozqakz.com>... Domain of sender address xjqruiz@zozqakz.com does not exist
Jan 29 01:45:42 ns1 sm-mta[60412]: t0SIjgSc060412: from=<xjqruiz@zozqakz.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=[58.51.206.32]
Jan 29 01:46:18 ns1 qpopper[60414]: (v4.1.0) Servicing request from "rrcs-97-79-190-242.sw.biz.rr.com" at 97.79.190.242
Jan 29 01:46:29 ns1 qpopper[60414]: results_staffing@vanfoods.com at rrcs-97-79-190-242.sw.biz.rr.com (97.79.190.242): -ERR [AUTH] Password supplied for "results_staffing@vanfoods.com" is incorrect.
Jan 29 01:46:33 ns1 named[60215]: client 203.146.237.51#11643: query (cache) 'primagold.co.th/MX/IN' denied
```


----------



## gkontos (Jan 28, 2015)

a) You need to define `localnets`: `allow-recursion {"localnets";};`
b) You should upgrade to 8.4. The risk of running bind with multiple vulnerabilities is way too high.
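One way to carry out (a) with an explicit ACL, as an added example that is not the poster's configuration or anything from the thread: the builtin `localnets` ACL matches only the networks directly attached to the server's own interfaces, so naming the permitted networks yourself makes the recursion policy visible and reviewable. The `trusted` ACL name and all addresses are placeholders (RFC 5737 documentation ranges); `allow-query-cache` is set explicitly rather than left to BIND's default so that cache reads and recursion are governed by the same list.

```named
// Added example, not the poster's configuration. It spells out which networks
// may use this server as a recursive resolver instead of relying on the builtin
// "localnets" ACL. Addresses are RFC 5737 documentation placeholders.
acl "trusted" {
    127.0.0.0/8;
    ::1;
    192.0.2.0/24;          // placeholder: a network allowed to recurse through us
};

options {
    directory "/etc/namedb/working";
    recursion yes;

    // Before (as posted): recursion limited to "localnets" only.
    //   allow-recursion { "localnets"; };

    // After: recursion and cache reads are limited to the same explicit set.
    // Everyone else can still ask about the zones this server is authoritative
    // for, but gets REFUSED for anything that would need recursion or the cache,
    // which removes the server's value as a reflection/amplification source.
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    allow-query       { any; };
};

zone "mydomain.com" {
    type master;
    file "/etc/namedb/mydomain.com";
    allow-transfer { 192.0.2.53; };   // placeholder: the secondary's address only
};
```

After `rndc reload`, verify from a host outside `trusted`: `dig @<server address> example.com A` (a name this server is not authoritative for) should return `status: REFUSED` and the header should lack the `ra` flag, while `dig @<server address> mydomain.com SOA` should still return `NOERROR`.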


----------



## SirDice (Jan 29, 2015)

FreeBSD 8.2 is End-of-Life since July 2012. For your safety and everyone else's please upgrade to a supported version _before_ you put this out on the internet.

I also urge you to read up on DNS amplification attacks as it looks like your server is vulnerable and currently being used as an amplifier in DDoS attacks to others.

https://www.us-cert.gov/ncas/alerts/TA13-088A

You should also look into installing security/py-fail2ban to combat the brute-force attacks on SSH and mail.
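To tell from the server's own log whether outside hosts are actually obtaining recursive answers, as opposed to named resolving names for the box's own mail and POP daemons, it helps to separate the two kinds of line: `client X#port: query (cache) ... denied` records an outside address being refused, while `success resolving` / `host unreachable resolving` lines carry no client address at all because they are named's own lookups against other nameservers on behalf of a client that was allowed to recurse. The script below is an added example, not from the thread; it runs over constructed sample lines in the same format as the /var/log/messages excerpt above, using RFC 5737 documentation addresses.

```sh
#!/bin/sh
# Added example (not from the thread): split BIND's /var/log/messages lines into
# (a) outside clients that were refused cache/recursive service and
# (b) named's own resolver-side lookups, which carry no "client" field because
#     they are this server talking to other nameservers on behalf of a client
#     that *was* allowed to recurse (here, daemons on the box itself).
# Sample input is constructed, using RFC 5737 documentation addresses.

sample_log() {
cat <<'EOF'
Jan 29 01:44:35 ns1 named[60215]: client 203.0.113.9#51518: query (cache) 'example.com/MX/IN' denied
Jan 29 01:44:37 ns1 named[60215]: client 203.0.113.9#15247: query (cache) 'mail.example.com/A/IN' denied
Jan 29 01:44:48 ns1 named[60215]: client 198.51.100.7#51515: query (cache) 'example.net/NS/IN' denied
Jan 29 01:45:00 ns1 /usr/sbin/cron[60410]: (root) CMD (/usr/libexec/atrun)
Jan 29 01:45:38 ns1 named[60215]: host unreachable resolving 'ns.example.org/A/IN': 2001:db8::1#53
Jan 29 01:45:40 ns1 named[60215]: success resolving 'ns.example.org/A' (in 'example.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jan 29 01:45:42 ns1 named[60215]: success resolving '5.2.0.192.in-addr.arpa/PTR' (in '0.192.in-addr.arpa'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jan 29 01:45:42 ns1 sm-mta[60412]: t0SIjgSc060412: from=<nobody@example.invalid>, relay=[192.0.2.5]
EOF
}

# "count client" for every outside address refused cache service, busiest first.
# A high count from one address is the usual sign of a reflection attempt
# bouncing off this server; REFUSED answers are small, so denial is the
# outcome you want to see here.
denied_by_client() {
    sed -n 's/.*named\[[0-9]*\]: client \([^#]*\)#[0-9]*: query (cache) .* denied$/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Address with the most refusals.
top_denied_client() {
    denied_by_client | awk 'NR == 1 { print $2 }'
}

# Count resolver-side lines (named's own upstream lookups). No client address
# appears here, so these are not evidence that an outsider obtained recursion.
resolver_side_lines() {
    grep -Ec 'named\[[0-9]+\]: (success|host unreachable) resolving'
}

report() {
    echo "Refused cache queries by client:"
    sample_log | denied_by_client
    echo "Resolver-side lines (named talking to other nameservers): $(sample_log | resolver_side_lines)"
}
report
```

Run it against the real file with `denied_by_client < /var/log/messages` to get the per-client tally. In the thread's own excerpt the resolver-side PTR lookup for `32.206.51.58.in-addr.arpa` lines up with the `sm-mta` line two seconds later showing `relay=[58.51.206.32]`, which is the sort of correlation these counts are meant to prompt: the lookup was triggered by sendmail on the server itself, not by an outside client being granted recursion.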


----------

