# BIND 9 logging error



## afesnet (Nov 23, 2014)

I need assistance in determining cause for log entries/BIND responses that don't make sense. I'm running BIND 9.8.7 on FreeBSD 8.4. Here is the pertinent part of named.conf:  (no recursion)

```
acl "trusted" {
        xxx.xxx.xxx.xxx/xx;
        (various other networks considered local)
       localhost;
        localnets;
};
options {
        directory "/etc/namedb";
        allow-query { any; };
        allow-recursion { trusted; };
```

Appears, the below log entry, repeated many, many times, various IPs, many repeated, ALL are null routed.


```
/var/log/messages:Nov 23 10:33:06 auth named[7025]: client 195.138.80.56#44324: error sending response: network unreachable  (repeated many times)
```


```
Host# netstat -n -r | grep "195.138"
195.138.64.0/19    127.0.0.1          URS         0      439    lo0
```
I have thousands of null routes (network rejects) blocking most of Eastern Europe, Russia and Asia as spam and intrusion protection.

Question is: how do I determine the source of the query to named that elicits a response by named to a null address? We know the query didn't come from the address in question, recursion is off, tested properly, and the `netstat` result shows the `ifconfig` is also proper.


```
host# ping 195.138.80.56
PING 195.138.80.56 (195.138.80.56): 56 data bytes
ping: sendto: Network is unreachable
```

I suspect a client's system is compromised and the query is originating from withing the local network(s) which are in the ACL trusted, but why and how the response to a foreign IP known for abuse?


----------



## SirDice (Nov 24, 2014)

Set your allow-query to trusted too. There's a lot of DNS DDoS amplification going on. You also want to limit allow-query-cache. No point in trying to block them with a firewall as the queries have all been spoofed.

http://labs.opendns.com/2014/03/17/dns-amplification-attacks/

To keep an eye on things you could enable query logging. That should keep you in the loop. Look for weird requests like <random characters>.somepoor.sods.tld.


----------

