Following is a short excerpt of a log showing what I believe is unauthorized use of my DNS:

Jul 20 18:26:07 Athelon named[21283]: client 148.160.29.10#34769: query: sanitaetshaus-haeusner.de IN A +
Jul 20 18:29:16 Athelon named[21283]: client 148.160.29.6#33079: query: btu-online.de IN NS +
Jul 20 18:29:19 Athelon named[21283]: client 148.160.29.10#34769: query: nabu-krefeld-viersen.de IN A +
Jul 20 18:32:27 Athelon named[21283]: client 148.160.29.6#33079: query: suburbia.de IN NS +
Jul 20 18:32:30 Athelon named[21283]: client 148.160.29.10#34769: query: schwarzwaldmuseum.de IN A +
Jul 20 18:35:38 Athelon named[21283]: client 148.160.29.6#33079: query: laus-miller.de IN NS +
Jul 20 18:35:42 Athelon named[21283]: client 148.160.29.10#34769: query: more-db.de IN A +
Jul 20 18:36:48 Athelon named[21283]: client 65.110.190.249#11111: query: ircchat.terra.cl IN A -

I do not have any reason for these addresses to be querying my DNS except possibly as part of an attempt by them to breach security, if not on my system, then to bypass security on their own network, using my system to provide them probing or other access they otherwise wouldn't have. If they were asking for information about *my* systems, for instance about mail or www, that would be legitimate querying of my server from any external site, but for those same sites to request information that requires that I query overseas is very suspicious.

My question is how can I limit what external sites can query, i.e., *I* or my network machines may need to look up any of those same queries (though I can't see why at the moment), but external sites have no business doing so. External sites *may* have legitimate reasons to look up certain public addresses like mail or www or similar information, so I can't just shut off port 53 to outsiders. I remember once upon a time reading about this problem and a solution, but now, for the life of me, I can't find it. Any ideas?
Thanks,
Richard
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Hi, Richard Creighton wrote:
My question is how can I limit what external sites can query, i.e., *I* or my network machines may need to look up any of those same queries (though I can't see why at the moment), but external sites have no business doing so. External sites *may* have legitimate reasons to look up certain public addresses like mail or www or similar information, so I can't just shut off port 53 to outsiders. I remember once upon a time reading about this problem and a solution, but now, for the life of me, I can't find it. Any ideas?
Access to use your DNS server for recursive queries is controlled in your named.conf in section options. Especially, I have for example:

allow-query { ::1/128; 127.0.0.1; localnets; };
recursion yes;

Which means that only localhost and "localnets" are allowed to use your DNS server to resolve any FQDN. Access to your own local zones is granted in the respective zone section, where you may want to define:

allow-query { any; };

if your hosts should be reachable externally.

Wolfgang
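As an added example (not posted by anyone in this thread), the script below applies the policy in the reply above to the query-log lines from the original post: a client in "localnets" may ask for anything, anyone may ask for names in the server's own zones (zone-level allow-query { any; }), and everything else is what the options-level allow-query would refuse. The trailing "+" or "-" that named logs after each query is the client's RD (recursion desired) bit, so it tells you whether the client actually asked the server to recurse. The localnets prefix 192.168.1.0/24, the zone example.org and the last two log lines are assumptions made for the example; the first three lines are taken from the original post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log: three lines from the original post plus two assumed
# lines (a LAN client, and an external client asking for one of "our" zones)
# so that every verdict below is exercised.
SAMPLE_LOG = """\
Jul 20 18:26:07 Athelon named[21283]: client 148.160.29.10#34769: query: sanitaetshaus-haeusner.de IN A +
Jul 20 18:29:16 Athelon named[21283]: client 148.160.29.6#33079: query: btu-online.de IN NS +
Jul 20 18:36:48 Athelon named[21283]: client 65.110.190.249#11111: query: ircchat.terra.cl IN A -
Jul 20 18:40:00 Athelon named[21283]: client 192.168.1.20#5353: query: btu-online.de IN A +
Jul 20 18:41:00 Athelon named[21283]: client 203.0.113.7#40000: query: www.example.org IN A +
"""

# Assumed policy, mirroring the named.conf layout from the reply above:
#   options { allow-query { ::1/128; 127.0.0.1; localnets; }; recursion yes; };
#   zone "example.org" { ...; allow-query { any; }; };
# "localnets" is assumed to be 192.168.1.0/24; example.org is a placeholder zone.
TRUSTED = [ip_network("127.0.0.0/8"), ip_network("::1/128"), ip_network("192.168.1.0/24")]
AUTHORITATIVE_ZONES = ["example.org"]

# BIND query-log shape: "client <ip>#<port>: query: <name> <class> <type> <flags>"
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query(line):
    """Parse one query-log line; return a dict, or None if the line is not a query."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ip_address(rec["ip"])
    rec["qname"] = rec["qname"].rstrip(".").lower()
    # named logs "+" when the client set the RD bit (it wants us to recurse), "-" otherwise.
    rec["rd"] = rec["flags"].startswith("+")
    return rec


def is_trusted(ip):
    # ip_network.__contains__ returns False for a mismatched IP version, so mixing v4/v6 is safe.
    return any(ip in net for net in TRUSTED)


def in_authoritative_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def classify(rec):
    """Say what the named.conf above would do with this query, and why."""
    if in_authoritative_zone(rec["qname"]):
        return "authoritative"       # zone-level allow-query { any; } applies to everyone
    if is_trusted(rec["ip"]):
        return "trusted-recursive"   # localnets may use the cache and recursion
    return "external-refused"        # options-level allow-query denies: the traffic in the post


def audit(log_text):
    """Classify every query line; returns [(client, qname, rd, verdict), ...]."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_query(line)
        if rec:
            rows.append((str(rec["ip"]), rec["qname"], rec["rd"], classify(rec)))
    return rows


def suspicious_clients(log_text):
    """Distinct external addresses that asked for names this server is not authoritative for."""
    return sorted({client for client, _q, _rd, verdict in audit(log_text) if verdict == "external-refused"})


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row)
    print("would be refused:", suspicious_clients(SAMPLE_LOG))
```

Run it against a real query log (named must be logging the "queries" category for these lines to exist at all) and anything reported as external-refused is traffic the configuration above will turn into REFUSED answers instead of lookups on the client's behalf. Newer BIND 9 releases also offer the dedicated allow-recursion and allow-query-cache directives for the same purpose; setting allow-query in options as in the reply still restricts who may use the cache, with the zone-level allow-query { any; } re-opening only the authoritative data.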
Wolfgang Rosenauer wrote: <snip>
Access to use your DNS server for recursive queries is controlled in your named.conf in section options.
Especially I have for example: allow-query { ::1/128; 127.0.0.1; localnets; }; recursion yes;
Which means that only localhost and "localnets" are allowed to use your DNS server to resolve any fqdn.
Access to your own local zones is granted in the respective zone section where you may want to define: allow-query { any; }; if your hosts should be reachable externally.
Wolfgang
Thank you Wolfgang... now another stupid question for you, if you don't mind too much please. I can't see where in the YaST program this can be done... other than perhaps in the sysconfig editor, but if in there, where? If not, I'll head out into 'vi' land, but I hate modifying the config files by hand because SUSE seems to come along later and change them again, occasionally overwriting changes I've made manually. So I tread in this area carefully when this possibility exists, and I know YaST does diddle with the DNS configuration files... so....

Richard
Richard Creighton wrote:
Wolfgang Rosenauer wrote: <snip>
Thank you Wolfgang... now another stupid question for you, if you don't mind too much please. I can't see where in the YaST program this can be done... other than perhaps in the sysconfig editor, but if in there, where? If not, I'll head out into 'vi' land, but I hate modifying the config files by hand because SUSE seems to come along later and change them again, occasionally overwriting changes I've made manually. So I tread in this area carefully when this possibility exists, and I know YaST does diddle with the DNS configuration files... so....
Richard
Well, you are doing better than I am :-) YaST does not even report on my configured zones, but I suspect this is because I am using a view-based setup. But I do not use YaST for administering either my DNS (or samba) configuration anyway, so it is not a major issue for me. As far as I can work out there is no setting for this in YaST. If you are looking for a GUI, webmin might be worth looking at; it does include a DNS management module.

However, if you have a wireless network I would make certain that the intrusion was external in origin and that your wireless security has not been compromised in some way. Just because the query apparently comes from an external address does not in itself mean that the connection is external.

-- 
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
G T Smith wrote: <snip>
If you are looking for a GUI webmin might be worth looking at, it does include a DNS management module.
I'll look into that. I wanted to keep SUSE 'virgin' where possible, because it helps when upgrading between versions. Ancillary support programs sometimes stop working due to library version/directory structure changes, etc., and until the ancillary programs get upgraded, sometimes you lose your tools unless you can roll your own, in case your tool's author no longer supports it.
However, if you have a wireless network I would make certain that the intrusion was external in origin and that your wireless security has not been compromised in some way. Just because the query apparently comes from an external address does not in itself mean that the connection is external.
In this case, no wireless. I have been fighting ssh worms (found a good solution for that one, thankfully) and, while looking through the logs, found the DNS entries which prompted my questions; when I couldn't locate either the answer or the method on my own, I turned to opensuse-users, where there is a wealth of knowledge and experience.

Thanks
Richard
Richard Creighton wrote:
G T Smith wrote: <snip>
If you are looking for a GUI webmin might be worth looking at, it does include a DNS management module.
I'll look into that. I wanted to keep SUSE 'virgin' where possible, because it helps when upgrading between versions. Ancillary support programs sometimes stop working due to library version/directory structure changes, etc., and until the ancillary programs get upgraded, sometimes you lose your tools unless you can roll your own, in case your tool's author no longer supports it.
Webmin is very good in that regard; I've been using it for more than 10 years, and it has worked on Solaris, AIX, and various flavors of Linux without a hitch. It also understands zones. YaST can modify some files, e.g. /etc/named.conf.include, but the trick is to cooperate with it, and I've never seen YaST change a zone file or named.conf.

Joe
Richard Creighton wrote:
Thank you Wolfgang... now another stupid question for you, if you don't mind too much please. I can't see where in the YaST program this can be done... other than perhaps in the sysconfig editor, but if in there, where? If not, I'll head out into 'vi' land, but I hate modifying the config files by hand because SUSE seems to come along later and change them again, occasionally overwriting changes I've made manually. So I tread in this area carefully when this possibility exists, and I know YaST does diddle with the DNS configuration files... so....
Which SUSE flavour/version do you use? I don't know for sure if YaST2 on 10.2 is able to do it, but I think so. I haven't used yast2-dns-server on 10.2 yet, and maybe you have to add new options yourself if there is no preconfigured setting. I also think that YaST shouldn't overwrite your manual settings, and I would consider it a bug if it does. I've just tested on SLES9 and the YaST module provides everything needed there.

Wolfgang
Wolfgang Rosenauer wrote:
Richard Creighton wrote: <snip>
Which SUSE flavour/version do you use? I don't know for sure if YaST2 on 10.2 is able to do it, but I think so. I haven't used yast2-dns-server on 10.2 yet, and maybe you have to add new options yourself if there is no preconfigured setting.
I also think that YaST shouldn't overwrite your manual settings and I would consider it a bug if it does.
I've just tested on SLES9 and the YaST module provides everything needed there.
Wolfgang
I use 10.2 and 10.3a5 (I would use 10.3a6, but it destroyed my machine so I had to reinstall completely (GRUB error)). I have never seen the part about forwarding just to my own network... I'll look again, because I'm probably blind :)

Thanks
Richard