A server is generating over 600GB of traffic per month on a UDP port (whereas the HTTP port carries less than 1GB), so I ran a tcpdump command and found a lot (over about 10 per second) of rapid DNS-related commands/traffic like this:
12:34:29.829750 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.829834 IP6 fe80::b9a5:34dd:a661:c8b2.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
12:34:29.829974 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.830523 IP localhost.localdomain.33178 > nscache2.leaseweb.net.domain: 41458+ PTR? 2.b.8.c.1.6.6.a.d.d.4.3.5.a.9.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
12:34:29.831602 IP nscache2.leaseweb.net.domain > localhost.localdomain.33178: 41458 NXDomain* 0/1/0 (125)
12:34:29.831624 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.833134 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS tinnie.arin.net., NS sec1.apnic.net., NS ns3.nic.fr., NS sec3.apnic.net., NS sns-pb.isc.org., NS pri.authdns.ripe.net. (3560)
12:34:29.833834 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postgirl.ripe.net. 200, MX postlady.ripe.net. 250, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS ns3.nic.fr., NS sec3.apnic.net., NS pri.authdns.ripe.net., NS tinnie.arin.net., NS sns-pb.isc.org., NS sec1.apnic.net. (3560)
12:34:29.834160 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS pri.authdns.ripe.net., NS ns3.nic.fr., NS sec1.apnic.net., NS tinnie.arin.net., NS sns-pb.isc.org., NS sec3.apnic.net. (3560)
12:34:29.836179 IP 145.97.20.167.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.836879 IP localhost.localdomain.domain > 145.97.20.167.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postgirl.ripe.net. 200, MX postlady.ripe.net. 250, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS tinnie.arin.net., NS pri.authdns.ripe.net., NS sec3.apnic.net., NS sec1.apnic.net., NS sns-pb.isc.org., NS ns3.nic.fr. (3560)
12:34:29.839662 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.839932 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.840673 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.840868 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS sec1.apnic.net., NS pri.authdns.ripe.net., NS sec3.apnic.net., NS sns-pb.isc.org., NS ns3.nic.fr., NS tinnie.arin.net. (3560)
12:34:29.840929 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.844602 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.845102 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postgirl.ripe.net. 200, MX postlady.ripe.net. 250, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS sns-pb.isc.org., NS sec3.apnic.net., NS sec1.apnic.net., NS ns3.nic.fr., NS pri.authdns.ripe.net., NS tinnie.arin.net. (3560)
12:34:29.845343 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS sec1.apnic.net., NS pri.authdns.ripe.net., NS ns3.nic.fr., NS sns-pb.isc.org., NS sec3.apnic.net., NS tinnie.arin.net. (3560)
12:34:29.845549 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postgirl.ripe.net. 200, MX postlady.ripe.net. 250, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS sec3.apnic.net., NS ns3.nic.fr., NS pri.authdns.ripe.net., NS sec1.apnic.net., NS tinnie.arin.net., NS sns-pb.isc.org. (3560)
12:34:29.845804 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, RRSIG, MX postlady.ripe.net. 250, MX postgirl.ripe.net. 200, RRSIG, RRSIG, AAAA 2001:67c:2e8:22::c100:68b, RRSIG, A 193.0.6.139, RRSIG, SOA, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, DS, DS, NS ns3.nic.fr., NS sec1.apnic.net., NS tinnie.arin.net., NS sec3.apnic.net., NS sns-pb.isc.org., NS pri.authdns.ripe.net. (3560)
- I don't recognise domains like avo.net.domain/postgirl/postlady; I only recognise "leaseweb.net", since Leaseweb is my hosting provider.
- The server IP is 82.192.75.xxx (in case it shows above).
I host over 200 domains, but I suspect some external users/servers are querying or attacking the DNS service, which is causing all this UDP traffic.
I think I have misconfigured named.conf, with wrong query or recursion values. The purpose of this server is to host about 200 domains; it is not a dedicated DNS server and it is not linked to other external servers or services.
What should I change in this named.conf? Should I replace "any" with "localhosts" or "localnets"? Thanks.
BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.1
options {
    // listen-on port 53 { 127.0.0.1; };
    listen-on port 53 { any; };
    // listen-on-v6 port 53 { ::1; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // allow-query { localhost; };
    allow-query {
        any;
    };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// some includes here that contain zones like this:
zone "coilover.info" IN {
    type master;
    file "/var/named/named_include/coilover.info";
    allow-update { none; };
};
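The capture and the options block above, run through an added triage script (not part of the original question or answer): it pairs each query to the server with the reply, measures how much larger the reply is than the query, and records whether the reply carried the authoritative-answer bit, then checks the options block for the open-resolver combination. The sample lines and the config excerpt are constructed copies of what the question shows; `client.example` and `coilover.info`'s A record are assumed values.

```python
import re

# Constructed sample modelled on the capture in the question (not the full capture).
CAPTURE = """\
12:34:29.829750 IP avo.net.domain > localhost.localdomain.domain: 952+ [1au] ANY? ripe.net. (38)
12:34:29.833134 IP localhost.localdomain.domain > avo.net.domain: 952$ 26/7/13 RRSIG, NSEC, MX postlady.ripe.net. 250 (3560)
12:34:30.100000 IP client.example.33178 > localhost.localdomain.domain: 41458+ A? coilover.info. (31)
12:34:30.101000 IP localhost.localdomain.domain > client.example.33178: 41458* 1/0/0 A 192.0.2.10 (47)
"""
# Constructed excerpt of the options block in the question.
NAMED_CONF = """\
options {
    // allow-query { localhost; };
    allow-query { any; };
    recursion yes;
};
"""
SELF = "localhost.localdomain.domain"  # this server's port 53, as tcpdump names it
# time IP[6] src > dst: txid<flags> body (size).  tcpdump flags: + RD, * AA, $ AD
LINE = re.compile(r"^\S+ IP6? (\S+) > (\S+): (\d+)([+*$%|-]*) (.*) \((\d+)\)$")

def triage(capture, self_addr=SELF):
    """Pair each query sent to this server with its reply and describe the reply."""
    pending, findings = {}, []
    for m in filter(None, map(LINE.match, capture.splitlines())):
        src, dst, txid, flags, body, size = m.groups()
        if dst == self_addr and "?" in body:               # query addressed to us
            qtype, qname = re.search(r"(\w+)\? (\S+)", body).groups()
            pending[(src, txid)] = (qtype, qname, int(size))
        elif src == self_addr and (dst, txid) in pending:  # our reply to it
            qtype, qname, qsize = pending.pop((dst, txid))
            findings.append({"client": dst, "qtype": qtype, "qname": qname,
                             "amplification": round(int(size) / qsize, 1),
                             "authoritative": "*" in flags})  # no AA bit: we recursed
    return findings

def amplification_candidates(findings, min_factor=10.0):
    """Replies we recursed for that dwarf their query: what a reflector abuser wants."""
    return [f for f in findings
            if not f["authoritative"] and f["amplification"] >= min_factor]

def config_is_open_resolver(named_conf):
    """Recursion on and nothing restricting who may query or recurse.
    Simplification: searches the comment-stripped text, not the nesting."""
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", named_conf, flags=re.S)
    recursion_on = re.search(r"\brecursion\s+yes\s*;", text)
    any_query = re.search(r"\ballow-query\s*\{\s*any\s*;\s*\}", text)
    restricted = re.search(r"\ballow-recursion\s*\{", text)
    return bool(recursion_on and any_query and not restricted)
```

On the question's own lines the replies to the `ANY? ripe.net.` queries carry `$` but no `*`, so the server is not authoritative for ripe.net and resolved it recursively for outside addresses, turning each 38-byte query into a 3560-byte reply. Applying the answer's change (recursion off, or allow-query limited to localhost) makes `config_is_open_resolver` return False.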
Answer 1
Why are you running a DNS server? I don't see you actually serving any authoritative zones in your configuration.
If you are serving authoritative zones, the change to make is
recursion yes;
to
recursion no;
If you are not serving any zones from this DNS server, turn it off and use the DNS servers your hosting provider offers, or a public DNS server.
If you really want to run your own recursive DNS server, use allow-query
to restrict where it accepts queries from. Uncommenting allow-query { localhost; }
and removing the wide-open option you have now would be a good start.