DNS amplification attacks and DNS cache poisoning "pizzaseo.com RRSIG IN denied"

Hi,
For several days I have had logs full of:

juil. 23 11:22:30 ucs named[9236]: client @0x7f64300d5b00 76.124.192.210#3453 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:30 ucs named[9236]: client @0x7f64300d5b00 50.91.3.71#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:32 ucs named[9236]: client @0x7f64300d5b00 50.91.3.71#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:38 ucs named[9236]: client @0x7f64300d5b00 24.71.26.126#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:43 ucs named[9236]: client @0x7f64300d5b00 69.249.50.99#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:43 ucs named[9236]: client @0x7f64300d5b00 71.251.154.137#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:43 ucs named[9236]: client @0x7f64300d5b00 24.71.26.126#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:44 ucs named[9236]: client @0x7f64300d5b00 71.251.154.137#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied

Here is the status of Bind9:

systemctl status bind9
● bind9.service - BIND Domain Name Server with samba4 backend
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/bind9.service.d
           └─10-configure-backend.conf
   Active: active (running) since Fri 2021-07-23 10:56:01 CEST; 7min ago
     Docs: man:named(8)
  Process: 9237 ExecStartPost=/usr/lib/univention-bind/samba4 wait-for-startup (code=exited, status=0/SUCCESS)
 Main PID: 9236 (named)
    Tasks: 7 (limit: 4915)
   Memory: 38.4M
   CGroup: /system.slice/bind9.service
           └─9236 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0

juil. 23 11:03:04 ucs named[9236]: client @0x7f64300d5b00 76.124.192.210#27330 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:03:07 ucs named[9236]: client @0x7f64300d5b00 69.249.50.99#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:03:09 ucs named[9236]: client @0x7f64300d5b00 70.143.122.32#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied

Is it possible to block this, perhaps by modifying RECURSIVE (caching)?

/etc/bind/named.conf.proxy:     allow-recursion { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
/etc/bind/named.conf.samba4:    allow-recursion { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };

Maybe my configuration is not right.

Hi,

Are you sure your UCS/bind9 is not directly attached to your public IP?

/KNEBB

Thank you for answering, but how can I check it?

Do you want an honest answer or a helpful one?

  1. Honest:
    If you do not know whether your UCS is visible from the public Internet, you should shut it down and step back from configuring server services as long as you know what to do!

  2. Helpful:
    Do ip a sh. If you see a public IP, your UCS is directly attached. In this case go to 1.

/KNEBB

I’m sorry I don’t understand English well and I didn’t understand your question.
Of course my server does not have a public IP address (its IP is 192.168.0.43); it is connected to a box in router mode.

Ok:
What does ip a sh say?
What does arp say?
Can you do a port scan on your public IP?

/KNEBB

For ip a sh:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether c8:1f:66:1f:90:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.43/24 brd 192.168.0.255 scope global dynamic enp2s0
       valid_lft 43138sec preferred_lft 43138sec
    inet6 2a01:e0a:31d:5dc0:ca1f:66ff:fe1f:90db/64 scope global dynamic mngtmpaddr 
       valid_lft 86070sec preferred_lft 86070sec
    inet6 fe80::ca1f:66ff:fe1f:90db/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:8e:ec:b3:b4 brd ff:ff:ff:ff:ff:ff
    inet 172.17.42.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:8eff:feec:b3b4/64 scope link 
       valid_lft forever preferred_lft forever
4: br-3c8ac50931f3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:9f:b3:08:ef brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-3c8ac50931f3
       valid_lft forever preferred_lft forever
6: vetha0f314d@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 4a:94:8b:cb:6e:c2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::4894:8bff:fecb:6ec2/64 scope link 

For arp:

Adresse                  TypeMap AdresseMat          Indicateurs           Iface
192.168.0.1              ether   b8:27:eb:a8:07:bd   C                     enp2s0
192.168.0.4              ether   18:66:da:2e:9b:25   C                     enp2s0
192.168.0.5                      (incomplete)                              enp2s0
172.17.0.1               ether   02:42:ac:11:00:01   C                     docker0
192.168.0.13             ether   9c:4e:36:7d:27:a4   C                     enp2s0
192.168.0.254            ether   70:fc:8f:68:19:48   C                     enp2s0

And nmap:

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
110/tcp  open  pop3
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
465/tcp  open  smtps
587/tcp  open  submission
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
993/tcp  open  imaps
995/tcp  open  pop3s
2049/tcp open  nfs
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5432/tcp open  postgresql
5666/tcp open  nrpe
6669/tcp open  irc
Nmap done: 1 IP address (1 host up) scanned in 59.56 seconds

Ok, looks pretty good so far, indeed.

If the log really indicates a client with an update request to your UCS, it is an issue with your router!

Again, can you do a port scan of your public IP address to see which ports are open there? The ports you have posted should be open, but only locally.

Good luck!

[Edit] Sometimes DNS servers send additional information to a requesting client (bind in your case). Perhaps you have configured unreliable nameservers? What does ucr dump| grep nameserv say?

/KNEBB

New port scan:

Port Scanning Results
Port	Type	Status	Service
21	TCP	Filtered	ftp
22	TCP	Open	ssh
23	TCP	Filtered	telnet
25	TCP	Open	smtp
53	TCP	Open	domain
80	TCP	Open	http
110	TCP	Open	pop3
111	TCP	Open	rpcbind
135	TCP	Open	msrpc
139	TCP	Open	netbios-ssn
143	TCP	Open	imap
389	TCP	Open	ldap
443	TCP	Open	https
445	TCP	Open	microsoft-ds
587	TCP	Open	submission
1025	TCP	Filtered	NFS-or-IIS
1080	TCP	Filtered	socks
1433	TCP	Filtered	ms-sql-s
3306	TCP	Filtered	mysql
3389	TCP	Closed	ms-wbt-server
5900	TCP	Filtered	vnc
6001	TCP	Filtered	X11:1
6379	TCP	Filtered	redis
8080	TCP	Filtered	http-proxy

nameserver1: 127.0.0.1
nameserver2: 192.168.0.1
nameserver4: 8.8.8.8

192.168.0.1 is a Pi-hole for blocking ads.
I have restarted my Freebox.

Well, your UCS seems to be completely exposed to the internet... this is usually no good.

Check your router/gateway and configure it properly!

Once done, no one can reach your dns any more and your issue is fixed.

/KNEBB

OK, thanks for your help, but it's strange because I have been configured like this for years and, apart from attempted connections on the ssh port, I was spared.
My server is in a DMZ; I will take it out of there and redirect the ports one by one for ssh, http, https, smtp ...

After removing my server from the DMZ and redirecting only the ssh, http, https and smtp ports, the problem is the same.
Port scan:

| Port | Type | Status   | Service          |
|------|------|----------|------------------|
| 21   | TCP  | Filtered | ftp              |
| 22   | TCP  | Open     | ssh              |
| 23   | TCP  | Filtered | telnet           |
| 25   | TCP  | Open     | smtp             |
| 53   | TCP  | Filtered | domain           |
| 80   | TCP  | Open     | http             |
| 110  | TCP  | Filtered | pop3             |
| 111  | TCP  | Filtered | rpcbind          |
| 135  | TCP  | Filtered | msrpc            |
| 139  | TCP  | Filtered | netbios-ssn      |
| 143  | TCP  | Filtered | imap             |
| 389  | TCP  | Filtered | ldap             |
| 443  | TCP  | Open     | https            |
| 445  | TCP  | Filtered | microsoft-ds     |
| 587  | TCP  | Filtered | submission       |
| 1025 | TCP  | Filtered | NFS-or-IIS       |
| 1080 | TCP  | Filtered | socks            |
| 1433 | TCP  | Filtered | ms-sql-s         |
| 3306 | TCP  | Filtered | mysql            |
| 3389 | TCP  | Filtered | ms-wbt-server    |
| 5900 | TCP  | Filtered | vnc              |
| 6001 | TCP  | Filtered | X11:1            |
| 6379 | TCP  | Filtered | redis            |
| 8080 | TCP  | Filtered | http-proxy       |

And now:

juil. 24 11:18:36 ucs named[1186]: REFUSED unexpected RCODE resolving '62.42.74.36.in-addr.arpa/PTR/IN': 222.124.18.193#53
juil. 24 11:18:37 ucs named[1186]: resolver priming query complete
juil. 24 11:18:38 ucs named[1186]: client @0x7ff8880e3980 197.207.49.249#3658 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 24 11:18:38 ucs named[1186]: SERVFAIL unexpected RCODE resolving '62.42.74.36.in-addr.arpa/PTR/IN': 202.134.0.62#53
juil. 24 11:18:41 ucs named[1186]: client @0x7ff8880e3980 197.207.49.249#3658 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 24 11:18:46 ucs named[1186]: client @0x7ff8880d51f0 197.207.49.249#3658 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 24 11:18:50 ucs named[1186]: REFUSED unexpected RCODE resolving '195.108.69.36.in-addr.arpa/PTR/IN': 222.124.18.193#53
juil. 24 11:18:54 ucs named[1186]: client @0x7ff8880d51f0 197.207.49.249#3658 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 24 11:18:55 ucs named[1186]: resolver priming query complete
juil. 24 11:18:55 ucs named[1186]: SERVFAIL unexpected RCODE resolving '34.250.110.27.in-addr.arpa/PTR/IN': 58.71.2.4#53
juil. 24 11:18:56 ucs named[1186]: SERVFAIL unexpected RCODE resolving '34.250.110.27.in-addr.arpa/PTR/IN': 58.71.1.34#53

Strange.
Whatever your router configuration is...

At least port 53 (DNS) is now filtered, so this was open. And I assume it should not be.

But it still looks like your DNS gets these packets.

Now it is getting a little bit more complicated. To see whatever sends to the DNS port and causes bind to show these messages, I would use a packet filter. You should be good with tcpdump:
tcpdump -i enp2s0 port 53

It might be a bunch of packets flowing in. You might need to filter them accordingly. You might write the output to a pcap file and use Wireshark to read it later. Good luck!

/KNEBB

Here is an extract:

11:46:49.530562 IP 197.207.49.249.3658 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)
11:46:49.530897 IP ucs.ldi.intranet.domain > 197.207.49.249.3658: 1 Refused- 0/0/0 (30)
11:46:49.532008 IP ucs.ldi.intranet.44775 > 192.168.0.1.domain: 23108+ [1au] PTR? 249.49.207.197.in-addr.arpa. (68)
11:46:49.543758 IP 192.168.0.1.domain > ucs.ldi.intranet.44775: 23108 NXDomain| 0/4/1 (510)
11:46:49.544019 IP ucs.ldi.intranet.40205 > 192.168.0.1.domain: Flags [S], seq 1461698952, win 64240, options [mss 1460,sackOK,TS val 2832716115 ecr 0,nop,wscale 7], length 0
11:46:49.544470 IP 192.168.0.1.domain > ucs.ldi.intranet.40205: Flags [S.], seq 1862695353, ack 1461698953, win 65160, options [mss 1460,sackOK,TS val 2634951944 ecr 2832716115,nop,wscale 7], length 0
11:46:49.544519 IP ucs.ldi.intranet.40205 > 192.168.0.1.domain: Flags [.], ack 1, win 502, options [nop,nop,TS val 2832716115 ecr 2634951944], length 0
11:46:49.600367 IP 192.168.0.1.domain > ucs.ldi.intranet.40205: Flags [F.], seq 737, ack 72, win 509, options [nop,nop,TS val 2634952000 ecr 2832716170], length 0
11:46:49.600395 IP ucs.ldi.intranet.40205 > 192.168.0.1.domain: Flags [.], ack 738, win 501, options [nop,nop,TS val 2832716171 ecr 2634952000], length 0
11:46:50.337333 IP 174-084-013-238.res.spectrum.com.9305 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)
11:46:50.337704 IP ucs.ldi.intranet.domain > 174-084-013-238.res.spectrum.com.9305: 1 Refused- 0/0/0 (30)
11:46:50.337983 IP ucs.ldi.intranet.50308 > 192.168.0.1.domain: 29348+ [1au] PTR? 238.13.84.174.in-addr.arpa. (67)
11:46:51.538182 IP ucs.ldi.intranet.59039 > dns9.quad9.net.domain: 58658+ [1au] PTR? 238.13.84.174.in-addr.arpa. (67)
11:46:51.774903 IP dns9.quad9.net.domain > ucs.ldi.intranet.59039: 58658 1/0/1 PTR 174-084-013-238.res.spectrum.com. (101)
11:46:51.776314 IP ucs.ldi.intranet.56061 > 192.168.0.1.domain: 17734+ [1au] PTR? 9.9.9.9.in-addr.arpa. (61)
11:46:51.777798 IP 192.168.0.1.domain > ucs.ldi.intranet.56061: 17734 1/0/1 PTR dns9.quad9.net. (77)
11:46:55.151960 IP 197.207.49.249.3658 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)
11:46:55.152219 IP ucs.ldi.intranet.domain > 197.207.49.249.3658: 1 Refused- 0/0/0 (30)
11:46:59.193873 IP 174-084-013-238.res.spectrum.com.9305 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)
11:46:59.194251 IP ucs.ldi.intranet.domain > 174-084-013-238.res.spectrum.com.9305: 1 Refused- 0/0/0 (30)
11:47:05.904391 IP 197.207.49.249.3658 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)
11:47:05.904771 IP ucs.ldi.intranet.domain > 197.207.49.249.3658: 1 Refused- 0/0/0 (30)
11:47:07.492205 IP 197.207.49.249.3658 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)
11:47:07.492535 IP ucs.ldi.intranet.domain > 197.207.49.249.3658: 1 Refused- 0/0/0 (30)
11:47:09.019776 IP 174-084-013-238.res.spectrum.com.9305 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)
11:47:09.020130 IP ucs.ldi.intranet.domain > 174-084-013-238.res.spectrum.com.9305: 1 Refused- 0/0/0 (30)
11:47:09.942486 IP 197.207.49.249.3658 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)
11:47:09.942857 IP ucs.ldi.intranet.domain > 197.207.49.249.3658: 1 Refused- 0/0/0 (30)
11:47:13.418458 IP 174-084-013-238.res.spectrum.com.9305 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)
11:47:13.418788 IP ucs.ldi.intranet.domain > 174-084-013-238.res.spectrum.com.9305: 1 Refused- 0/0/0 (30)
11:47:16.123811 IP 174-084-013-238.res.spectrum.com.9305 > ucs.ldi.intranet.domain: 1+ RRSIG? pizzaseo.com. (30)

It is becoming too complicated for me.

You see the first entry in tcpdump. It is the same IP that the log entry complains about.
It is from Algeria:

Algeria
[...]
AS36947 Telecom Algeria
[...]
197.207.49.249

Now it is your task to figure out why this happens. Might be a misconfiguration from your router. Or your PiHole. Or both.
See pihole related link about pizzaseo.

And they all say the same as I did initially: you have (or had) DNS visible to the public. It might be forwarded to UCS or to PiHole. But both are bad. Might your PiHole forward it to UCS? I dunno.
There is not much I can do here for you; it is a simple configuration issue. It is not immediately related to UCS. Again: check 1. in one of my above posts!

/KNEBB

Since 5 o’clock everything is back to normal.
I can’t explain why.
Pi-hole is not accessible from the internet.

I will check my Pi-hole configuration and add a rule to my Fail2ban configuration.

Anyway, thanks for your patience.
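As an added example (not code from this thread, from Univention or from KNEBB), here is a small Python analyser for the BIND "query (cache) ... denied" lines that opened the thread, written from the defender's side: it parses the lines, counts denied queries per source address and per (name, type), applies the same maxretry/findtime logic a Fail2ban jail would use to decide which sources to flag, and notes sources whose UDP source port is below 1024. The log lines embedded in the block are constructed (documentation addresses 198.51.100.10 and 203.0.113.7, modelled on the format in the first post), not taken from the original logs; the function names and the threshold values are this example's own choices.

```python
import re
from collections import Counter, defaultdict
from typing import Iterable, Optional

# BIND writes "query (cache) ... denied" when a client outside
# allow-query/allow-recursion asks the resolver for a cached answer.
# Group names follow the layout of the log line:
#   <mon> <day> <hh:mm:ss> <host> named[<pid>]: client @0x... <ip>#<port> (<qname>): query (cache) '<name>/<type>/<class>' denied
DENIED_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)

# Constructed sample log (not the thread's real log); same format as journald output of named.
SAMPLE_LOG = """\
juil. 23 11:22:30 ucs named[9236]: client @0x7f64300d5b00 198.51.100.10#3453 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:30 ucs named[9236]: client @0x7f64300d5b00 203.0.113.7#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:32 ucs named[9236]: client @0x7f64300d5b00 203.0.113.7#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:38 ucs named[9236]: client @0x7f64300d5b00 203.0.113.7#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:43 ucs named[9236]: client @0x7f64300d5b00 203.0.113.7#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:44 ucs named[9236]: client @0x7f64300d5b00 203.0.113.7#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
juil. 23 11:22:45 ucs named[9236]: resolver priming query complete
juil. 23 11:23:50 ucs named[9236]: client @0x7f64300d5b00 198.51.100.10#3453 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
"""


def _seconds_of_day(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_denied(line: str) -> Optional[dict]:
    """Fields of one denied-query line, or None for any other named message."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return {
        "t": _seconds_of_day(m.group("time")),  # assumes all lines are from one day
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "name": m.group("name"),
        "qtype": m.group("qtype"),
    }


def parse_log(lines: Iterable[str]) -> list:
    return [r for r in map(parse_denied, lines) if r is not None]


def denied_by_source(records) -> Counter:
    """Denied queries per client address (a 'top talkers' view)."""
    return Counter(r["ip"] for r in records)


def denied_by_query(records) -> Counter:
    """Denied queries per (name, type); RRSIG and ANY queries produce large answers."""
    return Counter((r["name"], r["qtype"]) for r in records)


def flag_sources(records, maxretry: int = 5, findtime: int = 60) -> list:
    """Sources with at least maxretry denied queries inside any findtime-second
    window: the maxretry/findtime semantics a Fail2ban jail applies."""
    times = defaultdict(list)
    for r in records:
        times[r["ip"]].append(r["t"])
    flagged = []
    for ip, ts in times.items():
        ts.sort()
        for i in range(len(ts) - maxretry + 1):
            if ts[i + maxretry - 1] - ts[i] <= findtime:
                flagged.append(ip)
                break
    return sorted(flagged)


def privileged_source_ports(records) -> set:
    """Heuristic: a DNS query with a UDP source port below 1024 (such as 80) did
    not come from an ordinary stub resolver; the source address may be forged,
    in which case a ban hits the spoofing victim rather than the sender."""
    return {r["ip"] for r in records if r["port"] < 1024}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    print("denied per source:", dict(denied_by_source(recs)))
    print("denied per query :", dict(denied_by_query(recs)))
    print("would be flagged :", flag_sources(recs))
    print("low source ports :", privileged_source_ports(recs))
```

Running it on the constructed sample flags 203.0.113.7 (five denials within 14 seconds) and leaves 198.51.100.10 alone (two denials 80 seconds apart). The low-source-port note is the caveat to keep in mind before turning this into a ban rule: when the queries are reflected traffic with a forged source, the address in the log belongs to the victim, so a Fail2ban jail adds little, and the fix that actually removes the problem is the one given above, not exposing port 53 to the internet.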
