I was shocked when I saw /var/log/messages filled with a large number of entries like
“server named[15166]: client [xxxx.xxx]#975: error sending response: host unreachable”.
I was running my own BIND DNS server, and initially I thought this had something to do with a DoS attack. There were hundreds of these entries per day, originating from a few IPs, and I was very suspicious about it.
I checked my firewall rules: port 53 was open for both UDP and TCP, so no problem there.
After a long search I found the actual cause in a CERT article. Somebody was flooding the DNS server with queries carrying spoofed source IPs, which is commonly known as a ‘reflection attack’: the attacker sends DNS requests with forged source addresses, the server dutifully answers, and the response goes to the forged address instead of the attacker. When that address is unreachable, named logs the “error sending response” line for every one of them, which is why a few source IPs account for hundreds of entries a day. The fix described in that article applies to BIND 8.x and earlier versions.
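To put numbers on “a few IPs”, here is an added example (not from the original post) that parses the “error sending response” lines out of a syslog-style file, counts them per client address, and lists the addresses above a threshold. The log lines below are constructed for the example using RFC 5737 documentation addresses; the post itself redacted its IPs. The regex also accepts the “client @0x… addr#port (name):” form that newer BIND 9 releases log.

```python
import re
import sys
from collections import Counter

# Constructed sample of /var/log/messages lines (RFC 5737 documentation
# addresses); not taken from the original post, which redacted its IPs.
SAMPLE_LOG = """\
Mar  3 10:15:01 server named[15166]: client 192.0.2.10#975: error sending response: host unreachable
Mar  3 10:15:01 server named[15166]: client 192.0.2.10#975: error sending response: host unreachable
Mar  3 10:15:02 server named[15166]: client 198.51.100.7#53: error sending response: host unreachable
Mar  3 10:15:03 server named[15166]: client 192.0.2.10#1024: error sending response: host unreachable
Mar  3 10:15:04 server named[15166]: zone example.com/IN: loaded serial 2009030301
Mar  3 10:15:05 server named[15166]: client 203.0.113.5#40000: error sending response: network unreachable
Mar  3 10:15:06 server named[15166]: client 192.0.2.10#975: error sending response: host unreachable
"""

# Matches BIND's "client <addr>#<port>: error sending response: <reason>" lines.
# The optional "@0x..." client handle and "(name)" appear in newer BIND 9 logs.
SEND_ERROR_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?(?P<addr>[^#\s]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: error sending response: (?P<reason>.+)$"
)


def parse_send_errors(log_text):
    """Yield (addr, port, reason) for every 'error sending response' line."""
    for line in log_text.splitlines():
        m = SEND_ERROR_RE.search(line)
        if m:
            yield m.group("addr"), int(m.group("port")), m.group("reason").strip()


def count_by_client(log_text):
    """Return a Counter of failed responses per client address (any reason)."""
    return Counter(addr for addr, _port, _reason in parse_send_errors(log_text))


def suspicious_clients(log_text, threshold=3):
    """Addresses with at least `threshold` failed responses, most frequent first.

    A handful of addresses each triggering many unreachable responses is the
    pattern the post describes: spoofed query sources that never asked for the
    answer.  `threshold` is an arbitrary cut-off chosen for this example.
    """
    counts = count_by_client(log_text)
    return [(addr, n) for addr, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # Usage: python3 bind_unreachable.py /var/log/messages
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for addr, n in suspicious_clients(text):
        print(f"{n:6d}  {addr}")
```

On the sample above only 192.0.2.10 clears the default threshold; lowering it to 1 also lists the two single-hit addresses. Counting every reason rather than only “host unreachable” is deliberate, since “network unreachable” responses to forged addresses are the same symptom.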
To fix this on BIND 8, add this one line to the options block of /etc/named.conf (note the trailing semicolons, which named.conf requires):
options {
    ..
    use-id-pool yes;    // BIND 8.x: draw query IDs from a random pool
    ..
};
BIND 9 always allocates query IDs from a random pool and only accepts use-id-pool as an obsolete no-op, so on BIND 9 the line is harmless but does nothing.
Bear in mind that use-id-pool only makes your query IDs unpredictable; it does not stop spoofed queries from arriving or responses from being sent to the forged addresses. So I would also recommend hardening your DNS server: disable zone transfers and notifications, hide the BIND version, and restrict recursion to your own clients, since an open recursive resolver is exactly what reflection attacks abuse. Follow this article on DNS server hardening.
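As an added example (not from the original post or the hardening article it links to), here is a small checker that reads a named.conf, pulls out the top-level options block, and reports which of those hardening settings are missing. The two configuration blocks embedded in it are constructed for the example: a permissive one, and the same block with the recommended settings applied. It only inspects the options block, so per-zone allow-transfer or notify settings are not credited; the directive names themselves (version, allow-transfer, notify, recursion, allow-recursion) are standard BIND 9 options.

```python
import re

# Constructed example of a permissive options block (hypothetical; not the
# post author's configuration).
WEAK_CONF = """\
options {
    directory "/var/named";
    recursion yes;
};
"""

# The same block with the hardening the post recommends applied.
HARDENED_CONF = """\
options {
    directory "/var/named";
    version "not disclosed";          // hide the BIND version string
    allow-transfer { none; };         // no zone transfers to anyone
    notify no;                        // no NOTIFY messages
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };   // our own clients only
};
"""


def options_block(conf_text):
    """Return the body of the top-level options { ... } block, or '' if absent."""
    m = re.search(r"^\s*options\s*\{", conf_text, re.MULTILINE)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf_text)):
        c = conf_text[i]
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return conf_text[start:i]
    return ""  # unbalanced braces: treat as absent


def strip_comments(text):
    """Drop the three comment forms named.conf accepts: /* */, //, and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def directive(block, name):
    """Return the value of `name value;` inside the block, or None if unset.

    The value may be a brace list such as { none; }.  The lookbehind keeps
    'recursion' from matching inside 'allow-recursion'.
    """
    pat = r"(?<![\w-])" + re.escape(name) + r"\s+(\{[^}]*\}|[^;{]+?)\s*;"
    m = re.search(pat, block)
    return m.group(1).strip() if m else None


def audit_named_conf(conf_text):
    """Return a list of hardening findings for the options block (empty = clean)."""
    block = strip_comments(options_block(conf_text))
    if not block:
        return ["no options block found"]
    findings = []
    if directive(block, "version") is None:
        findings.append('version: BIND version is disclosed (set version "...";)')
    if directive(block, "allow-transfer") is None:
        findings.append("allow-transfer: zone transfers open to anyone (set allow-transfer { none; };)")
    if directive(block, "notify") not in ("no", "explicit"):
        findings.append("notify: NOTIFY sent to every NS (set notify no;)")
    # BIND 9 defaults to recursion yes, so an absent directive is still open.
    if directive(block, "recursion") != "no" and directive(block, "allow-recursion") is None:
        findings.append("recursion: open recursive resolver (set recursion no; or allow-recursion { ...; };)")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python3 named_audit.py /etc/named.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for finding in audit_named_conf(text) or ["no findings"]:
        print(finding)
```

Run against the permissive block it reports all four items; against the hardened block it reports nothing. `notify explicit` is accepted alongside `notify no` because it limits NOTIFY to the also-notify list rather than every NS in the zone.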
Hope this helps!