dns attack

We run MLS latest build on a FQDN with an ADSL line with PPPoE.

The server is behind an AirPort Extreme.


For some days we have been encountering problems with our DNS. The computers seemed to be connected to the internet, but the sites would not open. We complained to our ISP, which said that the line is OK.


After much sweat, fiddling around and rebooting, I finally started reading the logs and Activity Monitor on the server. The only thing I thought strange was that named as a process sometimes used up to 30% processing power.


I switched off DNS "for all clients", changed it to "this server only", and the named log started reading:



A/IN' denied

15-Aug-2013 14:29:50.248 client 186.2.166.81#30715: view com.apple.ServerAdmin.DNS.public: query (cache) 'hackwhatlol.cc/A/IN' denied

15-Aug-2013 14:29:50.255 client 186.2.166.81#34065: view com.apple.ServerAdmin.DNS.public: query (cache) 'hackwhatlol.cc/A/IN' denied

15-Aug-2013 14:29:50.263 client 186.2.166.81#35751: view com.apple.ServerAdmin.DNS.public: query (cache) 'hackwhatlol.cc/A/IN' denied

15-Aug-2013 14:29:50.264 client 186.2.166.81#15929: view com.apple.ServerAdmin.DNS.public: query (cache) 'hackwhatlol.cc/A/IN' denied

15-Aug-2013 14:29:50.264 client 186.2.166.81#40769: view com.apple.ServerAdmin.DNS.public: query (cache) 'hackwhatlol.cc/A/IN' denied

15-Aug-2013 14:29:50.264 client 186.2.166.81#15531: view com.apple.ServerAdmin.DNS.public: query (cache) 'hackwhatlol.cc/A/IN' denied

15-Aug-2013 14:29:50.277 client 186.2.166.81#39983: view com.apple.ServerAdmin.DNS.public: query (cache) 'hackwhatlol.cc/A/IN' denied

15-Aug-2013 14:29:50.277 client 186.2.166.81#47197: view com.apple.ServerAdmin.DNS.public: query (cache) 'hackwhatlol.cc/A/IN' denied


This means for me, that somebody at hackwhatlol.cc spent the time to send 100 queries/second to our server, which downed our "poor" server.


After I closed the DNS for external queries, the malicious queries stopped after 5 minutes.

Is there anything else I can do?

Shall I close the port on the AEBS router for DNS too?

What a drag! Can I somehow close this %&*ˆ$((* hackwhatlol.cc site down?

Help appreciated

Pierre

Mac mini Server (Mid 2010), OS X Server

Posted on Aug 15, 2013 10:55 AM

3 replies
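As an added example (not code from the thread or from Apple), here is a small Python parser for the named "query ... denied" lines Pierre posted. It computes the peak number of denied queries per source address within a sliding one-second window, so a burst like the one above can be flagged from the log rather than noticed via CPU load. The 192.0.2.10 entry and the threshold values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the named "query (cache) '...' denied" lines quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied$"
)

# Timestamps and source ports of the eight lines Pierre posted; the 192.0.2.10
# line is a constructed, benign comparison entry (TEST-NET address).
_POSTED = [("14:29:50.248", 30715), ("14:29:50.255", 34065), ("14:29:50.263", 35751),
           ("14:29:50.264", 15929), ("14:29:50.264", 40769), ("14:29:50.264", 15531),
           ("14:29:50.277", 39983), ("14:29:50.277", 47197)]
SAMPLE_LOG = [
    f"15-Aug-2013 {ts} client 186.2.166.81#{port}: view com.apple.ServerAdmin.DNS.public: "
    f"query (cache) 'hackwhatlol.cc/A/IN' denied" for ts, port in _POSTED
] + ["15-Aug-2013 14:29:51.000 client 192.0.2.10#5353: view com.apple.ServerAdmin.DNS.public: "
     "query (cache) 'example.com/A/IN' denied"]

def parse_line(line):
    """Return a dict of fields for one denied-query line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec

def peak_rate_per_source(lines, window_seconds=1.0):
    """Peak number of denied queries from each source IP inside any sliding window."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    peaks = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def flag_floods(lines, threshold=50, window_seconds=1.0):
    # Sources whose peak rate reaches the threshold (the post describes ~100 queries/second).
    return {ip: n for ip, n in peak_rate_per_source(lines, window_seconds).items() if n >= threshold}
```

The eight posted lines all fall within 29 ms, so the flood source peaks at 8 queries in the window while the constructed benign source peaks at 1.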

Aug 15, 2013 12:13 PM in response to Pierre Froelicher1

Assuming your DNS service (coming from the Mac server) is strictly for use by internal clients, make sure that port 53 on your firewall (the AirPort Extreme) is not open or being forwarded. This will close off direct access to your DNS server from outside your LAN.


If the problem is coming from inside your LAN, disabling the setting you did above prevents the problem. The better solution is to determine what computer is attacking your server and to remove any malware it might have.



Bryan Dulock

Apple Consultants Network

Houston, TX

Aug 15, 2013 12:37 PM in response to Pierre Froelicher1

For a network that isn't serving public DNS, the only reason to open the DNS ports through the firewall these days is to allow the DNS server to become part of a DDoS.


What's usually happening is the source IP address of the DNS query is being spoofed (to be the target of the DDoS), and your (open) DNS server is making the (small) IP DNS query into a (larger) DNS server response.


In general, close UDP 53 and TCP 53 at the firewall. Even with these ports blocked, the DNS server can make outbound queries using the normal NAT connection-mapping rules and receive the responses.
