How do I block a specific DNS query (IP address) in a CentOS computer.

This particular computer is sending out a bogus DNS query to our DNS Windows 2003 server. I would like to block the query at the source. How can this be done?
OOsorioAsked:
 
giltjrConnect With a Mentor Commented:
To block at the source, find out what program is doing this and stop it or remove it.
0
 
OOsorioAuthor Commented:
I don't know what program is generating this. Is there a way to create an IP table of blocked DNS queries?
0
 
giltjrCommented:
Sure you could, but you do realize that it could not do ANY DNS resolution, which means it could not find any hosts by name.
0
 
AdraenyseCommented:
Is the "particular" computer within your organization, or is it coming from the Internet?

If it's coming from the Internet, your choices are to firewall that IP address on TCP and UDP inbound destination port 53, or, you can lookup the technical contact information for the IP address through ARIN (http://ws.arin.net/whois/) and attempt to get a resolution from the netblock authority.
0
 
lanboyoConnect With a Mentor Commented:
Put the bogus dns name that it is looking for, into the devices host table, preferably with a loopback address.
0
 
OOsorioAuthor Commented:
The DNS query is coming from a Linux server inside our network. lanboyo is right on the mark.
I can place the IP of the DNS query in /etc/hosts.
What would it look like with a loopback address?
0
 
giltjrCommented:
You would put:


127.0.0.1 hostname

where hostname is the host name it is trying to find.  This will not stop the queries, it will just stop them from going to your DNS server.  

However, now that the program is getting back a result, it will try and connect to 127.0.0.1 to something.  What you may want to do is put an invalid IP address (say 127.1.1.1) with the hostname and then issue the command:

   netstat -np | grep 127.1.1.1

every now and then. The "-p" will give you the PID of the task that is trying to connect to 127.1.1.1, then you can find out what program is issuing the queries and "fix" it.
0
 
OOsorioAuthor Commented:
The query to the DNS server is an IP address, so if I understand correctly the entry in /etc/hosts would be
127.1.1.1 67.40.182.122
The 67 IP address is what the DNS server is receiving, not a name per se.
0
 
AdraenyseCommented:
Rather than redirecting the results and still taking in the traffic and trying to deal with it, why not just firewall it and forget about it?

If you have iptables installed:

iptables -A INPUT -p tcp --dport 53 -s 67.40.182.122 -j DROP
iptables -A INPUT -p udp --dport 53 -s 67.40.182.122 -j DROP
service iptables save

... and the traffic is gone. The machine can still send you email, or view websites, it just won't be able to pass you any more DNS traffic.
0
 
AdraenyseCommented:
In regards to my last comment, I gave you instructions for firewalling with Linux, as the question was zoned for Linux, but you have said you are using Windows 2003 for DNS. I wish you could edit comments on this thing...
0
 
OOsorioAuthor Commented:
Adraenyse my DNS server is a windows server 2003. This specific DNS query is coming from a Linux server and going to windows server. I thought this was made clear.
0
 
AdraenyseCommented:
Yes, you did, I am just dyslexic today, I had the two machines backwards in my head.

You can block the lookup of the host by using the /etc/hosts file, but you need to enter it as the name being looked up, not the result IP.

Example
127.0.0.1 name.domain.com

Any request for name.domain.com would be resolved as 127.0.0.1 without querying DNS.

If you want to create a log of the DNS requests leaving from the CentOS machine, you can use this iptables statement to make a log:

iptables -A OUTPUT -p tcp --dport 53 -j LOG
iptables -A OUTPUT -p udp --dport 53 -j LOG

The requests will be placed in /var/log/messages.
0
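As an added example (not from any of the posters), the following script summarises the /var/log/messages lines those two iptables LOG rules produce, counting port-53 queries per DNS server and protocol so the volume of lookups can be measured before and after an /etc/hosts or resolver change; it also prints the in-addr.arpa name that a reverse lookup of the IP actually asks for. The log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. The log lines below are constructed
# samples in the format the iptables LOG target writes to /var/log/messages.

SAMPLE_LOG='May 26 16:55:10 centos kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=192.168.1.10 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40211 DPT=53 LEN=52
May 26 16:55:10 centos kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=192.168.1.10 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40212 DPT=53 LEN=52
May 26 16:55:11 centos kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40213 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
May 26 16:55:12 centos sshd[2210]: Accepted publickey for admin from 192.168.1.20 port 51022 ssh2
May 26 16:55:13 centos kernel: IN= OUT=eth0 SRC=192.168.1.50 DST=192.168.1.10 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=40214 DPT=53 LEN=52'

# Read log lines on stdin, keep only DNS traffic (DPT=53) and count
# queries per destination server and protocol.
# Output: one "proto dst count" line per pair, sorted.
dns_query_count() {
    grep 'DPT=53' | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
        }
        n[proto " " dst]++
    } END { for (k in n) print k, n[k] }' | sort
}

# Build the in-addr.arpa name a resolver queries when it reverse-looks-up
# an IPv4 address (octets reversed, suffix appended).
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Stand-alone run: summarise the sample log and show the PTR name behind
# the reverse lookup discussed in the thread.
printf '%s\n' "$SAMPLE_LOG" | dns_query_count
ptr_name 67.40.182.122
```

On a live system, replace the sample with `grep DPT=53 /var/log/messages | dns_query_count` to see how many queries reach each server.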
 
OOsorioAuthor Commented:
The query sent is an IP address not a domain name. As mentioned the IP is 67.40.182.122
0
 
giltjrCommented:
That is a reverse lookup, which you can't override using a hosts file.

Are you running any server services on that Linux box?

Can you do a netstat -n  to see if that IP address happens to have a connection to it?



0
 
lanboyoCommented:
If you put a host entry for the ip,

67.40.182.122 any_name_you_want

It will likely not do a reverse lookup.

A lot of commands have a -n option to not do the reverse lookup, if this is a tcpdump or traceroute kind of thing.
0
 
lanboyoCommented:
This IP has a valid reverse lookup though; does the 2003 server not point to the ISP's server for reverse lookups outside of your assigned space?
0
 
OOsorioAuthor Commented:
Yes it does. This IP has a block so it does not resolve and excessive traffic is created as a result. Several DNS errors. I'm going to try lanboyo's suggestion and let you all know what happens.
Thanks,

05/26/09 16:55:10 IP block 67.40.182.122
Trying 67.40.182.122 at ARIN
Trying 67.40.182 at ARIN

OrgName:    Qwest Communications Corporation
OrgID:      QCC-22
Address:    1801 California Street
City:       Denver
StateProv:  CO
PostalCode: 80202
Country:    US

NetRange:   67.40.0.0 - 67.42.255.255
CIDR:       67.40.0.0/15, 67.42.0.0/16
NetName:    QWEST-INET-116
NetHandle:  NET-67-40-0-0-1
Parent:     NET-67-0-0-0-0
NetType:    Direct Allocation
0
 
lanboyoCommented:
Yes, qwest needs to fix the block, or likely whoever assigned it does.

I assume you are now sending hundreds of DNS requests upstream to an annoyed DNS server...
0
 
giltjrCommented:
What makes you think something is wrong?  The IP address is a valid address and it has a valid PTR record and a valid A record.

The question is why is your host doing a reverse lookup on that address?  
0
 
OOsorioAuthor Commented:
That is an issue that I plan to address once I get the query under control.
0
 
giltjrCommented:
I guess the problem I am having is I don't know of a way to prevent a query for a specific name/address.  You can prevent queries from occurring totally, but you can't say "don't allow query for name XXXX" or "don't allow query for address a.b.c.d".

My guess is that  address is attempting to connect to some service on that computer (http, ssh, ftp, smtp, or something else) that is configured to do reverse look-ups.

The only way to "get the query under control" is to find out what is doing it and stop it.  That I am aware of there is no "content filtering" for dns functions.
0
 
OOsorioAuthor Commented:
I haven't tried it yet but maybe this would work because the query would think it got its answer..

lanboyo:If you put a host entry for the ip,
67.40.182.122 any_name_you_want
It will likely not do a reverse lookup.
A lot of commands have a -n option to not do the reverse lookup if this is a tcpdump or traceroute kind of thing.
0
 
giltjrCommented:
You can try.  At one point I didn't think that reverse look-ups used the hosts files, but they might.

Unfortunately the only way to really test it, is to make the change and see if it stops hitting your DNS server.

0
 
lanboyoCommented:
Yes, this entry in /etc/hosts will stop some of the madness.

However, the next reverse lookup may start the problem over again.

I have had a similar problem with a Microsoft DNS infrastructure, where reverse lookups for IPs that are not in the local AD schema are blasted to every registered server in AD that is running DNS, and every DNS server asks every registered DNS server.. And so on.

If your external server has cached an nxerror for this reverse lookup, then you will get used to seeing this problem. My org was disconnected from a shared dns structure for exactly this problem.

Since the originator is a Linux box, perhaps you can tweak the resolv.conf file to look directly to the external DNS server for addresses not used internally. Apps that do a surprisingly large number of reverse lookups are tcpdump, snort and ethereal, even when they are reading old capture files.

Also traceroute and mtr.

0
 
OOsorioAuthor Commented:
I appreciate the effort but did not get a solution. Thanks all.
0
 
lanboyoCommented:
It has been a while. Did the host entry not help? I suppose the issue is that the linux box is doing a reverse lookup on an IP address.

Some linux apps will not trust the listing in the host table.

You may need to set up a dns server on the linux box and put the servers own address in the dns search order.


I recommend dnsmasq, very lightweight, and it will serve the local addresses out of /etc/hosts .

http://dag.wieers.com/rpm/packages/dnsmasq/


I was able to get it working....

administrator@mail:/etc/init.d$ dig -x 67.40.182.122

; <<>> DiG 9.4.2-P2 <<>> -x 67.40.182.122
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;122.182.40.67.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
122.182.40.67.in-addr.arpa. 0   IN      PTR     any_name_you_want.


Do we know what app is doing the reverse lookup? That may be the key.



0
 
giltjrCommented:
I had to go back and re-read to try and remember what the issue is.  

--> "This particular computer is sending out a bogus DNS query to our DNS windows 2003 sever. I would like to block the query at the source. How can this be done?"

Basic answer, you can't.

From the posts, the request is not a bogus request, it's just a request you would rather not have come to your DNS server.

The solution is to find out what is doing the reverse look-up and stop it from doing it.  You can't stop a reverse lookup request (or a forward lookup) for a specific entry.  

If you can't find out what is doing the look-up, then all you can attempt to do is change what you return.  lanboyo did give you a possible solution: add an entry in your hosts file for the IP address that is attempting to be looked up.  This will not stop the look-up, but it may return a host name other than the real host name and it may return the result faster than if you forward the request to another name server.

I know that some web server report packages do reverse look-ups to do reporting, some ssh servers do reverse look-ups to validate the host name before allowing connections, and some e-mail servers also do reverse look-ups to verify that IP address is associated with the domain name that remote smtp server says it is coming from.  So returning a "bad" host name could cause something else to "break."

0
 
OOsorioAuthor Commented:
The suggestions are very useful.
0