通过我的日志,我刚刚意识到我的服务器的某些部分可能会受到损害,虽然不是Bind 9的专家,但我不确定要纠正什么以防止这种情况:
Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.gamasutra.com/A/IN': 2001:4800:7814:0:5008:8553:ff04:b151#53 Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/A/IN': 2607:f208:302::2d#53 Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'gyogynovenyek-gyogyteak.com/A/IN': 2607:f0d0:1101:16f::6#53 Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/AAAA/IN': 2607:f208:302::2d#53 Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/A/IN': 2607:f208:206::2d#53 Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'www.kitchenworksinc.com/AAAA/IN': 2607:f208:206::2d#53 Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving 'gyogynovenyek-gyogyteak.com/AAAA/IN': 2607:f0d0:1101:16f::6#53 Oct 24 14:16:51 ip151 named[54864]: validating @0x7f4e1405ce60: www.gamasutra.com A: no valid signature found Oct 24 14:16:51 ip151 named[54864]: validating @0x7f4e1c5befc0: gamasutra.com SOA: no valid signature found Oct 24 14:16:51 ip151 named[54864]: validating @0x7f4e2008e200: www.gamasutra.com NSEC: no valid signature found Oct 24 14:16:54 ip151 named[54864]: error (network unreachable) resolving 'www.utrinski.mk/A/IN': 2001:678:1::2#53 Oct 24 14:16:54 ip151 named[54864]: error (network unreachable) resolving 'www.utrinski.mk/AAAA/IN': 2001:678:1::2#53 Oct 24 14:16:54 ip151 named[54864]: error (network unreachable) resolving 'www.utrinski.mk/A/IN': 2001:628:453:bb::4#53 Oct 24 14:16:54 ip151 named[54864]: error (network unreachable) resolving 'www.utrinski.mk/AAAA/IN': 2001:628:453:bb::4#53 Oct 24 14:16:54 ip151 named[54864]: error (connection refused) resolving 'www.utrinski.mk/A/IN': 194.149.137.168#53 Oct 24 14:16:54 ip151 named[54864]: error (connection refused) resolving 'www.utrinski.mk/AAAA/IN': 194.149.137.168#53 Oct 24 14:16:59 ip151 named[54864]: validating @0x7f4e241324c0: www.biblioteksforeningen.org AAAA: no valid signature found Oct 24 14:16:59 ip151 named[54864]: validating @0x7f4e0ccf4060: www.biblioteksforeningen.org A: no valid signature found Oct 24 14:16:59 ip151 named[54864]: validating @0x7f4e0ccf4060: biblioteksforeningen.org A: no valid signature found Oct 24 14:17:04 ip151 named[54864]: error (network unreachable) resolving 'dsac.cn/DS/IN': 2001:dc7::1#53
看起来我的服务器是垃圾邮件,其名称解析来自未知的人.如果我理解正确,我需要做的是将我的服务器设置为某种私有.
我很抱歉,如果我没有使用正确的术语,我只是想在它成为我主持的网站的真正问题之前快速解决这个问题.
谢谢
更新1:
-route§的结果是:
Destination Next Hop Flag Met Ref Use If [::]/96 [::] !n 1024 0 0 lo 0.0.0.0/96 [::] !n 1024 0 0 lo 2002:x00::/24 [::] !n 1024 0 0 lo 2002:xf00::/24 [::] !n 1024 0 0 lo 2002:x9fe::/32 [::] !n 1024 0 0 lo 2002:xc10::/28 [::] !n 1024 0 0 lo 2002:x0a8::/32 [::] !n 1024 0 0 lo 2002:x000::/19 [::] !n 1024 0 0 lo 3ffe:xfff::/32 [::] !n 1024 0 0 lo [::]/0 [::] !n -1 113233992 lo localhost/128 [::] Un 0 116069755 lo ipxxx.ip-17x-3x-4x.eu/128 [::] Un 0 1 14444 lo ff00::/8 [::] U 256 0 0 ens18 [::]/0 [::] !n -1 113233992 lo
更新2
我只是通过以下更改修改了named.conf文件(文件中清楚地解释了所有内容,我应该首先看一下)
options {
listen-on port 53 {
any;
};
// listen-on-v6 port 53 {
// any;
// };
我评论了最后3行,因为我在我的网站上没有处理任何IP V6.
还修改了从yes到no的那一行:
`/*
- If you are building an AUTHORITATIVE DNS server,do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server,you need to enable
recursion.
- If your recursive DNS server has a public IP address,you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/`
recursion no;
它似乎不会影响我的任何网站.
结果,我的日志现在看起来像这样:
Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (www.dunyadinleri.com): query (cache) 'www.dunyadinleri.com/AAAA/IN' denied Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (www.dunyadinleri.com): query (cache) 'www.dunyadinleri.com/A/IN' denied Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#17750 (ujquery.org): query (cache) 'ujquery.org/A/IN' denied Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#17750 (ujquery.org): query (cache) 'ujquery.org/AAAA/IN' denied Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (adsl.aruba.it): query (cache) 'adsl.aruba.it/A/IN' denied Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (adsl.aruba.it): query (cache) 'adsl.aruba.it/AAAA/IN' denied Oct 24 15:10:57 ip151 named[40819]: client 127.0.0.1#58400 (www.microscopy-uk.org.uk): query (cache) 'www.microscopy-uk.org.uk/A/IN' denied
Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving ‘www.gamasutra.com/A/IN’: 2001:4800:7814:0:5008:8553:ff04:b151#53
Oct 24 14:16:50 ip151 named[54864]: error (network unreachable) resolving ‘www.kitchenworksinc.com/A/IN’: 2607:f208:302::2d#53
嗯,我看到只有来自IPv6源地址的请求才会发生.所以我认为您的服务器正在侦听IPv6地址的请求,但无法访问或发送回复(网络无法访问).而且我很确定它可能由于缺少默认网关或默认路由而发生.
所以检查以下内容,运行:
route -6
你应该看到类似的东西
::/0 2001:xxxx:xxxx:196::1 UG 1024 8 874 eth0
如果没有:: / 0路由,则这是问题(缺少默认路由),因此无法发送对IPv6查询的回复.
更新:
06002
好吧,正如我所说,没有默认路线,因此他们能够联系到你,但你不是.再次,如果您不希望这些查询到来,您有三个选项
>在ip6tables中阻止53端口
>在接口上禁用ipv6地址
>从界面中删除ipv6地址
选择任何一个选项套件(正如您所说的运行Web服务器而不是DNS),否则您的系统将非常容易受到攻击!
