Hi,
recently Virtualmin complained that I needed to add 127.0.0.1 to the BIND Zones.
Since then I've started seeing the following entries in my /var/named/data/named.run:
13-Jan-2016 14:20:12.442 client 127.0.0.1#24778: query (cache) 'w3.org/NS/IN' denied
13-Jan-2016 14:20:12.442 client 127.0.0.1#24778: query (cache) 'comcast.net/NS/IN' denied
13-Jan-2016 14:20:12.443 client 127.0.0.1#24778: query (cache) 'akamai.com/NS/IN' denied
13-Jan-2016 14:21:03.839 client 127.0.0.1#33857: query (cache) 'cingular.com/NS/IN' denied
13-Jan-2016 14:21:03.839 client 127.0.0.1#33857: query (cache) 'kernel.org/NS/IN' denied
13-Jan-2016 14:21:03.840 client 127.0.0.1#33857: query (cache) 'gmx.net/NS/IN' denied
13-Jan-2016 19:55:38.304 client 127.0.0.1#30860: query (cache) 'sun.com/NS/IN' denied
13-Jan-2016 19:55:38.305 client 127.0.0.1#30860: query (cache) 'w3.org/NS/IN' denied
13-Jan-2016 19:55:38.307 client 127.0.0.1#30860: query (cache) 'mit.edu/NS/IN' denied
I already have the named-refused-udp and named-refused-tcp fail2ban jails activated, so I'm not worried about any such entries which originate from an external IP address.
What concerns me is those originating from 127.0.0.1.
Have I been hacked?
Thanks
Hi,
is anyone able to take a look at this?
Thanks
Hi,
can anyone help with this?
Thanks
I'll answer my own question to help anyone else looking. To stop these entries, add the following to /etc/named.conf:
allow-query-cache { none; };
recursion no;
additional-from-auth no;
additional-from-cache no;
minimal-responses yes;
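Added example, not part of the thread or of BIND or Virtualmin: a triage script for the "query (cache) ... denied" lines quoted in the question, grouping them by client socket and separating loopback clients from external ones. The sample log is constructed from the format shown above (the 192.0.2.10 line is invented for contrast), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the named.run format quoted in the thread; the
# 192.0.2.10 line is an invented external client added for contrast.
SAMPLE_LOG = """\
13-Jan-2016 14:20:12.442 client 127.0.0.1#24778: query (cache) 'w3.org/NS/IN' denied
13-Jan-2016 14:20:12.442 client 127.0.0.1#24778: query (cache) 'comcast.net/NS/IN' denied
13-Jan-2016 14:21:03.839 client 127.0.0.1#33857: query (cache) 'cingular.com/NS/IN' denied
13-Jan-2016 14:22:40.101 client 192.0.2.10#5353: query (cache) 'example.com/A/IN' denied
"""

# Matches the line layout above; also tolerates the "@0x..." and "(qname)" fields newer BIND adds.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view \S+: )?query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)

def parse_denied(text):
    """Yield one dict per denied cache query line; ignore every other log line."""
    for line in text.splitlines():
        m = DENIED_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(text):
    """Group denied cache queries by client socket (ip, port), split by origin."""
    bursts = defaultdict(list)
    for rec in parse_denied(text):
        bursts[(rec["ip"], int(rec["port"]))].append(rec)
    report = {"loopback": [], "external": []}
    for (ip, port), recs in bursts.items():
        origin = "loopback" if ipaddress.ip_address(ip).is_loopback else "external"
        report[origin].append({
            "client": f"{ip}#{port}",
            "first_seen": recs[0]["ts"],
            "names": [f'{r["name"]}/{r["qtype"]}' for r in recs],
        })
    return report

if __name__ == "__main__":
    for origin, groups in summarize(SAMPLE_LOG).items():
        for g in groups:
            print(origin, g["client"], g["first_seen"], ", ".join(g["names"]))
```

Each loopback group shares one source port, so it is one socket opened on the host itself; the timestamps in `first_seen` are what to correlate against local process and cron activity.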