CentOS 7 generating Unknown DNS Requests

Issues related to configuring your network
srijit92
Posts: 14
Joined: 2015/12/17 11:48:56

CentOS 7 generating Unknown DNS Requests

Post by srijit92 » 2021/04/28 16:58:58

Hi,

I have a freshly installed CentOS server with bind installed as a caching-only DNS server where only a specific IP pool is whitelisted for queries. But in the DNS query log I see unknown requests generated from the server itself (127.0.0.1), as shown below. What could be the issue? Is the server hacked?

28-Apr-2021 22:05:35.315 client @0x7f38ac0d4090 127.0.0.1#49562 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN A + (127.0.0.1)
28-Apr-2021 22:05:35.315 client @0x7f38ac0e2830 127.0.0.1#49562 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN AAAA + (127.0.0.1)
28-Apr-2021 22:05:45.884 client @0x7f38ac0e2830 127.0.0.1#58216 (142.173.60.187.in-addr.arpa): query: 142.173.60.187.in-addr.arpa IN PTR + (127.0.0.1)
28-Apr-2021 22:05:45.885 client @0x7f38ac0e2830 127.0.0.1#56838 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN A + (127.0.0.1)
28-Apr-2021 22:05:46.283 client @0x7f38ac0e2830 127.0.0.1#43031 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN A + (127.0.0.1)
28-Apr-2021 22:05:46.283 client @0x7f38ac0d4090 127.0.0.1#43031 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN AAAA + (127.0.0.1)

28-Apr-2021 22:24:41.183 client @0x7f44c4001180 127.0.0.1#49447 (194.22.218.189.in-addr.arpa): query: 194.22.218.189.in-addr.arpa IN PTR + (127.0.0.1)
28-Apr-2021 22:24:41.184 client @0x7f44c4001180 127.0.0.1#58857 (cablelink-189-218-22-194.hosts.intercable.net): query: cablelink-189-218-22-194.hosts.intercable.net IN A + (127.0.0.1)
28-Apr-2021 22:24:41.721 client @0x7f44c4001180 127.0.0.1#44639 (cablelink-189-218-22-194.hosts.intercable.net): query: cablelink-189-218-22-194.hosts.intercable.net IN A + (127.0.0.1)
28-Apr-2021 22:24:41.721 client @0x7f44dc0e2830 127.0.0.1#44639 (cablelink-189-218-22-194.hosts.intercable.net): query: cablelink-189-218-22-194.hosts.intercable.net IN AAAA + (127.0.0.1)
28-Apr-2021 22:25:05.757 client @0x7f44dc0e2830 127.0.0.1#46586 (194.22.218.189.in-addr.arpa): query: 194.22.218.189.in-addr.arpa IN PTR + (127.0.0.1)
28-Apr-2021 22:25:05.758 client @0x7f44dc0e2830 127.0.0.1#48007 (cablelink-189-218-22-194.hosts.intercable.net): query: cablelink-189-218-22-194.hosts.intercable.net IN A + (127.0.0.1)

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 7 generating Unknown DNS Requests

Post by TrevorH » 2021/04/28 17:18:07

No idea whether it's hacked or not, but when you do a lookup for a name that is not known by your DNS server, it has to go out to the root servers to look up there to find out the address of the DNS server that is authoritative for the name you're looking up, and then go to that server to look up the name.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

srijit92
Posts: 14
Joined: 2015/12/17 11:48:56

Re: CentOS 7 generating Unknown DNS Requests

Post by srijit92 » 2021/04/28 17:42:45

Yes, I know. But the request is getting generated from the server itself where there is no actual activity on the server. Only one external client is using the DNS server.

How come the server is itself generating the requests, and that too to unknown IPs?

silvio
Posts: 67
Joined: 2008/11/10 13:06:03

Re: CentOS 7 generating Unknown DNS Requests

Post by silvio » 2021/04/30 11:25:36

Hi srijit92,

Is this system reachable over the internet?
Do you use some services which do a DNS lookup if someone connects?
My first thought was a DNS lookup for an SSH connection, so I would have a look in my secure log.

Silvio
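
The check silvio suggests, as an added example that is not part of the original thread: this Python sketch takes the PTR queries that 127.0.0.1 sent to named, turns each in-addr.arpa name back into an IPv4 address, and reports whether sshd logged that address within a minute. The query-log lines are copied from the first post; the /var/log/secure lines, the host name ns1 and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# The three query-log lines below are copied from the first post.
QUERY_LOG = """\
28-Apr-2021 22:05:45.884 client @0x7f38ac0e2830 127.0.0.1#58216 (142.173.60.187.in-addr.arpa): query: 142.173.60.187.in-addr.arpa IN PTR + (127.0.0.1)
28-Apr-2021 22:05:45.885 client @0x7f38ac0e2830 127.0.0.1#56838 (187-60-173-142.linharesonline.com.br): query: 187-60-173-142.linharesonline.com.br IN A + (127.0.0.1)
28-Apr-2021 22:24:41.183 client @0x7f44c4001180 127.0.0.1#49447 (194.22.218.189.in-addr.arpa): query: 194.22.218.189.in-addr.arpa IN PTR + (127.0.0.1)
"""
# Constructed /var/log/secure lines (assumption: default sshd logging, host "ns1").
SECURE_LOG = """\
Apr 28 22:05:47 ns1 sshd[2211]: Failed password for root from 187.60.173.142 port 40112 ssh2
Apr 28 22:30:02 ns1 sshd[2290]: Invalid user admin from 203.0.113.7 port 51514
"""

PTR_RE = re.compile(r"^(\S+ \S+) client (?:@\S+ )?127\.0\.0\.1#\d+ "
                    r"\((\S+)\.in-addr\.arpa\): query: \S+ IN PTR")
SSHD_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r".*\bfrom (\d+\.\d+\.\d+\.\d+) port \d+")

def local_ptr_lookups(query_log):
    """Return [(time, ip)] for IPv4 PTR queries that 127.0.0.1 sent to named."""
    found = []
    for line in query_log.splitlines():
        m = PTR_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            # in-addr.arpa stores the octets reversed: 142.173.60.187 -> 187.60.173.142
            found.append((when, ".".join(reversed(m.group(2).split(".")))))
    return found

def sshd_events(secure_log, year):
    """Return [(time, ip)] for sshd lines naming a remote address (syslog has no year)."""
    hits = filter(None, map(SSHD_RE.match, secure_log.splitlines()))
    return [(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2))
            for m in hits]

def correlate(query_log, secure_log, window=timedelta(seconds=60)):
    """Map each looked-up IP to True if sshd logged it within `window` of the PTR query."""
    lookups = local_ptr_lookups(query_log)
    events = sshd_events(secure_log, lookups[0][0].year) if lookups else []
    result = {}
    for when, ip in lookups:
        hit = any(e_ip == ip and abs(e_when - when) <= window for e_when, e_ip in events)
        result[ip] = result.get(ip, False) or hit
    return result

if __name__ == "__main__":
    for ip, seen in correlate(QUERY_LOG, SECURE_LOG).items():
        print(ip, "matches an sshd entry" if seen else "no sshd entry, check other services")
```

An address that comes back unmatched points at another local service doing reverse lookups on incoming connections, so the same comparison can be repeated against that service's log.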
