
We've been under ddos attack today and it all started there.

Here's our setup:

  • We use CloudFlare as a DNS service (no caching, just pointing to our server ip, so this is 8)
  • We have an anti-ddos hosting that acts as a reverse-proxy.
  • Apache 2.2

An attempt to load the website by domain name fails with nginx's 504 Timeout. I'm 100% sure that this message comes from our hoster's reverse proxy, and the support staff confirmed that and said they had messages like this in the logs:

    2016/08/29 14:47:34 [error] 3658#0: *51642375 upstream timed out (110: Connection timed out) while connecting to upstream, client: 11.111.11.111, server: , request: "GET / HTTP/1.1", upstream: "http://12.34.56.78:80/", host: "domain-name.com"

And here's what happens:

  • A direct request by ip works perfectly, so 12.34.56.78:8080 loads the site.
  • lynx domain-name.com loads the site when executed from the server itself
  • I tried launching a php built-in server listening to domain name, but it didn't work from outside
  • I tried restarting some services (including named) and rebooting the entire system
  • I used this (iptables -P INPUT ACCEPT) to allow all incoming traffic
  • Nothing interesting in logs but the /var/log/messages has this:

    Aug 29 17:54:06 client3738 named[22407]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2001:500:19::1#53
    Aug 29 17:54:06 client3738 named[22407]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:19::1#53
    Aug 29 17:54:06 client3738 named[22407]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2a01:8840:6::1#53
    Aug 29 17:54:06 client3738 named[22407]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2a01:8840:6::1#53
    Aug 29 17:54:08 client3738 named[22407]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:4f8:0:2::19#53
    Aug 29 17:54:08 client3738 named[22407]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:2c::254#53
    Aug 29 17:56:33 client3738 rsyslogd-2177: imuxsock begins to drop messages from pid 1900 due to rate-limiting
    Aug 29 17:56:41 client3738 rsyslogd-2177: imuxsock lost 1098 messages from pid 1900 due to rate-limiting
    Aug 29 18:01:33 client3738 rsyslogd-2177: imuxsock begins to drop messages from pid 1900 due to rate-limiting
    Aug 29 18:01:40 client3738 rsyslogd-2177: imuxsock lost 1091 messages from pid 1900 due to rate-limiting


PID 1900 is qmgr -l -t fifo -u.

Well, and the question is: what to do?

Thanks in advance!

1 Answer


So everything works great until you use your provider's proxy? Then let your provider deal with it. There could be nothing wrong with your server. This sounds like an issue between you and your provider.

Where's the info about the ddos attack?

Find out what qmgr is and what it's reporting to syslog. I'm pretty sure it's Postfix, so check your mail log.

Ryan Babchishin
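The two log sources quoted above (the proxy's nginx "upstream timed out" errors and the rsyslog rate-limiting lines that hide what PID 1900 was logging) are the ones worth reading systematically before deciding whether the fault is on the origin or on the provider side. The script below is an added example, not code from the question or the answer: it parses both formats, groups the nginx failures by upstream address and errno string (a "Connection timed out" while *connecting* means the proxy never got a TCP handshake from the origin, which points at the path between proxy and origin rather than at Apache itself), sums the messages rsyslog dropped per PID, and, on Linux only, looks up a PID's command line under /proc. The sample lines are constructed, modelled on the ones in the question, with one extra PID and one "Connection refused" line added to show the grouping.

```python
import os
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample input modelled on the nginx error line quoted in the question.
NGINX_ERROR_LOG = """\
2016/08/29 14:47:34 [error] 3658#0: *51642375 upstream timed out (110: Connection timed out) while connecting to upstream, client: 11.111.11.111, server: , request: "GET / HTTP/1.1", upstream: "http://12.34.56.78:80/", host: "domain-name.com"
2016/08/29 14:47:35 [error] 3658#0: *51642380 upstream timed out (110: Connection timed out) while connecting to upstream, client: 11.111.11.112, server: , request: "GET /index.php HTTP/1.1", upstream: "http://12.34.56.78:80/index.php", host: "domain-name.com"
2016/08/29 14:47:36 [error] 3658#0: *51642391 connect() failed (111: Connection refused) while connecting to upstream, client: 11.111.11.111, server: , request: "GET / HTTP/1.1", upstream: "http://12.34.56.78:80/", host: "domain-name.com"
"""

# Constructed sample input modelled on the rsyslog lines in /var/log/messages (extra pid 2222 added).
SYSLOG = """\
Aug 29 17:56:33 client3738 rsyslogd-2177: imuxsock begins to drop messages from pid 1900 due to rate-limiting
Aug 29 17:56:41 client3738 rsyslogd-2177: imuxsock lost 1098 messages from pid 1900 due to rate-limiting
Aug 29 18:01:33 client3738 rsyslogd-2177: imuxsock begins to drop messages from pid 1900 due to rate-limiting
Aug 29 18:01:40 client3738 rsyslogd-2177: imuxsock lost 1091 messages from pid 1900 due to rate-limiting
Aug 29 18:02:00 client3738 rsyslogd-2177: imuxsock lost 12 messages from pid 2222 due to rate-limiting
"""

# nginx error-log layout for upstream connect failures: message, (errno: strerror), then key/value fields.
NGINX_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[error\] \d+#\d+: \*\d+ (?P<msg>.+?) \((?P<errno>\d+): (?P<strerror>[^)]+)\) '
    r'while connecting to upstream, client: (?P<client>[^,]+), server: (?P<server>[^,]*), '
    r'request: "(?P<request>[^"]*)", upstream: "(?P<upstream>[^"]*)", host: "(?P<host>[^"]*)"$'
)

RSYSLOG_LOST_RE = re.compile(
    r'imuxsock lost (?P<n>\d+) messages from pid (?P<pid>\d+) due to rate-limiting'
)


def parse_nginx_error(line):
    """Return the named fields of an upstream connect failure, or None for other lines."""
    m = NGINX_RE.match(line.strip())
    return m.groupdict() if m else None


def upstream_failures(log_text):
    """Group connect failures by (upstream host:port, strerror) with a distinct-client count.

    Many distinct clients all failing against the same upstream means the origin
    (or the proxy-to-origin path) is the bottleneck, not a single misbehaving client.
    """
    counts = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_nginx_error(line)
        if rec is None:
            continue
        key = (urlparse(rec["upstream"]).netloc, rec["strerror"])
        counts[key] += 1
        clients[key].add(rec["client"])
    return {k: {"count": n, "distinct_clients": len(clients[k])} for k, n in counts.items()}


def lost_messages_by_pid(syslog_text):
    """Sum the messages rsyslog's imuxsock dropped, per source PID."""
    totals = Counter()
    for line in syslog_text.splitlines():
        m = RSYSLOG_LOST_RE.search(line)
        if m:
            totals[int(m.group("pid"))] += int(m.group("n"))
    return dict(totals)


def process_cmdline(pid):
    """Linux only: the command line of a live PID from /proc, or None if it is gone."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").strip().decode(errors="replace") or None
    except OSError:
        return None


if __name__ == "__main__":
    for (upstream, why), info in sorted(upstream_failures(NGINX_ERROR_LOG).items()):
        print(f"{upstream:20} {why:22} {info['count']:4} hits from {info['distinct_clients']} client(s)")
    for pid, lost in sorted(lost_messages_by_pid(SYSLOG).items()):
        print(f"pid {pid}: rsyslog dropped {lost} messages; cmdline now: {process_cmdline(pid)}")
```

Run it against real files with `upstream_failures(open("/var/log/nginx/error.log").read())`; the errno string is the field to watch, since "Connection timed out" and "Connection refused" point at different causes. The dropped-message totals show how much of the noisy process's output never reached the log, which is why the answer suggests going to the mail log directly rather than trusting /var/log/messages.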