Plesk DNS apparently not fully deleting old domains

I just had a peek in my Event Viewer and saw 50,000 events for denied DNS queries related to domain name I deleted from Plesk's control panel ages ago.

Here's an example of what it looks like:

Code:
client xx.xx.xx.xx#22863 (deleteddomain.com): query (cache) 'deleteddomain.com/A/IN' denied
the source of the alerts is C:\Program Files (x86)\Parallels\Plesk\dns\bin\named.exe

1) why isn't Plesk properly deleting and rebuilding the DNS cache?

2) how can I remove the old domain and rebuild the cache manually?
 
1. If the query is denied, that would indicate that Plesk DID delete the entry, but some clients for whatever reason are still querying the server for authoritative DNS.

A deny is a correct log entry for a deleted domain query. Is the domain still existing, is it still pointing to the nameservers/IPs of the VM?

2. You can find all the DNS entries in the /var/etc folder within the Plesk, then DNS, folder. If there is a deleteddomain.com zone file there, it hasn't been deleted; if there isn't such a zone file there, it has been deleted, and these log entries are just telling you something is still pointing to the server and it's denying the queries.
 
Hmmm, ok. Thanks for shedding some light on this Stephen.

The deleted domain is indeed no longer in the zone file. And the domain no longer exists. It expired and has never been renewed (it was deleted from Plesk over 2 years ago).

I don't know if it matters, but it was actually a secondary domain that was added into Plesk as an alias to redirect to a main domain -- both of which were deleted at the same time. However, the event log entries are only for the deleted alias domain, not the main domain. Do you think there's a reason for this?

Is there anything I can do to stop it from piling up entries in my event log? (perhaps something like a DNS equivalent to an HTTP 410 Gone Status?) It really makes it hard for me to find anything important in there if I have to weed through tens of thousands of entries for this one single non-existent domain name.

Maybe I'm wrong, but you'd think 2 years would be long enough for DNS caches around the world to remove it.
 
Could it be that one of your domains has the domain as an ns.deleteddomain.com on the internal records, even if not external, making it loop a bit? I'd recommend going through the advanced view of all your hosted domains to see if there is a reference to NS in that deleted domain, or maybe a mail record or something else like that causing it.
 
Hey Stephen, so I went through all the DNS zone tables in Plesk control panel for every domain on the server (didn't take too long as I only have 5 domains active at the moment). Is that what you meant by advanced view? I didn't see the deleted domain anywhere. It also wasn't anywhere on the DNS default template.

I went a step further and did a whole Agent Ransack file search of the entire \Parallels\Plesk\*.* folder for deleteddomain.com and it returned zero results. As a point of comparison, searching the same folder and all the contents of files for an active domain name returns hundreds of results (log files, config files, MYSQL data tables, DNS zone files, MailEnable settings, etc.).

I googled around for "bind dns server query denied" and found something. This person has almost the exact same problem I do, except they mention at the end that they are completely unknown domains appearing in their log files. (I mean, at this point my 'deleteddomain.com' might as well be completely unknown as there hasn't been a trace of it on the server for over 2 years):
https://www.howtoforge.com/community/threads/system-log-full-of-named-denied-queries.65975/

I did notice in Plesk's DNS settings that DNS recursion is currently allowed for local requests only. That wouldn't have anything to do with it, would it?
 
One more thing, I noticed in the past few minutes some different event log entries for denied DNS queries. One looked like a completely gibberish domain name, and two others, ipplus360.com and dnsscan.shadowserver.org.

Is that you guys testing it?
 
You don't want DNS recursion open, for sure. That would mean it would not deny, but reply with a DNS lookup and back out, resulting in a lot of excess traffic, not to mention it can be used as a DDoS vector.

No, we aren't testing anything such as this; these DNS scanners are actually used to find servers open for recursion to use in amplified DDoS attacks.
 
So, in your opinion there's no way to prevent BIND DNS from either spamming my event logs with denied DNS queries for invalid domain names, OR banning the IP addresses of the spam/harvester bots making the invalid DNS queries at least a thousand times a day?
 
I'd be lying to say I know exactly what your DNS config looks like, but it sounds like it is on BIND from what you've said. I haven't logged into your server. We typically now switch people over to the MSDNS server and it doesn't make these logs. However, it may be possible (take a backup of the named.conf first) to make it suppress these denied entries by doing something like this:
https://forums.cpanel.net/threads/why-named-logging-query-cache-denied-to-var-log-messages.170302/

It is a cPanel forum, but generally the config is very similar for BIND whether on Windows or Linux; just the paths differ.
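Before silencing the log or adding firewall rules, it helps to know how many sources are actually behind the noise. The script below is an added example, not code from this thread or from Plesk: it parses denied-query lines in the exact format shown at the top of the thread (the same text named.exe writes to the Windows Event Log) and summarises them per client IP and per queried name. The log lines, IPs and the `clients_over` threshold are constructed for illustration.

```python
import re
from collections import Counter

# BIND "query denied" line, as in the thread. Tolerates an optional leading
# "@0x..." client tag that newer BIND versions print, and IPv6 client addresses.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \((?P<suffix>[^)]*)\))?: query \((?P<kind>cache|recursion)\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

def parse_denied(line):
    """Return a dict of fields for a denied-query line, or None for other lines."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise trailing dot / case
    return rec

def summarise(lines, top=5):
    """Count denied queries per client IP and per queried name."""
    by_ip, by_name = Counter(), Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec:
            by_ip[rec["ip"]] += 1
            by_name[rec["qname"]] += 1
    return {"total": sum(by_ip.values()),
            "by_ip": by_ip.most_common(top),
            "by_name": by_name.most_common(top)}

def clients_over(lines, threshold):
    """IPs whose denied-query count reaches the threshold, most active first."""
    counts = Counter(r["ip"] for r in map(parse_denied, lines) if r)
    return [ip for ip, n in counts.most_common() if n >= threshold]

# Constructed sample log (documentation IP ranges, names taken from the thread).
SAMPLE_LOG = [
    "client 192.0.2.10#22863 (deleteddomain.com): query (cache) 'deleteddomain.com/A/IN' denied",
    "client 192.0.2.10#40001 (deleteddomain.com): query (cache) 'deleteddomain.com/A/IN' denied",
    "client 192.0.2.10#40002 (deleteddomain.com): query (cache) 'deleteddomain.com/MX/IN' denied",
    "client 198.51.100.7#5353 (dnsscan.shadowserver.org): query (cache) 'dnsscan.shadowserver.org/A/IN' denied",
    "client 203.0.113.42#33000 (ipplus360.com): query (cache) 'ipplus360.com/A/IN' denied",
    "zone example.com/IN: loaded serial 2024010101",  # unrelated line, must be skipped
    "client 2001:db8::1#9999 (deleteddomain.com): query (cache) 'deleteddomain.com/AAAA/IN' denied",
]

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
    print("clients with 3+ denied queries:", clients_over(SAMPLE_LOG, 3))
```

Feed it the exported Event Log text instead of `SAMPLE_LOG` to see whether the volume comes from a few scanners (a firewall decision) or from many recursive resolvers still holding stale NS data (a logging-channel decision).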
 