JP Vossen on 28 Jan 2009 12:13:44 -0800
In early January I started periodically getting tons of BIND9 log messages like this on my Co-Lo'ed personal mail/web/DNS server:

    named[32594]: client 70.86.80.98#7593: query (cache) './NS/IN' denied

I'm reasonably sure that this is part of a DDoS attack against some other random servers on the 'Net [1]. As you can see, my server is denying the request so to some extent it's not a problem. But it is cluttering up my logs, and generating large LogCheck emails to me.

So I've been blackholing them via a "bogusnets" BIND ACL, but that is getting tedious. I'm thinking about stopping doing that and simply adding an ignore rule to my LogCheck so it stops spamming me about it.

Anyone have any better ideas? (Aside from, "ditch BIND and switch to DJBDNS like I told you, dumbass." (Thanks Michale :))

I'm also mildly curious as to why I've never seen these messages before January. I guess I could have done an update around then and gotten a new BIND or something. I'm sure that attack isn't new, but I did move to that new co-lo around 2008-12-18, so maybe it took a little while for the server to be found? I dunno...

Thanks,
JP

[1] DNS DDoS: Spoof UDP packets to lots and lots of name servers so they look like (recursive) requests from the DDoS victim. The name servers reply and swamp the victim.

----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on software required to protect Windows from its own poorly designed and implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
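
Added example, not part of the original post: a small log triage script that separates the "'./NS/IN' denied" lines quoted above from everything else and counts them per client address, so the noise can be summarized instead of read line by line. The sample log is constructed (only 70.86.80.98 appears in the post), and the function name `summarize` and its `threshold` parameter are hypothetical; per footnote [1], the counted addresses are most likely the spoofed victims rather than the real senders.

```python
import re
from collections import Counter

# Matches the BIND9 denial line quoted in the post. The syslog prefix before
# "named[pid]:" varies by system, so the pattern is not anchored to line start.
DENIED_ROOT_NS = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '\./NS/IN' denied"
)

# Constructed sample log. Only 70.86.80.98 comes from the post; the other
# addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Jan 28 12:00:01 host named[32594]: client 70.86.80.98#7593: query (cache) './NS/IN' denied
Jan 28 12:00:01 host named[32594]: client 70.86.80.98#40211: query (cache) './NS/IN' denied
Jan 28 12:00:02 host named[32594]: client 192.0.2.10#5353: query (cache) './NS/IN' denied
Jan 28 12:00:02 host named[32594]: client 198.51.100.7#1042: query (cache) 'example.com/A/IN' denied
Jan 28 12:00:03 host sshd[811]: Accepted publickey for jp from 203.0.113.5 port 50022 ssh2
Jan 28 12:00:04 host named[32594]: client 70.86.80.98#12001: query (cache) './NS/IN' denied
"""

def summarize(lines, threshold=2):
    """Return (per-client denial counts, clients at/over threshold, other lines)."""
    counts = Counter()
    remaining = []
    for line in lines:
        match = DENIED_ROOT_NS.search(line)
        if match:
            counts[match.group("ip")] += 1
        else:
            # Anything that is not a root-NS denial stays visible for review,
            # including other denied queries.
            remaining.append(line)
    noisy = {ip: n for ip, n in counts.items() if n >= threshold}
    return counts, noisy, remaining

if __name__ == "__main__":
    counts, noisy, remaining = summarize(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{n:6d}  {ip}")
    print(f"{len(remaining)} other lines left for normal review")
```

Only the exact root-NS denial is folded into the summary; the denied 'example.com/A/IN' query and the sshd line remain in the output that still gets read.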