JP Vossen on 28 Jan 2009 12:13:44 -0800


[PLUG] named: client *: query (cache) './NS/IN' denied

In early January I started periodically getting tons of BIND9 log 
messages like this on my Co-Lo'ed personal mail/web/DNS server:
    named[32594]: client query (cache) './NS/IN' denied

I'm reasonably sure that this is part of a DDoS attack against some 
other random servers on the 'Net [1].  As you can see, my server is 
denying the request so to some extent it's not a problem.  But it is 
cluttering up my logs, and generating large LogCheck emails to me.

So I've been blackholing them via a "bogusnets" BIND ACL, but that is 
getting tedious.  I'm thinking about stopping doing that and simply 
adding an ignore rule to my LogCheck so it stops spamming me about it.

Anyone have any better ideas?  (Aside from, "ditch BIND and switch to 
DJBDNS like I told you, dumbass." (Thanks Michale :))

I'm also mildly curious as to why I've never seen these messages before 
January.  I guess I could have done an update around then and gotten a 
new BIND or something.  I'm sure that attack isn't new, but I did move 
to that new co-lo around 2008-12-18, so maybe it took a little while for 
the server to be found?  I dunno...


[1] DNS DDoS: Spoof UDP packets to lots and lots of name servers so they 
look like (recursive) requests from the DDoS victim.  The name servers 
reply and swamp the victim.

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
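As an added example (not part of the original post), the following script shows the defensive bookkeeping the post describes: it parses BIND 9 "query (cache) ... denied" lines, counts the refused './NS/IN' queries per apparent source, renders the noisiest sources as a "bogusnets" style ACL block for named.conf, and checks which lines a LogCheck ignore regex would suppress. The log lines are constructed samples using documentation address ranges; the threshold, ACL name and the ignore pattern are assumptions chosen for illustration, not values from the post.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format BIND 9 uses for refused
# recursive queries: "client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied".
# Addresses come from RFC 5737 documentation ranges; they are not real sources.
SAMPLE_LOG = """\
Jan 28 11:02:13 host named[32594]: client 192.0.2.10#5392: query (cache) './NS/IN' denied
Jan 28 11:02:13 host named[32594]: client 192.0.2.10#5392: query (cache) './NS/IN' denied
Jan 28 11:02:14 host named[32594]: client 192.0.2.10#5392: query (cache) './NS/IN' denied
Jan 28 11:02:15 host named[32594]: client 198.51.100.7#1053: query (cache) './NS/IN' denied
Jan 28 11:02:16 host named[32594]: client 203.0.113.5#40001: query (cache) 'example.com/A/IN' denied
Jan 28 11:02:17 host named[32594]: client 192.0.2.10#5392: query (cache) './NS/IN' denied
"""

# Captures the claimed source address and the queried name/type from a
# refused-query message.  Because these are spoofed UDP packets, the "source"
# is really the amplification victim, which is why blocking it only stops
# log noise rather than protecting anyone.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query \(cache\) '(?P<qname>[^/]*)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

# Assumed LogCheck ignore pattern (egrep-compatible, so it can be dropped into
# an ignore.d file as-is) that suppresses only the './NS/IN' denial, leaving
# other refused queries visible.
LOGCHECK_IGNORE = re.compile(
    r"named\[[0-9]+\]: client [0-9a-fA-F.:]+#[0-9]+: "
    r"query \(cache\) '\./NS/IN' denied$"
)


def count_denied(log_text, qname=".", qtype="NS"):
    """Count refused cache queries per client IP for one name/type pair."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group("qname") == qname and m.group("qtype") == qtype:
            counts[m.group("ip")] += 1
    return counts


def noisy_sources(counts, threshold):
    """Return sources seen at least `threshold` times, most frequent first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def bogusnets_acl(ips, name="bogusnets"):
    """Render a BIND ACL block (for named.conf) listing the given sources."""
    body = "\n".join(f"    {ip};" for ip in ips)
    return f"acl {name} {{\n{body}\n}};"


def logcheck_would_ignore(line):
    """True if the assumed LogCheck ignore rule would drop this line."""
    return LOGCHECK_IGNORE.search(line) is not None


if __name__ == "__main__":
    counts = count_denied(SAMPLE_LOG)
    print(bogusnets_acl(noisy_sources(counts, threshold=3)))
    for line in SAMPLE_LOG.splitlines():
        print("ignore" if logcheck_would_ignore(line) else "report", line)
```

Running it prints an ACL containing only 192.0.2.10 (the one source over the assumed threshold of three) and marks the five './NS/IN' lines as ignorable while the unrelated 'example.com/A/IN' denial is still reported, which is the trade-off the post weighs: an ACL entry per source versus one ignore rule that hides the whole class of message.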
Philadelphia Linux Users Group