query (cache) denied (revisited)

Bradley Caricofe brad at caricofe.com
Sun Jul 19 14:40:02 UTC 2009


Hello,

Firstly, I know this issue has already been covered in some depth here. I've
spent hours perusing the archives and researching this online, and am still
not sure about what I'm seeing. This weekend, I migrated two old Solaris 5.7
boxes running BIND 9.2 over to two new CentOS systems running BIND 9.6. The
migration was a success; however, right away I began seeing tons of these in
our logs:

19-Jul-2009 10:34:29.635 client 84.235.6.53#1276: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:29.640 client 85.115.125.204#53150: query (cache) 'server41.appriver.com/A/IN' denied
19-Jul-2009 10:34:29.718 client 213.133.115.147#23725: query (cache) 'wwequip.com/AAAA/IN' denied
19-Jul-2009 10:34:29.769 client 121.1.3.66#57014: query (cache) 'asialink.com.ph/MX/IN' denied
19-Jul-2009 10:34:29.889 client 216.250.255.47#4465: RFC 1918 response from Internet for 87.193.30.172.in-addr.arpa
19-Jul-2009 10:34:29.937 client 156.111.204.136#7736: query (cache) 'www.reuters.nsatc.net/A/IN' denied
19-Jul-2009 10:34:29.975 client 121.1.3.66#13490: query (cache) 'asialink.com.ph/MX/IN' denied
19-Jul-2009 10:34:30.004 client 84.235.6.53#34256: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:30.074 client 65.55.81.4#5693: query (cache) 'mosquera.com.ar/A/IN' denied
19-Jul-2009 10:34:30.124 client 84.235.6.53#2893: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:30.190 client 84.235.6.53#57257: query (cache) '6q6vszqgm.w8n08fo0.taha.com/A/IN' denied

There are a total of 26000 IPs hitting us daily and causing these queries.
Of these, only a handful are sending a lot of traffic, maybe a few dozen.
The worst sent 37000 queries yesterday. I'm trying to determine if this is
reflector attack behavior or if some of these hosts were successfully using
our servers for DNS in the past. Our server is refusing these queries and I
believe the old servers did so as well.

Is there anything I can do to filter or otherwise reduce these hits? Again,
I'm sorry for rehashing an old subject, but I don't have this figured out.

Thanks,
Brad

