Three NameServer DOSing my <dns1>

Michelle Konzack linux4michelle at tamay-dogan.net
Wed Jul 28 09:53:23 UTC 2010


Hello Experts,

my primary NameServer <dns1.tamay-dogan.net> is hit by more than 600.000
requests per day coming mainly from three NameServers:

----[ '/var/log/named.log' ]--------------------------------------------
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.318 security: info: client 194.25.2.173#34455: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.568 security: info: client 145.253.2.7#39557: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.747 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.033 security: info: client 145.253.2.7#42608: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.229 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.341 security: info: client 194.25.2.173#51045: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.596 security: info: client 145.253.2.7#38208: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.792 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.081 security: info: client 145.253.2.7#52958: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.284 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
------------------------------------------------------------------------

----[ STDIN ]-----------------------------------------------------------
[michelle.konzack at michelle1:~] host 194.25.2.173
173.2.25.194.in-addr.arpa domain name pointer dns42.btx.dtag.de.
[michelle.konzack at michelle1:~] host 145.253.2.7
Host 7.2.253.145.in-addr.arpa. not found: 3(NXDOMAIN)
[michelle.konzack at michelle1:~] host 79.242.61.7
7.61.242.79.in-addr.arpa domain name pointer p4FF23D07.dip.t-dialin.net.
[michelle.konzack at michelle1:~] dig -x 145.253.2.7

; <<>> DiG 9.5.1-P3 <<>> -x 145.253.2.7
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36189
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;7.2.253.145.in-addr.arpa.      IN      PTR

;; AUTHORITY SECTION:
253.145.in-addr.arpa.   6161    IN      SOA     ns1.arcor-ip.de. hostmaster.adm.arcor.net. 2010072800 28800 14400 1814400 7200

;; Query time: 1 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Wed Jul 28 11:38:01 2010
;; MSG SIZE  rcvd: 117

------------------------------------------------------------------------

The NX one is from Arcor. Since Deutsche Telekom is NOT responsive
to ANY of my requests and you cannot even reach them by telephone, I
need to do something because this 32 MByte traffic per day is absolutely
useless.

Any suggestions?

<yandex.ru> has responded for a half hour to my requests after 3 weeks or
such and told me they are querying my DNS because there is a link on my
website... but I have found nothing.

However, they want to connect to my ancient Laptop <tp570> and my
Workstation <michelle1> from which I write this message... Both machines
are in my Intranet and will never allow access from the world.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems at tdnet France EURL       itsystems at tdnet UG (limited liability)
Owner Michelle Konzack            Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                 Kinzigstraße 17
67100 Strasbourg/France           77694 Kehl/Germany
Tel: +33-6-61925193 mobil         Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>         <http://www.can4linux.org/>

Jabber linux4michelle at jabber.ccc.de
ICQ    #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/
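
Added example (not part of the original message, and not BIND or ISC code): a small Python tally of "query ... denied" lines in the log format quoted above, showing how many refusals each client and each question accounts for. The function names, the sample lines, the documentation-range addresses and the example.net names are constructed for illustration; only the line format shown in the post is handled.

```python
import re
from collections import Counter

# Matches the BIND "security" category line format quoted in the post:
#   ... client 194.25.2.173#34455: query 'name/A/IN' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/[^/']+' denied"
)

def parse_denied(line):
    """Return (client_ip, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.search(line)
    return (m["ip"], m["qname"].lower(), m["qtype"]) if m else None

def summarize(lines, top=3):
    """Count denied queries per client and per question; report the top clients' share."""
    clients, questions = Counter(), Counter()
    for line in lines:
        hit = parse_denied(line)
        if hit is None:
            continue  # not a denied-query line (other category, other format)
        ip, qname, qtype = hit
        clients[ip] += 1
        questions[(qname, qtype)] += 1
    total = sum(clients.values())
    top_clients = clients.most_common(top)
    share = sum(n for _, n in top_clients) / total if total else 0.0
    return {"total": total, "top_clients": top_clients,
            "top_share": share, "questions": questions.most_common()}

# Constructed sample input (RFC 5737 addresses, example.net names).
_PFX = "Jul 28 11:18:17 ns1 named[1000]: 28-Jul-2010 11:18:17.318 "
SAMPLE_LOG = [
    _PFX + "security: info: client 192.0.2.10#34455: query 'host1.private.example.net/A/IN' denied",
    _PFX + "security: info: client 198.51.100.7#39557: query 'host1.private.example.net/A/IN' denied",
    _PFX + "security: info: client 203.0.113.74#59366: query 'host1.private.example.net/A/IN' denied",
    _PFX + "security: info: client 198.51.100.7#42608: query 'host1.private.example.net/MX/IN' denied",
    _PFX + "security: info: client 192.0.2.10#51045: query 'host1.private.example.net/MX/IN' denied",
    _PFX + "security: info: client 203.0.113.74#59366: query 'host1.private.example.net/MX/IN' denied",
    _PFX + "security: info: client 192.0.2.99#40000: query 'www.example.net/A/IN' denied",
    _PFX + "general: info: zone example.net/IN: loaded serial 2010072800",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} denied queries, top clients hold {report['top_share']:.0%}")
    for ip, n in report["top_clients"]:
        print(f"  {n:6d}  {ip}")
    for (qname, qtype), n in report["questions"]:
        print(f"  {n:6d}  {qname} {qtype}")
```

Run over a full day's log, the per-question counts show whether the load is a handful of internal names being retried, and the per-client share shows how much of it a filter or rate limit on a few resolvers would remove.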