client ... query (cache) './NS/IN' denied:
shashaness at hotmail.com
Fri Aug 19 20:07:53 UTC 2011
That is why I have been posting the IP address. I now block 3980 IP addresses from our NS servers. Most of them attempt to ssh to our www server and fail; when they do that, I block the IP. Some of the same IPs must have been running the DoS, since they are no longer able to do so on NS1. I have replicated the block list to NS2 to see; I should know by tomorrow if NS2 stops getting them as well.
On a related topic:
Is there any way to test for poisoning? How can you tell if you are or are not poisoned?
> Date: Fri, 19 Aug 2011 09:33:29 +0800
> Subject: Re: client ... query (cache) './NS/IN' denied:
> From: shorttag at gmail.com
> To: shashaness at hotmail.com
> CC: bind-users at lists.isc.org
> On Fri, Aug 19, 2011 at 3:24 AM, Shawn Bakhtiar <shashaness at hotmail.com> wrote:
> > Hi all,
> > For the first time my primary name server is not reporting any more
> > client XXX.XXX.XXX.XXX query (cache) './NS/IN' denied: 1 Time(s)
> This is a DNS attack.
> Many DNS servers are meeting this kind of attack each day here.
> The traffic is huge; once I noticed the traffic to one of my NS hosts was 1.6G.
> It's a DDoS that will make your DNS unable to serve at all.
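
The denied './NS/IN' log entries discussed in this thread can be tallied per client before deciding what to block. The following is an added example, not code from the original message; the syslog-style line layout, the sample lines (documentation-range addresses) and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of named syslog lines; addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 19 09:33:29 ns1 named[1234]: client 192.0.2.10#53211: query (cache) './NS/IN' denied
Aug 19 09:33:29 ns1 named[1234]: client 192.0.2.10#40122: query (cache) './NS/IN' denied
Aug 19 09:33:30 ns1 named[1234]: client 198.51.100.7#1025: query (cache) './NS/IN' denied
Aug 19 09:33:31 ns1 named[1234]: client 192.0.2.10#53211: query (cache) './NS/IN' denied
Aug 19 09:33:32 ns1 named[1234]: client 203.0.113.5#5353: query (cache) 'example.com/A/IN' denied
Aug 19 09:33:33 ns1 named[1234]: client 2001:db8::1#4000: query (cache) './NS/IN' denied
Aug 19 09:33:34 ns1 sshd[999]: Failed password for root from 192.0.2.10 port 22 ssh2
"""

# Matches "client ADDR#PORT: query (cache) 'NAME/TYPE/CLASS' denied".
# Later BIND releases add " (name)" after the port, so that part is optional.
DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f:.]+)#\d+(?: \([^)]*\))?: "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)


def denied_root_ns(lines):
    """Count denied root NS ('./NS/IN') cache queries per client address."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if m and (m["qname"], m["qtype"], m["qclass"]) == (".", "NS", "IN"):
            counts[m["ip"]] += 1
    return counts


def over_threshold(counts, threshold):
    """Return the addresses seen at least `threshold` times, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = denied_root_ns(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{n:6d}  {ip}")
    print("candidates:", over_threshold(counts, 3))
```

DNS queries over UDP can carry a forged source address, so an address listed here may belong to a spoofed third party rather than the sender.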