client ... query (cache) './NS/IN' denied:

Shawn Bakhtiar shashaness at
Fri Aug 19 20:07:53 UTC 2011

I know...

That is why I have been posting the IP address. I now block 3980 IP addresses from our NS servers. Most of them attempt to ssh to our www server and fail; when they do that, I block the IP. Some of the same IPs must have been running the DoS since they are no longer able to do so on NS1. I have replicated the block list to NS2 to see; I should know by tomorrow if NS2 stops getting them as well.

On a related topic:
Is there any way to test for poisoning? How can you tell if you are or are not poisoned?

> Date: Fri, 19 Aug 2011 09:33:29 +0800
> Subject: Re: client ... query (cache) './NS/IN' denied:
> From: shorttag at
> To: shashaness at
> CC: bind-users at
> On Fri, Aug 19, 2011 at 3:24 AM, Shawn Bakhtiar <shashaness at> wrote:
> >
> > Hi all,
> >
> > For the first time my primary name server is not reporting any more
> >
> > client XXX.XXX.XXX.XXX query (cache) './NS/IN' denied: 1 Time(s)
> >
> This is a DNS attack.
> Many DNS servers are meeting this kind of attack each day here.
> The traffic is huge; once I noticed the traffic to one of my NS hosts was 1.6G.
> It's a DDoS that will make your DNS unable to serve at all.
> Regards.
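
The denied root NS queries discussed in this thread can be tallied per client address from the named log; the following is an added example, not part of the original messages. The syslog-style line format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches BIND "query (cache) ... denied" lines for the root NS query only.
# Optional parts cover newer BIND formats: "@0x..." object id and "(qname)".
DENIED_ROOT_NS = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+"
    r"(?: \([^)]*\))?: query \(cache\) '\./NS/IN' denied"
)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Aug 19 20:01:02 ns1 named[812]: client 192.0.2.10#53211: query (cache) './NS/IN' denied
Aug 19 20:01:02 ns1 named[812]: client 192.0.2.10#40112: query (cache) './NS/IN' denied
Aug 19 20:01:03 ns1 named[812]: client 198.51.100.7#1025 (.): query (cache) './NS/IN' denied
Aug 19 20:01:03 ns1 named[812]: client 192.0.2.10#40113: query (cache) './NS/IN' denied
Aug 19 20:01:04 ns1 named[812]: client 203.0.113.5#5353: query (cache) 'example.com/A/IN' denied
Aug 19 20:01:05 ns1 named[812]: client 2001:db8::1#6000: query (cache) './NS/IN' denied
"""


def count_denied_root_ns(lines):
    """Return a Counter of client address -> number of denied './NS/IN' queries."""
    counts = Counter()
    for line in lines:
        match = DENIED_ROOT_NS.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def sources_over(counts, threshold):
    """Addresses at or above the threshold, as candidates for review.

    UDP source addresses can be spoofed, so a high count identifies the
    address named in the log, not necessarily the real sender.
    """
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = count_denied_root_ns(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{n:6d}  {ip}")
    print("at or over threshold:", sources_over(counts, 3))
```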