A large number of "ANY" query type queries

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Mar 28 08:21:28 UTC 2012


On Wed, Mar 28, 2012 at 04:08:33PM +0800,
 ShanyiWan <wsy at 114.com.cn> wrote 
 a message of 104 lines which said:

> On the DNS server, a large number of "ANY" type queries occur, why?

Probably the reflection+amplification attack which goes on, especially
in China, for several months. CNCERT knows about it so I suggest you
contact them.

https://lists.dns-oarc.net/pipermail/dns-operations/2011-December/007852.html
http://dyn.com/active-incident-notification-recent-chinanetany-query-floods/

> The same IP address, produced a large number of requests within a
> very short period of time. Can I block these IPs?

You probably should not. The source IP address is forged, it is the
address of the victim. If you block it, the victim will not be able to
talk to your name servers.
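
Added example, not part of the original message: one way to spot the pattern discussed above is to count "ANY" queries per source address in a sliding time window over the BIND query log. The log line layout, the sample lines, the function name and the thresholds are assumptions made for illustration; since the flagged addresses are likely the forged addresses of victims, the output is meant for alerting or for a report to a CERT, not as a block list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in BIND 9 querylog style (assumed layout, not real traffic).
SAMPLE_LOG = "\n".join(
    [f"28-Mar-2012 08:21:0{s}.000 client 198.51.100.7#{4000 + s}: "
     "query: example.cn IN ANY +E (192.0.2.53)" for s in range(6)]
    + ["28-Mar-2012 08:21:03.500 client 203.0.113.9#5353: "
       "query: www.example.cn IN A + (192.0.2.53)",
       "28-Mar-2012 08:21:04.500 client 203.0.113.9#5354: "
       "query: example.cn IN ANY + (192.0.2.53)"])

# Accepts the older "client IP#port:" form and the newer "client @0x... IP#port (name):" form.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+.*?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

def any_flood_sources(log_text, window_seconds=10, threshold=5):
    """Return {source_ip: peak ANY-query count in any window} for sources >= threshold."""
    stamps_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"] != "ANY":
            continue  # unparsable line or a non-ANY query
        stamps_by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = peak = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans at most window_seconds.
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, peak in any_flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} ANY queries within 10s (source is probably spoofed)")
```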


