What are these entries in the log file - " query: . IN NS +"?
Noel Butler
noel.butler at ausics.net
Mon Jan 26 22:28:22 UTC 2009
On Tue, 2009-01-27 at 07:45, Tony Toews [MVP] wrote:
> Folks
>
> Warning - I know just enough about Bind to be dangerous. Which is why I'm asking.
>
> I just noticed that our small scale Bind server has a lot of the following lines.
>
> 26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
> 26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: query: . IN NS +
> 26-Jan-2009 14:29:00.691 client 63.217.28.226#35549: query: . IN NS +
> 26-Jan-2009 14:29:26.332 client 76.9.16.171#19817: query: . IN NS +
>
> As far as I can tell from the same 5 or 20 IP addresses. I haven't seen these lines
> before.
>
This is not your config, so long as you are not answering that's fine.
It's a forged request asking you to participate in a DDoS that's been
going on since last Wednesday,
it's best if you firewall off your replies to those IPs so you don't
participate in harming the innocent victims.
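
Added example, not part of the original message or of BIND: a small Python parser for the query-log line format quoted above that counts ". IN NS" queries per client address, so the repeated sources can be reviewed for the reply filtering suggested in the reply. The function names, the threshold and the last two sample lines (192.0.2.10) are constructed for illustration.

```python
import re
from collections import Counter

# Matches the query-log line format quoted in the message above:
#   <date> <time> client <addr>#<port>: query: <name> <class> <type> <flags>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)

def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def root_ns_sources(lines, threshold=2):
    """Count '. IN NS' queries per client address.

    Returns {address: count} for addresses seen at least `threshold` times.
    The addresses are the claimed sources; in this traffic they are forged,
    so they identify the targets, not the senders.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["name"], rec["cls"], rec["type"]) == (".", "IN", "NS"):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# First four lines are from the message; the last two are constructed.
SAMPLE_LOG = """\
26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: query: . IN NS +
26-Jan-2009 14:29:00.691 client 63.217.28.226#35549: query: . IN NS +
26-Jan-2009 14:29:26.332 client 76.9.16.171#19817: query: . IN NS +
26-Jan-2009 14:29:30.100 client 192.0.2.10#40000: query: www.example.com IN A +
26-Jan-2009 14:29:31.200 client 192.0.2.10#40001: query: . IN NS +
""".splitlines()

if __name__ == "__main__":
    # A single root NS query (192.0.2.10) stays below the threshold.
    for ip, n in sorted(root_ns_sources(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} root NS queries")
```
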