Three NameServer DOSing my <dns1>

Dave Sparro dsparro at gmail.com
Wed Jul 28 14:11:52 UTC 2010


On 7/28/2010 5:53 AM, Michelle Konzack wrote:
> Hello Experts,
>
> my primary NameServer <dns1.tamay-dogan.net> is hit by more than 600.000
> requests per day coming mainly from three NameServers:
>
> ----[ '/var/log/named.log' ]--------------------------------------------
> Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.318 security: info: client 194.25.2.173#34455: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.568 security: info: client 145.253.2.7#39557: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.747 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.033 security: info: client 145.253.2.7#42608: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.229 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.341 security: info: client 194.25.2.173#51045: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.596 security: info: client 145.253.2.7#38208: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.792 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
> Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.081 security: info: client 145.253.2.7#52958: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
> Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.284 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
> ------------------------------------------------------------------------
>

That host name does show up in your e-mail headers.  That may
be why there are some people curious about that host name.

If the repeat traffic really bothers you, I'd bet that you could
get them to go away by giving a better answer than "REFUSED"
to their query.  If you want to keep your private.tamay-dogan.net
zone private, you could use views to keep the zone from existing
for the Internet side of your connection.

I'd even be tempted to ditch the allow-query ACL so that they could get 
the michelle1.private.tamay-dogan.net/A/IN == 192.168.0.65 answer (at 
least temporarily).
I'd be even more tempted to ignore the noise in your log file.  BIND is 
just letting you know it is doing exactly what you configured it to do.

-- 
Dave
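
Added example, not part of the original post or of BIND: before deciding whether the denied queries are noise or worth acting on, a tally of the log by client and by question shows who is asking and how often. The function name `summarize` and the regular expression are this example's own; the sample input is the first six lines of the log excerpt quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the BIND "security" category line format shown in the post
# (a query refused by the allow-query ACL). Newer BIND releases add extra
# fields to this line, so adjust the pattern for your version.
DENIED = re.compile(
    r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/[^/']+' denied"
)

def summarize(lines):
    """Tally denied queries per client and per (qname, qtype), plus the rate."""
    clients, questions, stamps = Counter(), Counter(), []
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not a denied-query line
        clients[m["ip"]] += 1
        questions[(m["qname"].lower(), m["qtype"])] += 1
        stamps.append(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"))
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {
        "total": len(stamps),
        "clients": clients,
        "questions": questions,
        "per_second": len(stamps) / span if span else 0.0,
    }

# First six lines of the log excerpt quoted in the post.
SAMPLE = """\
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.318 security: info: client 194.25.2.173#34455: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.568 security: info: client 145.253.2.7#39557: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.747 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.033 security: info: client 145.253.2.7#42608: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.229 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.341 security: info: client 194.25.2.173#51045: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"{report['total']} denied queries, {report['per_second']:.2f}/s")
    for ip, n in report["clients"].most_common():
        print(f"  {ip:<15} {n}")
    for (qname, qtype), n in report["questions"].most_common():
        print(f"  {qname} {qtype} {n}")
```

On a full log, a short list of clients all repeating the same one or two questions matches the pattern described in the thread: resolvers retrying a name that only ever gets a refusal.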



More information about the bind-users mailing list