Stopping ddos

Tue Aug 2 20:02:58 UTC 2022

Recently I have been having problems with my server not responding to my 
requests.  I thought it was all sorts of issues, but I finally looked at 
the logs and:

Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 
(.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 
114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 
(.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 
209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 
114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 
(.): view external: query (cache) './A/IN' denied
Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 
(.): view external: query (cache) './A/IN' denied
Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 
(.): view external: query (cache) './A/IN' denied

grep -c denied messages
45868

And that is just since Jul 31 3am.

This is fairly recent so I never looked into what I might do to protect 
against this.  I am the master for my domain, so I do need to allow for 
legitimate queries.

Any best practices on this?

I am running bind 9.11.4

thanks