Hello,

Firstly, I know this issue has already been covered in some depth here. I've spent hours perusing the archives and researching this online, and am still not sure about what I'm seeing. This weekend, I migrated two old Solaris 5.7 boxes running BIND 9.2 over to two new CentOS systems running BIND 9.6. The migration was a success; however, right away I began seeing tons of these in our logs:

19-Jul-2009 10:34:29.635 client 84.235.6.53#1276: query (cache) ' 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:29.640 client 85.115.125.204#53150: query (cache) ' server41.appriver.com/A/IN' denied
19-Jul-2009 10:34:29.718 client 213.133.115.147#23725: query (cache) ' wwequip.com/AAAA/IN' denied
19-Jul-2009 10:34:29.769 client 121.1.3.66#57014: query (cache) ' asialink.com.ph/MX/IN' denied
19-Jul-2009 10:34:29.889 client 216.250.255.47#4465: RFC 1918 response from Internet for 87.193.30.172.in-addr.arpa
19-Jul-2009 10:34:29.937 client 156.111.204.136#7736: query (cache) ' www.reuters.nsatc.net/A/IN' denied
19-Jul-2009 10:34:29.975 client 121.1.3.66#13490: query (cache) ' asialink.com.ph/MX/IN' denied
19-Jul-2009 10:34:30.004 client 84.235.6.53#34256: query (cache) ' 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:30.074 client 65.55.81.4#5693: query (cache) ' mosquera.com.ar/A/IN' denied
19-Jul-2009 10:34:30.124 client 84.235.6.53#2893: query (cache) ' 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:30.190 client 84.235.6.53#57257: query (cache) ' 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied

There are a total of 26000 IPs hitting us daily and causing these queries. Of these, only a handful are sending a lot of traffic, maybe a few dozen. The worst sent 37000 queries yesterday. I'm trying to determine if this is reflector attack behavior or if some of these hosts were successfully using our servers for DNS in the past. Our server is refusing these queries and I believe the old servers did so as well. Is there anything I can do to filter or otherwise reduce these hits?

Again, I'm sorry for rehashing an old subject, but I don't have this figured out.

Thanks,
Brad
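The per-client counting described in the message above can be done with a short log summary. This is an added example, not part of the original post: the sample lines are the ones quoted in the message, and the function names `summarize` and `top_talkers` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Log lines copied from the excerpt quoted in the message above.
SAMPLE_LOG = """\
19-Jul-2009 10:34:29.635 client 84.235.6.53#1276: query (cache) ' 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:29.640 client 85.115.125.204#53150: query (cache) ' server41.appriver.com/A/IN' denied
19-Jul-2009 10:34:29.718 client 213.133.115.147#23725: query (cache) ' wwequip.com/AAAA/IN' denied
19-Jul-2009 10:34:29.769 client 121.1.3.66#57014: query (cache) ' asialink.com.ph/MX/IN' denied
19-Jul-2009 10:34:29.889 client 216.250.255.47#4465: RFC 1918 response from Internet for 87.193.30.172.in-addr.arpa
19-Jul-2009 10:34:29.937 client 156.111.204.136#7736: query (cache) ' www.reuters.nsatc.net/A/IN' denied
19-Jul-2009 10:34:29.975 client 121.1.3.66#13490: query (cache) ' asialink.com.ph/MX/IN' denied
19-Jul-2009 10:34:30.004 client 84.235.6.53#34256: query (cache) ' 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:30.074 client 65.55.81.4#5693: query (cache) ' mosquera.com.ar/A/IN' denied
19-Jul-2009 10:34:30.124 client 84.235.6.53#2893: query (cache) ' 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
19-Jul-2009 10:34:30.190 client 84.235.6.53#57257: query (cache) ' 6q6vszqgm.w8n08fo0.taha.com/A/IN' denied
"""

# Matches only "query (cache) ... denied" entries; tolerates a space after the quote.
DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '\s*(?P<name>[^/']+)/(?P<qtype>[\w-]+)/(?P<qclass>\w+)' denied"
)

def summarize(lines):
    """Return {client_ip: {"total": n, "ports": set, "questions": Counter}}."""
    stats = defaultdict(lambda: {"total": 0, "ports": set(), "questions": Counter()})
    for line in lines:
        m = DENIED.search(line)
        if not m:  # e.g. the "RFC 1918 response" line is not a denied query
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        s["ports"].add(int(m["port"]))
        s["questions"][(m["name"].lower(), m["qtype"])] += 1
    return dict(stats)

def top_talkers(stats, n=5):
    """Rows of (ip, denied queries, distinct questions, distinct source ports)."""
    rows = [(ip, s["total"], len(s["questions"]), len(s["ports"])) for ip, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:n]

if __name__ == "__main__":
    for ip, total, names, ports in top_talkers(summarize(SAMPLE_LOG.splitlines())):
        print(f"{ip:<18} denied={total:<4} distinct_questions={names:<3} source_ports={ports}")
```

Run over a full day's log, the same table shows which of the clients account for most of the denied queries and whether each one keeps repeating a single question or asks for many different names.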