> From time to time I notice a large number of queries like these to one
> of my external dns servers:
>
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
<snip>
>
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.
> Thanks
>

I have the exact same problem with an ip inside State of Colorado
General Government Computer subnet :

    http://whois.arin.net/rest/org/SCGGC

Some server there has been pounding queries at me at a rate of 48,000+ a day :

# head -1 named.run
08-Oct-2012 17:40:49.733 now using logging configuration from config file
#
# grep "^08-Oct-2012" named.run | grep -c "165\.127\.10\.50"
12245
# grep "^09-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48200
# grep "^10-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48198
# grep "^11-Oct-2012" named.run | grep -c "165\.127\.10\.50"
47737
# grep "^12-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48345
# grep "^13-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48810
# grep "^14-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48385
# grep "^15-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48429
# grep "^16-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48768

Thus far today :

# grep "^17-Oct-2012" named.run | grep -c "165\.127\.10\.50"
37279

Queries show up in bunches, while the average is every 1.7 secs I see
dozens of queries all arrive nearly at the same time, then a ten second
pause, then again another burst.

Makes no sense to me what is going on there.

Dennis

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
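
Added example, not part of the original post: the per-day counts and the burst pattern described above, measured in one pass over the log instead of one grep per day. The function names, the sample lines and the assumed query-log layout (timestamp, then "client <ip>#<port>: query: ...") are assumptions; adjust the match if your logging channel prints extra fields.

```shell
#!/bin/sh
# Assumed line layout (BIND query log with timestamps):
#   DD-Mon-YYYY HH:MM:SS.mmm client <ip>#<port>: query: <name> IN <type> ...

# Per-day query count for one client, one pass over the log.
# Matching " client <ip>#" literally avoids 192.0.2.5 also counting 192.0.2.50.
daily_counts() {    # usage: daily_counts LOGFILE CLIENT_IP
    awk -v pat=" client $2#" '
        index($0, pat) { if (!($1 in n)) days[++d] = $1; n[$1]++ }
        END { for (i = 1; i <= d; i++) print days[i], n[days[i]] }
    ' "$1"
}

# Split one client's queries into bursts. A new burst starts when the gap
# since that client's previous query is >= GAP seconds, or the date changes.
burst_summary() {   # usage: burst_summary LOGFILE CLIENT_IP GAP_SECONDS
    awk -v pat=" client $2#" -v gap="$3" '
        function close_burst() { bursts++; if (size > max) max = size; size = 0 }
        index($0, pat) {
            split($2, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            if (seen && ($1 != day || now - prev >= gap)) close_burst()
            size++; total++; prev = now; day = $1; seen = 1
        }
        END {
            if (seen) close_burst()
            printf "bursts=%d max_burst=%d queries=%d\n", bursts, max, total
        }
    ' "$1"
}

# Constructed sample log lines (documentation addresses, not real traffic).
write_sample() {
    cat <<'EOF'
09-Oct-2012 10:00:00.101 client 192.0.2.50#40001: query: example.com IN A + (198.51.100.1)
09-Oct-2012 10:00:00.105 client 192.0.2.50#40002: query: example.com IN MX + (198.51.100.1)
09-Oct-2012 10:00:00.230 client 192.0.2.50#40003: query: example.com IN A + (198.51.100.1)
09-Oct-2012 10:00:03.000 client 203.0.113.9#5353: query: example.com IN A + (198.51.100.1)
09-Oct-2012 10:00:10.400 client 192.0.2.50#40004: query: example.com IN A + (198.51.100.1)
09-Oct-2012 10:00:10.410 client 192.0.2.50#40005: query: example.com IN NS + (198.51.100.1)
10-Oct-2012 09:15:00.000 client 192.0.2.50#40006: query: example.com IN A + (198.51.100.1)
EOF
}

sample=$(mktemp)
write_sample > "$sample"
daily_counts "$sample" 192.0.2.50
burst_summary "$sample" 192.0.2.50 5
rm -f "$sample"
```

A steady burst count with a near-constant burst size, as in the figures above, points to an automated client on a timer rather than ordinary resolver traffic.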