Hi, I'm getting lots of log lines like the following:
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:27 30 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144

Is that meant to be a DoS attack? Yesterday I got 42639 of those, from 41 different IPs, the most frequent clients looking like so:

821-north:~$ sed -rn 's/^.{15} 30 north named[^:]*: client @0x[0-9a-f]* ([0-9.]*)#[0-9]* ...: view external: query failed .REFUSED. for ..IN.ANY at .........bin.named.query.c:7144/\1/p' < /var/log/daemon.log.0 |sort |uniq -c |sort -rn |head
   4957 68.42.225.19
   2914 73.73.73.73
   2868 24.21.125.251
   2783 193.70.81.112
   2440 73.73.3.73
   2273 101.71.138.9
   2032 74.74.74.8
   1814 98.25.235.45
   1785 209.94.134.20
   1756 73.109.143.81

I looked up some of these on AbuseIPDB, and I see there are a few people reporting them for the same DDoS. Are the queries refused because of the dot (.)?

In the query log, I also found some 28 IN ANY queries from 7 IPs for xxx.at.fragolina.it, which probably got away with a NXDOMAIN. This morning, queries for IN ANY are filling up 63% of total queries. Named seems to be pretty quick at discarding them. I'm wondering whether it takes more resources to track and firewall those IPs or just ignore them. I'd also be curious about what they are after. Is there a protest against RFC 8482? It looks pretty nonsensical.

Any insight?

Best
Ale
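The sed pipeline in the post counts REFUSED ANY queries per client; the following is an added example (not from the post or from ISC) that does the same from a parsed record, so the same data can also be split by view, qname or qtype. The sample lines are the three quoted above plus two constructed ones; the field names are assumptions.

```python
import re
from collections import Counter

# Shape of a BIND 9 "query failed" line as quoted in the post (hostname prefix ignored).
QUERY_FAILED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"view (?P<view>\S+): query failed \((?P<rcode>\w+)\) "
    r"for (?P<name>\S+?)/(?P<qclass>\w+)/(?P<qtype>\w+) at "
)


def parse_line(line):
    """Return the fields of one named query-failed line, or None for any other line."""
    m = QUERY_FAILED.search(line)
    return m.groupdict() if m else None


def refused_by_client(lines, qtype="ANY", view="external"):
    """Count REFUSED queries of one type per source IP (what the sed|sort|uniq pipeline does)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rcode"] == "REFUSED" and rec["qtype"] == qtype and rec["view"] == view:
            counts[rec["ip"]] += 1
    return counts


# Constructed sample: the three lines from the post, one made-up REFUSED A query from
# another (documentation-range) address, and one unrelated zone-load line.
SAMPLE = """\
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:27 30 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:36:02 30 north named[22233]: client @0x7fe0fc2a3b80 198.51.100.7#53011 (example.test): view external: query failed (REFUSED) for example.test/IN/A at ../../../bin/named/query.c:7144
Jan 12 04:36:05 30 north named[22233]: zone example.test/IN: loaded serial 2024011201
"""

if __name__ == "__main__":
    for ip, n in refused_by_client(SAMPLE.splitlines()).most_common():
        print(n, ip)
```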