On Sun 05/Apr/2026 19:06:47 +0200 Grant Taylor wrote:
> On 4/4/26 6:50 AM, Alessandro Vesely wrote:
>> Yesterday I got 124,646 queries in ten minutes, between 1:50 and 2:00 AM UTC,
>> from 4,287 different IPs. The top IP was
>> 2001:19f0:5401:2e01:5400:3ff:fed1:9863 with 47,304 queries for 5,261
>> subdomains, e.g. serverselect.tana.it, nu.tana.it, ll.tana.it,
>> ghsms.tana.it, dragoner.tana.it, cinemathe.tana.it, bluefire.tana.it,
>> umk.tana.it, tyche.tana.it, tsvb.tana.it.
>> I'm not sure how to filter for sub-domains.
> In the distant past I've used iptables' L7 filtering capability to filter out
> queries for a fixed domain name. In short, I constructed the hexadecimal
> sequence at a position to look for and dropped the packet.

I don't think it's worth bringing up the kernel when named can do it. Now I've
rate-limited nxdomains-per-second to 2. (Perhaps I should've set 1.)

>> When I designed the firewall, I didn't bother monitoring UDP connections to
>> port 53. It seemed to me like named could take care of itself. However, I
>> didn't configure any intrusion prevention features either. Are there any I
>> should enable?

Response rate limiting (see Nick's reply).

> I'm surprised that the queries came from so many different (likely spoofed)
> IPs. It seems like if it was a reflected attack (to likely spoofed IPs) there
> wouldn't be that many sources. Was there any commonality to the source IPs?
> Aggregate network? ASN?

They taste like DoS attacks, only they're too weak to be effective. I'd guess
something like keeping fit for it. I usually get swarms of connections to 443,
without querying anything, from a bunch of hosts of the same ISP, and cannot find
any other explanation for this activity.
Best
Ale
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.
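Grant's iptables approach, worked through as an added example (this is not code from the thread or from BIND): a POSIX shell helper that turns a query name into the DNS wire-format hex pattern that iptables' `-m string --hex-string` expects, plus a function that prints a DROP rule built around it. The function names are my own. The `--from 40` offset assumes IPv4 without options (20-byte IP header, 8-byte UDP header, 12-byte DNS header), so the scan window starts exactly at QNAME; the `--to` value assumes the string match only fires when the whole pattern lies inside the window, which is what pins the match to the full name rather than to any query that merely ends in it. For IPv6 the same rule would use ip6tables with offsets 60 and 60 + pattern length.

```sh
#!/bin/sh
# Added example, not from the bind-users thread.
# DNS encodes a name on the wire as <len><label>...<len><label>0x00,
# so nu.tana.it becomes |02 6e 75 04 74 61 6e 61 02 69 74 00|.
# That is exactly the byte string iptables' string match can look for.

# Print the hex pattern for a name; fails on an empty or over-long label.
dns_name_hex() {
    name=${1%.}                        # drop a trailing dot if present
    out=""
    oldifs=$IFS
    IFS=.
    for label in $name; do
        len=${#label}
        if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then
            IFS=$oldifs
            return 1                   # not a legal DNS label
        fi
        # length byte followed by the label bytes as hex pairs
        hexlabel=$(printf '%s' "$label" | od -An -tx1 | tr -d '\n')
        out="$out $(printf '%02x' "$len")$hexlabel"
    done
    IFS=$oldifs
    set -- $out                        # word-split to normalise spacing
    printf '|%s 00|\n' "$*"            # terminating root label
}

# Print an iptables rule dropping UDP queries for exactly this name.
# Assumptions (labelled as such in the lead-in): IPv4 without options,
# so QNAME starts at byte 40, and the whole pattern must fit inside the
# --from/--to window.  --icase covers mixed-case query names.
iptables_drop_rule() {
    pattern=$(dns_name_hex "$1") || return 1
    # number of bytes in the pattern = number of hex pairs between the bars
    nbytes=$(printf '%s' "$pattern" | tr -d '|' | wc -w)
    from=40
    to=$((from + nbytes))
    printf 'iptables -A INPUT -p udp --dport 53 -m string --algo bm --icase --from %s --to %s --hex-string "%s" -j DROP\n' \
        "$from" "$to" "$pattern"
}

# Usage: show the pattern and the rule for one of the names from the thread.
dns_name_hex nu.tana.it
iptables_drop_rule nu.tana.it
```

Note the limitation that matches Ale's concern: without the `--to` bound, the pattern for tana.it (`|04 74 61 6e 61 02 69 74 00|`) is also a suffix of every *.tana.it query, so a plain `--from 40` rule would drop all of them, legitimate names included. A rule per fixed name therefore scales badly against thousands of random subdomains, which is where named's own rate limiting is the better tool.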