[BlueOnyx:12749] Re: DNS 5106R

Michael Stauber mstauber at blueonyx.it
Tue Apr 2 18:44:41 -05 2013


Hi Gerald,

> snippet from /var/log/messages
> 
> <<<<
> Apr  2 11:50:33 msi3 named[17006]: client 192.151.156.252#39108: query (cache) './ANY/IN' denied
> Apr  2 11:50:33 msi3 named[17006]: client 76.95.158.78#40370: query (cache) './ANY/IN' denied
> Apr  2 11:50:33 msi3 named[17006]: client 199.217.117.95#29174: query (cache) './ANY/IN' denied
> Apr  2 11:50:33 msi3 named[17006]: client 76.95.158.78#40370: query (cache) './ANY/IN' denied
> Apr  2 11:50:33 msi3 named[17006]: client 200.58.97.2#35459: query (cache) './ANY/IN' denied
> Apr  2 11:50:33 msi3 named[17006]: client 76.95.158.78#40370: query (cache) './ANY/IN' denied
> Apr  2 11:50:33 msi3 named[17006]: client 200.58.97.2#35459: query (cache) './ANY/IN' denied
> Apr  2 11:50:33 msi3 named[17006]: client 200.58.97.2#34075: query (cache) './ANY/IN' denied
> 
> allow DNS Query Access
> and
>   allow queries from everyone are both checked

Yes, but those are "ANY?" requests and they went to the cache. So they
were not for DNS records that you are authoritative for.

One of two things might have happened there: If you have cache/recursion
turned off (which I assume), then these requests were legitimately denied.

Secondly: If these requests came with a frequency that was too high
("ANY?" queries are used in this DDoS attack), then the rate-limits may
have kicked in and blocked the perpetrators. But as far as I remember
from my tests the blocking is logged a bit more descriptively.

-- 
With best regards

Michael Stauber
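To tell the two cases apart that the reply describes (a stray ANY lookup against a non-recursive cache versus a burst of them that looks like an ANY amplification flood), it helps to look at the rate per client rather than the raw denial lines. The script below is an added example written for this page, not BlueOnyx or BIND code: it parses the `named` syslog format quoted in the thread, counts `./ANY/IN` cache denials per client per second, and lists the clients whose peak rate meets a threshold. The sample input reuses the eight quoted lines plus two constructed lines (one normal query log line and one unrelated sshd line) so the parser has something to skip; the threshold value is an assumption, not a documented BIND setting.

```python
"""Spot './ANY/IN' denial floods in BIND (named) syslog output.

Added example for this thread; not part of BlueOnyx or BIND.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the lines quoted in the thread, plus one ordinary
# query-log line and one non-named line so the parser has noise to skip.
SAMPLE_LOG = """\
Apr  2 11:50:33 msi3 named[17006]: client 192.151.156.252#39108: query (cache) './ANY/IN' denied
Apr  2 11:50:33 msi3 named[17006]: client 76.95.158.78#40370: query (cache) './ANY/IN' denied
Apr  2 11:50:33 msi3 named[17006]: client 199.217.117.95#29174: query (cache) './ANY/IN' denied
Apr  2 11:50:33 msi3 named[17006]: client 76.95.158.78#40370: query (cache) './ANY/IN' denied
Apr  2 11:50:33 msi3 named[17006]: client 200.58.97.2#35459: query (cache) './ANY/IN' denied
Apr  2 11:50:33 msi3 named[17006]: client 76.95.158.78#40370: query (cache) './ANY/IN' denied
Apr  2 11:50:33 msi3 named[17006]: client 200.58.97.2#35459: query (cache) './ANY/IN' denied
Apr  2 11:50:33 msi3 named[17006]: client 200.58.97.2#34075: query (cache) './ANY/IN' denied
Apr  2 11:50:34 msi3 named[17006]: client 10.0.0.5#53211: query: example.com IN A + (10.0.0.1)
Apr  2 11:50:35 msi3 sshd[2211]: Accepted publickey for root from 10.0.0.9 port 51022 ssh2
"""

# Matches only "query (<scope>) '<name>/<type>/<class>' denied" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \((?P<scope>\w+)\) '(?P<name>[^']+?)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)


def parse_denials(text):
    """Return one dict per 'query ... denied' line; all other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def any_denials_per_second(records):
    """Peak number of './ANY/IN' cache denials in any single second, per client IP.

    Rate is the signal, not the total: one ANY lookup for the root is harmless,
    a burst of them inside one second is the shape of an ANY-based
    amplification flood (or of a resolver wrongly pointed at this server).
    """
    per_ip_per_sec = defaultdict(Counter)
    for r in records:
        if r["scope"] == "cache" and r["name"] == "." and r["qtype"] == "ANY":
            per_ip_per_sec[r["ip"]][r["ts"]] += 1
    return {ip: max(secs.values()) for ip, secs in per_ip_per_sec.items()}


def suspects(records, per_second_threshold=3):
    """Clients whose peak './ANY/IN' denial rate meets the threshold, busiest first.

    per_second_threshold is an assumed cut-off for this example; tune it to
    the query volume the server normally sees.
    """
    peaks = any_denials_per_second(records)
    hot = [(ip, n) for ip, n in peaks.items() if n >= per_second_threshold]
    return sorted(hot, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    recs = parse_denials(SAMPLE_LOG)
    print(f"{len(recs)} denial lines parsed")
    for ip, peak in sorted(any_denials_per_second(recs).items()):
        print(f"{ip:<18} peak {peak} './ANY/IN' denials in one second")
    print("suspects:", suspects(recs))
```

One caveat before acting on the output: in a reflection attack the source address on these queries is usually the spoofed victim, not the attacker, so a blanket firewall block of the listed IPs mostly punishes the victim. The list is more useful for confirming that recursion is off and that rate limiting is engaging than as a block list.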
