I started getting a ton of these in my DNS logs a few days ago:
Jan 19 05:33:47 comp named[4488]: client 76.9.31.42#55056: query (cache) './NS/IN' denied
Jan 19 05:33:53 comp named[4488]: client 76.9.31.42#30931: query (cache) './NS/IN' denied
Jan 19 05:33:59 comp named[4488]: client 76.9.31.42#31789: query (cache) './NS/IN' denied
Jan 19 05:34:06 comp named[4488]: client 76.9.31.42#38458: query (cache) './NS/IN' denied
Jan 19 05:34:12 comp named[4488]: client 76.9.31.42#31734: query (cache) './NS/IN' denied
Jan 19 05:34:18 comp named[4488]: client 76.9.31.42#52640: query (cache) './NS/IN' denied
Jan 19 05:34:24 comp named[4488]: client 76.9.31.42#12441: query (cache) './NS/IN' denied
Jan 19 05:34:30 comp named[4488]: client 76.9.31.42#20453: query (cache) './NS/IN' denied
I started getting a ton of these in my DNS logs a few days ago:
Jan 19 05:33:47 comp named[4488]: client 76.9.31.42#55056: query (cache) './NS/IN' denied
Jan 19 05:33:53 comp named[4488]: client 76.9.31.42#30931: query (cache) './NS/IN' denied
Jan 19 05:33:59 comp named[4488]: client 76.9.31.42#31789: query (cache) './NS/IN' denied
Jan 19 05:34:06 comp named[4488]: client 76.9.31.42#38458: query (cache) './NS/IN' denied
Jan 19 05:34:12 comp named[4488]: client 76.9.31.42#31734: query (cache) './NS/IN' denied
Jan 19 05:34:18 comp named[4488]: client 76.9.31.42#52640: query (cache) './NS/IN' denied
Jan 19 05:34:24 comp named[4488]: client 76.9.31.42#12441: query (cache) './NS/IN' denied
Jan 19 05:34:30 comp named[4488]: client 76.9.31.42#20453: query (cache) './NS/IN' denied
Doing some research on the IPs, I’ve been seeing some talk about a potential DDoS attack in progress. Basically it’s flooding the spoofed source with replies. To counter this, I thought I would create a rule in fail2ban to block if there are 50 of these in a short span. This effectively is working, but I’m wondering if should just block the problem sources until the storm has passed. Currently, these are the IPs I’m seeing
69.50.142.110
76.9.16.171
76.9.31.42
69.50.142.11
66.230.160.1
66.230.128.15
There are few mentions of this on the web. Dshield seems to be the most active so far:
http://www.dshield.org/indexd.html
There is also a only tool at isc.sans.org where you can verify if your DNS server responds to “.” queries with a full list of root name servers. The link is here:
http://isc1.sans.org/dnstest.html
As you can also see, I commented below with a fail2ban rule to identify and block these.. if they’re being denied.