[143114] in North American Network Operators' Group
RE: DNS DoS ???
daemon@ATHENA.MIT.EDU (Drew Weaver)
Fri Jul 29 17:01:09 2011
From: Drew Weaver <drew.weaver@thenap.com>
To: 'Elliot Finley' <efinley.lists@gmail.com>, "nanog@nanog.org"
<nanog@nanog.org>
Date: Fri, 29 Jul 2011 17:00:31 -0400
In-Reply-To: <CACRGtSOSPm12YE3S=n801ooun32VrXsRfP7yqO55kcHMSnss9A@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
We've been seeing this for several years on and off.
thanks,
-Drew
-----Original Message-----
From: Elliot Finley [mailto:efinley.lists@gmail.com]
Sent: Friday, July 29, 2011 2:51 PM
To: nanog@nanog.org
Subject: DNS DoS ???
my DNS servers were getting slow so I blocked recursive queries for
all but my own network.
Then I was getting so many of these:
ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied
that it was still slowing things down. I've since written a script to
watch the log and throw these into the box's local firewall. If I
expire the entries after 24 hours then I accumulate about 10200 unique
IPs. If I expire after 48 hours, then it's just over 20000 unique
IPs.
Is anyone else seeing this?
Elliot
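The log-watching script Elliot describes (parse BIND's "query (cache) ... denied" lines, collect the client addresses, block them locally, expire entries after 24 or 48 hours) is easy to get subtly wrong, so here is an added worked example of that procedure in Python. It is not Elliot's script or anything posted to the thread; it assumes a Linux box with iptables, the exact log format quoted above, and it only renders the iptables commands as strings rather than executing them. The sample log lines are constructed for the example (the first client address is the one from the post, 192.0.2.17 is a documentation address). One caveat a practitioner would want: these are UDP queries, so the "client" address in the log can be a spoofed victim rather than the sender, and a per-address firewall rule then blocks that victim's legitimate lookups; dropping only UDP/53 from the address, as below, limits the collateral damage.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Regex for the BIND log line quoted in the post:
#   "client A.B.C.D#port: query (cache) 'name/type/IN' denied"
# search() tolerates a syslog prefix (timestamp, host, program[pid]) before "client".
DENIED_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)


def parse_denied(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client_ip, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    return m.group("ip"), m.group("qname"), m.group("qtype")


class DeniedQueryTracker:
    """Remember which client addresses sent denied recursive queries and forget
    each one once it has been silent for longer than `ttl` (the 24h/48h windows
    described in the post). `hits` counts lines per address."""

    def __init__(self, ttl: timedelta):
        self.ttl = ttl
        self.last_seen: Dict[str, datetime] = {}
        self.hits: Dict[str, int] = {}

    def observe(self, line: str, now: datetime) -> Optional[Tuple[str, str, str]]:
        parsed = parse_denied(line)
        if parsed is None:
            return None
        ip = parsed[0]
        self.last_seen[ip] = now
        self.hits[ip] = self.hits.get(ip, 0) + 1
        return parsed

    def expire(self, now: datetime) -> List[str]:
        """Drop entries not seen within the TTL; return the addresses removed."""
        gone = [ip for ip, t in self.last_seen.items() if now - t > self.ttl]
        for ip in gone:
            del self.last_seen[ip]
            del self.hits[ip]
        return gone

    def active(self) -> List[str]:
        return sorted(self.last_seen)


def block_rules(ips: List[str]) -> List[str]:
    """One iptables command per address (hypothetical rule shape, assumes Linux).
    Only UDP/53 is dropped, so a spoofed victim keeps every other kind of access;
    the commands are returned as strings, not run."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP" for ip in ips]


# Constructed sample lines in the same format as the one quoted in the post;
# the last line is unrelated BIND noise the parser must ignore.
SAMPLE_LOG = [
    "Jul 29 14:40:01 ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied",
    "Jul 29 14:40:02 ns2 named[5056]: client 192.0.2.17#53011: query (cache) 'isc.org/ANY/IN' denied",
    "Jul 29 14:40:03 ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied",
    "Jul 29 14:40:04 ns2 named[5056]: unexpected RCODE (SERVFAIL) resolving 'example.net/A/IN'",
]


def replay(lines: List[str], start: datetime, ttl: timedelta):
    """Feed the lines one second apart, then advance the clock past the TTL.
    Returns (active addresses before expiry, hit counts, rules, expired after TTL)."""
    tracker = DeniedQueryTracker(ttl)
    for i, line in enumerate(lines):
        tracker.observe(line, start + timedelta(seconds=i))
    active = tracker.active()
    hits = dict(tracker.hits)
    rules = block_rules(active)
    expired = tracker.expire(start + ttl + timedelta(seconds=len(lines)))
    return active, hits, rules, expired


def demo():
    """Run the sample through a 24-hour window, as in the post."""
    return replay(SAMPLE_LOG, datetime(2011, 7, 29, 14, 40, 1), timedelta(hours=24))


if __name__ == "__main__":
    active, hits, rules, expired = demo()
    print("unique offending clients in window:", len(active), hits)
    for rule in rules:
        print(rule)
    print("expired after TTL:", expired)
```

In production the tracker would be fed by tailing the named log (or by BIND's query-errors channel) and `expire()` would run on a timer, removing the matching rule for each returned address; the "unique IPs per window" figure Elliot reports is simply `len(tracker.active())`.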