Looks like one of my name servers (CentOS 5) gets a lot of malicious queries. The CPU load is constantly about 3 %. I put on stricter limits on who is allowed recursive queries, but this does not affect the CPU load. I also updated BIND. I temporarily turned on querylog (command: rndc querylog), and noticed that I get over 200 queries like this per second:

> Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
> Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied
> Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied
> Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied

Are there any ways to mitigate this, or do I just have to wait?

- Jussi
On 08/16/12 9:54 PM, Jussi Hirvi wrote:
>> Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
>> Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied
>> Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied
>> Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied
>
> Are there any ways to mitigate this, or do I just have to wait?

Meh, if it's coming from lots of random hosts, then fail2ban style techniques won't work. I assume this is an authoritative name server? Does it have recursive queries disabled so it can only return results for the domain(s) it's authoritative for?

-- 
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast
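The querylog lines Jussi quoted, and John's point that fail2ban-style blocking is pointless when the sources are many and random, can both be checked directly against the log. What follows is an added example, not code from either poster: a small Python parser for BIND's "query (cache) '...' denied" log lines that reports the peak per-second rate, the number of distinct source addresses, how many hits the busiest single source accounts for, the most common question, and the share of queries arriving from source port 53. The sample log text is constructed here after the quoted lines; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses and the example.org/example.com names are placeholders. Many distinct sources each sending the same ANY question once, from source port 53, is the pattern consistent with reflection traffic whose source addresses are forged, which is why blocking sources one by one does not bring the load down.

```python
import re
from collections import Counter

# Regex for the "denied" lines named writes when a query is refused.  The field
# layout follows the lines quoted in the thread: syslog timestamp, host,
# "named[pid]:", client address#port, then the question as name/type/class.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)

# Constructed sample: the four lines from the thread plus one ordinary query
# (not a denial, so it is skipped) and two more denials, one from a high port.
SAMPLE_LOG = """\
Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:39 mx2 named[6873]: client 192.0.2.10#41253: query: example.org IN A + (198.51.100.2)
Aug 17 07:41:39 mx2 named[6873]: client 198.51.100.77#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:39 mx2 named[6873]: client 203.0.113.9#51432: query (cache) 'example.com/ANY/IN' denied
"""


def parse_denied(log_text):
    """Return one dict per denied-query line; lines in any other format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def summarize(log_text, spike_threshold=100):
    """Aggregate denied queries into the figures an operator needs to judge the traffic.

    spike_threshold is the per-second rate (an assumed value, tune it to the
    server's normal load) above which the summary flags a spike.
    """
    recs = parse_denied(log_text)
    if not recs:
        return {"denied_total": 0, "spike": False}

    per_second = Counter(r["ts"] for r in recs)
    per_client = Counter(r["ip"] for r in recs)
    per_question = Counter((r["name"], r["qtype"]) for r in recs)
    from_port_53 = sum(1 for r in recs if r["port"] == 53)

    peak_second, peak = max(per_second.items(), key=lambda kv: kv[1])
    _top_client, top_client_hits = per_client.most_common(1)[0]

    return {
        "denied_total": len(recs),
        "distinct_clients": len(per_client),
        "peak_second": peak_second,
        "peak_per_second": peak,
        "max_hits_from_one_client": top_client_hits,
        # If no single address sends even half the traffic, per-source blocking
        # (fail2ban and the like) cannot make much difference.
        "dominated_by_single_source": top_client_hits / len(recs) >= 0.5,
        "top_question": per_question.most_common(1)[0],
        "source_port_53_share": from_port_53 / len(recs),
        "spike": peak >= spike_threshold,
    }


if __name__ == "__main__":
    # Run on the constructed sample; to analyse a real log, pass open(path).read().
    for key, value in summarize(SAMPLE_LOG, spike_threshold=4).items():
        print(f"{key}: {value}")
```

Against the sample this reports six denials from six distinct addresses, a peak of four per second, a busiest source of one hit, and five of six queries from port 53 asking for ripe.net/ANY; on a real log from a server seeing 200 such queries a second the same figures show at a glance whether the traffic is spread across sources (as in the thread) or concentrated enough for source-based blocking to matter.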