On Fri, 10 Jan 2003, at 22:13 [=GMT-0800], Mark Petersen wrote:

> This is a bit off topic for this list, but I know a few of you run your
> own name servers, so I thought I'd ask. Over the past couple of days,
> we've noticed some very strange DNS traffic patterns on our servers.
> Tons of forward lookups from the same few hosts on a couple of domains
> over and over, and the same type of thing on a few IPs. Tons of reverse
> lookups for the same few IPs from 3 or 4 hosts over and over. And when
> I say "Tons" and "over and over", I mean thousands of requests in a
> matter of a few minutes.

You can blackhole the IPs the queries come from in named.conf by adding
them in the options section:

options {
        directory "/etc/namedb";
        version "Crackers die younger!";
        blackhole { 62.172.234.2; 12.234.42.233; 66.144.66.20; 66.144.66.21;
        216.13.93.241; 206.133.126.174; 38.241.107.60; };
};

Do a kill -HUP after changing the conf file.

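Added example (not part of the original message): one way to pick the addresses to list, by counting queries per client in a sliding window over a BIND query log and rendering a candidate blackhole statement. The BIND 9-style log line format, the 5-minute window, the 1000-query threshold and all function names are assumptions; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumed BIND 9-style query log line; adapt the pattern to your own log format.
LINE = re.compile(r"^(\S+ \S+) .*?client (?:@\S+ )?([0-9A-Fa-f.:]+)#\d+.*?: query: (\S+) IN (\S+)")

def parse(line):
    """Return (timestamp, client_ip, qname, qtype), or None for other lines."""
    m = LINE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        return ts, str(ip_address(m.group(2))), m.group(3).lower(), m.group(4)
    except ValueError:
        return None

def heavy_hitters(lines, window=timedelta(minutes=5), threshold=1000):
    """Map each client to its peak query count in any `window`, if >= threshold."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for rec in filter(None, map(parse, lines)):  # lines assumed in time order
        ts, ip = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def blackhole_clause(ips):
    """Render the addresses as a named.conf blackhole statement for review."""
    ordered = sorted(ips, key=lambda ip: (ip_address(ip).version, int(ip_address(ip))))
    return "blackhole { " + " ".join(ip + ";" for ip in ordered) + " };"

def sample_log():
    """Constructed log lines using documentation addresses (RFC 5737)."""
    start = datetime(2003, 1, 10, 22, 0, 0)
    def row(ms, ip, name, qtype):
        stamp = (start + timedelta(milliseconds=ms)).strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
        return f"{stamp} queries: info: client {ip}#32768: query: {name} IN {qtype} +"
    rows = [row(40 * i, "192.0.2.10", "www.example.com", "A") for i in range(3000)]
    rows += [row(120 * i, "198.51.100.7", "10.2.0.192.in-addr.arpa", "PTR") for i in range(1500)]
    rows += [row(60000 * i, "203.0.113.5", "mail.example.com", "MX") for i in range(5)]
    return rows

if __name__ == "__main__":
    print(blackhole_clause(heavy_hitters(sample_log())))
```

Review the generated statement before pasting it into named.conf, since a busy legitimate resolver can cross the threshold too.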