I noticed that queries for isc.org would come from numerous IP addresses, but the source port would stay consistent for long periods of time. A little jiggery with daemon.log and I got the report below, where the first column is the number of occurrences of the source port (the # separator was changed to a space for the sort/uniq field definition). The port number is the only field I used in this; the IP address shown below is just one of many hits for that port.
Commands used were:

    sed -e 's/#/ /' /var/log/daemon.log | sort -k 8 > ~/sorted
    uniq -c -d -f 8 ~/sorted | sort -n -r -k 1 | more

Does it make sense to look at source port for any level of rate limiting?

4085406 Apr 1 00:00:00 ns3 named[3407]: client 178.32.36.37 25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
113613 Apr 1 00:06:28 ns3 named[3407]: client 5.135.134.141 26451 (isc.org): query (cache) 'isc.org/ANY/IN' denied
37086 Apr 2 00:10:44 ns3 named[3407]: client 108.59.9.97 49940 (isc.org): query (cache) 'isc.org/ANY/IN' denied
6388 Apr 1 17:22:07 ns3 named[3407]: client 91.102.165.40 41819 (isc.org): query (cache) 'isc.org/ANY/IN' denied
5703 Apr 3 01:28:24 ns3 named[3407]: client 178.32.62.37 57335 (isc.org): query (cache) 'isc.org/ANY/IN' denied
4513 Apr 3 01:41:15 ns3 named[3407]: client 69.60.109.62 32743 (isc.org): query (cache) 'isc.org/ANY/IN' denied
4009 Apr 1 13:29:08 ns3 named[3407]: client 85.180.66.207 28943 (isc.org): query (cache) 'isc.org/ANY/IN' denied
3410 Apr 1 21:18:15 ns3 named[3407]: client 5.135.134.141 38299 (isc.org): query (cache) 'isc.org/ANY/IN' denied
3225 Apr 3 02:07:16 ns3 named[3407]: client 46.105.191.93 31198 (isc.org): query (cache) 'isc.org/ANY/IN' denied
2505 Apr 1 00:01:18 ns3 named[3407]: limit responses to 216.226.125.0/24
2504 Apr 1 00:01:06 ns3 named[3407]: stop limiting error responses to 216.226.125.0/24
2280 Mar 31 22:55:43 ns3 named[3407]: client 5.135.134.141 18406 (isc.org): query (cache) 'isc.org/ANY/IN' denied
2231 Apr 2 00:10:44 ns3 named[3407]: client 108.59.9.97 53501 (isc.org): query (cache) 'isc.org/ANY/IN' denied
2178 Apr 1 15:49:56 ns3 named[3407]: client 178.32.244.171 45813 (isc.org): query (cache) 'isc.org/ANY/IN' denied
1845 Apr 2 18:20:23 ns3 named[3407]: client 62.75.246.181 14716 (isc.org): query (cache) 'isc.org/ANY/IN' denied
1704 Mar 31 15:20:48 ns3 named[3407]: client 176.31.24.240 35853 (isc.org): query (cache) 'isc.org/ANY/IN' denied
1325 Apr 1 14:27:54 ns3 named[3407]: client 37.43.129.10 14898 (isc.org): query (cache) 'isc.org/ANY/IN' denied
1049 Apr 1 18:45:47 ns3 named[3407]: client 178.32.62.37 34424 (isc.org): query (cache) 'isc.org/ANY/IN' denied
1043 Apr 1 20:40:06 ns3 named[3407]: client 5.135.134.141 48733 (isc.org): query (cache) 'isc.org/ANY/IN' denied
1033 Apr 1 13:29:08 ns3 named[3407]: client 85.180.66.207 43639 (isc.org): query (cache) 'isc.org/ANY/IN' denied
1022 Apr 1 19:02:39 ns3 named[3407]: client 208.98.0.3 61182 (isc.org): query (cache) 'isc.org/ANY/IN' denied

These are all records where the count was above 1000.

-- 
William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
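The counting the post does with sed/sort/uniq, as an added example that is not part of William Brown's message or of BIND itself: a small Python parser for the `named` "query (cache) ... denied" lines, keyed on source port rather than client address. Besides the hit count per port it records how many distinct client addresses shared that port, which is the signal the post describes (many addresses, one port). That matters because BIND's response rate limiting groups clients by address prefix, as the "limit responses to 216.226.125.0/24" lines show, so a flood spread over many networks but sharing a source port is never seen as one client by it. The log lines below are constructed (RFC 5737 documentation addresses), the regex accepts both the raw `ip#port` form and the space-separated form produced by the sed in the post, and the thresholds in `suspicious_ports` are illustrative, not recommended values.

```python
import re
from collections import defaultdict

# Constructed sample in the daemon.log layout quoted in the thread
# (RFC 5737 addresses; not real traffic). Three different clients share
# source port 25345, one client uses two ordinary ephemeral ports, and one
# line is an RRL message that the parser must ignore.
SAMPLE_LOG = """\
Apr  1 00:00:00 ns3 named[3407]: client 203.0.113.10#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:01 ns3 named[3407]: client 198.51.100.7#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:01 ns3 named[3407]: client 192.0.2.44 25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:02 ns3 named[3407]: client 203.0.113.10#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:02 ns3 named[3407]: client 192.0.2.9#51234 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:03 ns3 named[3407]: client 192.0.2.9#51235 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:01:18 ns3 named[3407]: limit responses to 192.0.2.0/24
""".splitlines()

# Client address and port, separated by '#' (raw BIND 9 log) or by a
# space (after the post's sed substitution), followed by the denied query.
LINE_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)[# ](?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query \(cache\) '(?P<rr>[^']*)' denied"
)


def summarize_by_port(lines):
    """Return {port: {"hits": n, "ips": {addr, ...}}} over denied queries.

    Lines that are not query-denied records (e.g. RRL messages) are skipped.
    """
    summary = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m.group("port"))
        summary[port]["hits"] += 1
        summary[port]["ips"].add(m.group("ip"))
    return dict(summary)


def suspicious_ports(summary, min_hits=3, min_ips=2):
    """Ports hit at least min_hits times from at least min_ips distinct
    client addresses, busiest first.

    A single fixed source port reused across many addresses is the pattern
    the post observed; per-address (or per-prefix) limiting does not group
    those requests together, so this view complements it. Thresholds are
    illustrative only and should be tuned against a real log.
    """
    hits = (
        port for port, s in summary.items()
        if s["hits"] >= min_hits and len(s["ips"]) >= min_ips
    )
    return sorted(hits, key=lambda p: summary[p]["hits"], reverse=True)


def report(summary):
    """Render the summary like the post's 'count first' listing."""
    rows = sorted(summary.items(), key=lambda kv: kv[1]["hits"], reverse=True)
    return [f"{s['hits']:>8} port {port:<5} from {len(s['ips'])} address(es)"
            for port, s in rows]


if __name__ == "__main__":
    summary = summarize_by_port(SAMPLE_LOG)
    print("\n".join(report(summary)))
    print("ports shared across clients:", suspicious_ports(summary))
```

To run it against a real file, replace `SAMPLE_LOG` with `open("/var/log/daemon.log")`; the parser does not require the `#` to have been rewritten first. Note that for a stateless UDP flood the "client" address is whatever the sender put in the packet, so a shared source port across many addresses is evidence about the sending tool, not about the hosts that appear in the log.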
