Ping me offline, there are a few other folks who have seen this as well.  The 
isc.org record is commonly used in reflection attacks because the size of the 
record is so large, so the amplification factor is greatly increased.  Can you 
check to see if +edns=0 was set in the query?  That would be a sure sign this 
is related to what others have seen...

Sorry for the top post, I'm on my iPad.

Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant

Sent from my iPad

On Jul 29, 2011, at 2:51 PM, Elliot Finley <efinley.li...@gmail.com> wrote:

> my DNS servers were getting slow so I blocked recursive queries for
> all but my own network.
> 
> Then I was getting so many of these:
> 
> ns2 named[5056]: client 78.159.111.190#25345: query (cache)
> 'isc.org/ANY/IN' denied
> 
> that it was still slowing things down.  I've since written a script to
> watch the log and throw these into the box local firewall.  If I
> expire the entries after 24 hours then I accumulate about 10200 unique
> IPs.  If I expire after 48 hours, then it's just over 20000 unique
> IPs.
> 
> Is anyone else seeing this?
> 
> Elliot
> 
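
Added example, not part of the original thread and not Elliot's script: one way to implement the log-watching approach described in the quoted message, parsing denied `isc.org/ANY/IN` lines and expiring client entries after a TTL. The syslog timestamp prefix, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# BIND "denied" line for a cache query, as quoted in the message above,
# prefixed by a syslog timestamp (assumed format; syslog omits the year).
DENIED = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<qtype>\w+)/IN' denied$"
)

def parse_denied(line, year):
    """Return (timestamp, client_ip, qname, qtype) or None if no match."""
    m = DENIED.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["name"].lower(), m["qtype"]

def active_entries(lines, now, ttl, year=2011):
    """Map client IP -> (hits, last_seen) for denied ANY queries newer than ttl."""
    seen = {}
    for line in lines:
        rec = parse_denied(line, year)
        if rec is None or rec[3] != "ANY":
            continue
        ts, ip = rec[0], rec[1]
        hits, last = seen.get(ip, (0, ts))
        seen[ip] = (hits + 1, max(last, ts))
    # Expire stale entries. In a reflection attack the logged client is the
    # spoofed target, so a short TTL limits how long that address stays blocked.
    return {ip: v for ip, v in seen.items() if now - v[1] <= ttl}

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = """\
Jul 28 09:00:00 ns2 named[5056]: client 192.0.2.10#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 28 15:10:00 ns2 named[5056]: client 198.51.100.7#4411: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:40:00 ns2 named[5056]: client 198.51.100.7#4412: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:41:00 ns2 named[5056]: client 203.0.113.5#53: query (cache) 'example.com/A/IN' denied
Jul 29 14:42:00 ns2 named[5056]: client 2001:db8::1#6000: query (cache) 'isc.org/ANY/IN' denied
""".splitlines()

if __name__ == "__main__":
    now = datetime(2011, 7, 29, 14, 51)
    for hours in (24, 48):
        live = active_entries(SAMPLE, now, timedelta(hours=hours))
        print(hours, "h:", sorted(live))
```
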
