RE: client ... query (cache) './NS/IN' denied:

2011-08-19 Thread Shawn Bakhtiar


I know... 

That is why I have been posting the IP addresses. I now block 3980 IP addresses 
from our NS servers. Most of them attempt to ssh to our www server and fail; 
when they do that, I block the IP. Some of the same IPs must have been running 
the DoS, since they are no longer able to do so on NS1. I have replicated the 
block list to NS2 to see if NS2 stops getting them as well; I should know by 
tomorrow.

On a related topic:
Is there any way to test for poisoning? How can you tell whether you are or are not 
poisoned?


 Date: Fri, 19 Aug 2011 09:33:29 +0800
 Subject: Re: client ... query (cache) './NS/IN' denied:
 From: short...@gmail.com
 To: shashan...@hotmail.com
 CC: bind-users@lists.isc.org
 
 On Fri, Aug 19, 2011 at 3:24 AM, Shawn Bakhtiar shashan...@hotmail.com 
 wrote:
 
  Hi all,
 
  For the first time my primary name server is not reporting any more
 
  client XXX.XXX.XXX.XXX query (cache) './NS/IN' denied: 1 Time(s)
 
 
 This is a DNS attack.
 Many DNS servers are meeting this kind of attack each day here.
 The traffic is huge; once I noticed the traffic to one of my NS hosts was 1.6G.
 It's a DDoS that will make your DNS unable to serve at all.
 
 Regards.
  ___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

client ... query (cache) './NS/IN' denied:

2011-08-18 Thread Shawn Bakhtiar


Hi all, 

For the first time my primary name server is not reporting any more

client XXX.XXX.XXX.XXX query (cache) './NS/IN' denied: 1 Time(s)

I use authfail on it to insert any IP that attempts to ssh in and fails more 
than three times. 

I checked the currently blocked IP addresses on NS1 (the name server) against 
the last list I saved, and this is the diff:

 iptables -I INPUT -s 203.116.40.105/32 -j DROP 
 iptables -I INPUT -s 75.98.70.11/32 -j DROP 
 iptables -I INPUT -s 202.93.212.37/32 -j DROP 
 iptables -I INPUT -s 41.222.10.230/32 -j DROP 
 iptables -I INPUT -s 193.231.27.8/32 -j DROP 
 iptables -I INPUT -s 75.102.10.231/32 -j DROP 
 iptables -I INPUT -s 77.222.43.28/32 -j DROP 
 iptables -I INPUT -s 67.205.103.187/32 -j DROP 
 iptables -I INPUT -s 173.246.100.44/32 -j DROP 
 iptables -I INPUT -s 147.102.208.41/32 -j DROP 
 iptables -I INPUT -s 113.31.19.111/32 -j DROP 


It has to be one or several of these IP addresses that are doing it. My NS2 
(secondary name server) is still doing it. I'm going to upload the entire 3980 
blocked IPs to it and see if it stops. If it does, the offender has to be 
somewhere in this list. :)

Is there also a good test to check and see if I can be / am poisoned?

Hope this helps,
Shawn



Re: client ... query (cache) './NS/IN' denied:

2011-08-18 Thread Feng He
On Fri, Aug 19, 2011 at 3:24 AM, Shawn Bakhtiar shashan...@hotmail.com wrote:

 Hi all,

 For the first time my primary name server is not reporting any more

 client XXX.XXX.XXX.XXX query (cache) './NS/IN' denied: 1 Time(s)


This is a DNS attack.
Many DNS servers are meeting this kind of attack each day here.
The traffic is huge; once I noticed the traffic to one of my NS hosts was 1.6G.
It's a DDoS that will make your DNS unable to serve at all.

Regards.
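Since the denied './NS/IN' log message is the signature Feng He identifies, here is an added Python example (not from the thread, and not BIND's own tooling) that tallies denied root-NS queries per client from a BIND query log, so the operator can see which sources generate them rather than inferring it from ssh failures. It assumes the standard BIND 9 `client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied` line shape, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumed BIND 9 query-log line shape:
#   <timestamp> security: info: client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied
# The sample lines below are constructed for this example, not taken from the thread.
SAMPLE_LOG = """\
19-Aug-2011 03:24:01.101 security: info: client 198.51.100.7#53: query (cache) './NS/IN' denied
19-Aug-2011 03:24:01.102 security: info: client 203.0.113.9#41234: query (cache) './NS/IN' denied
19-Aug-2011 03:24:01.150 security: info: client 198.51.100.7#53: query (cache) './NS/IN' denied
19-Aug-2011 03:24:02.003 general: info: zone example.net/IN: loaded serial 2011081901
19-Aug-2011 03:24:02.310 security: info: client 192.0.2.5#5353: query (cache) 'example.com/A/IN' denied
19-Aug-2011 03:24:02.777 security: info: client 198.51.100.7#53: query (cache) './NS/IN' denied
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^']*)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)


def parse_denied(lines):
    """Yield (client_ip, qname, qtype) for every 'query (cache) ... denied' line."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype")


def root_ns_sources(lines, min_hits=1):
    """Count denied './NS/IN' queries per client and return (ip, count) pairs,
    most frequent first, keeping only clients with at least min_hits.
    Caveat: in a reflection attack the client address is frequently the spoofed
    victim, so a busy source here may be the target of the flood, not its origin."""
    counts = Counter(ip for ip, name, qtype in parse_denied(lines)
                     if name == "." and qtype == "NS")
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n) for ip, n in ranked if n >= min_hits]


if __name__ == "__main__":
    for ip, n in root_ns_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip:<16} {n} denied root-NS queries")
```

Point it at `named`'s security/query log (for example `root_ns_sources(open("/var/log/named/security.log"))`) to rank real sources; ordinary denied lookups such as the `example.com/A/IN` line are ignored.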