DNS/BIND log question
client: debug 3: client 166.111.8.29#53: UDP request
security: debug 3: client 166.111.8.29#53: request is not signed
client: debug 3: client 166.111.8.29#53: query
security: debug 3: client 166.111.8.29#53: query (cache) approved
client: debug 3: client 166.111.8.29#53: send
client: debug 3: client 166.111.8.29#53: sendto
client: debug 3: client 166.111.8.29#53: senddone
client: debug 3: client 166.111.8.29#53: next
client: debug 3: client 166.111.8.29#53: endrequest
client: debug 3: client @0x81a7a40: udprecv
My log file was growing so large from the thousands of reqests from this IP and the other one which I got over few hours. I ended up blocking the other IP because of that.
What does the query "(cache)" mean?
Why I am I getting so many form these two hosts?
Is it a security problem and how can I stop it?
Thanks,
Shahim
3 Replies
@shahim:
What does the query "(cache)" mean?
You're running a caching nameserver, right? Perhaps that is just an indicator that the answer came from your named's cache?
@shahim:
Why I am I getting so many form these two hosts?
No idea. Either those machines are misconfigured, or someone's doing it intentionally…
@shahim:
Is it a security problem and how can I stop it?
I don't know if that is the fingerprint of any kind of attack (DoS, break-in, or otherwise). I'd say either turn off recursion, iptable's them off, or lock them out in your named.conf…
-Chris
I am trying to contact the registrar and the domain owner to fix that.
I guess he had a caching server on my IPs before.
http://cr.yp.to/djbdns/separation.html