DNS/BIND log question

Looking through my BIND log, I am seeing a lot of queries like this.

client: debug 3: client 166.111.8.29#53: UDP request
security: debug 3: client 166.111.8.29#53: request is not signed
client: debug 3: client 166.111.8.29#53: query
security: debug 3: client 166.111.8.29#53: query (cache) approved
client: debug 3: client 166.111.8.29#53: send
client: debug 3: client 166.111.8.29#53: sendto
client: debug 3: client 166.111.8.29#53: senddone
client: debug 3: client 166.111.8.29#53: next
client: debug 3: client 166.111.8.29#53: endrequest
client: debug 3: client @0x81a7a40: udprecv

My log file was growing so large from the thousands of requests from this IP and the other one, which I got over a few hours. I ended up blocking the other IP because of that.

What does the query "(cache)" mean?

Why am I getting so many from these two hosts?

Is it a security problem and how can I stop it?

Thanks,

Shahim
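To see which clients are producing the volume before deciding what to block, here is an added example (not from the thread) that parses BIND debug lines in the format shown above and counts, per client IP, the requests and the queries logged with the "(cache)" marker. The sample log is constructed from the lines in the post; the 192.0.2.10 client and the threshold of 2 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the BIND debug lines shown in the post, e.g.
#   security: debug 3: client 166.111.8.29#53: query (cache) approved
LINE_RE = re.compile(
    r"^(?P<category>\w+): debug \d+: client (?P<ip>[\d.]+)#(?P<port>\d+): (?P<msg>.*)$"
)

def summarize(log_lines):
    """Return {ip: Counter(requests=n, cache=n, unsigned=n)} per client IP.

    Only 'UDP request'/'TCP request' lines count as requests; the other
    lines (query, send, next, endrequest ...) are stages of the same
    request, so each query is counted once.
    """
    stats = defaultdict(Counter)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. 'client @0x81a7a40: udprecv' carries no IP
        ip, msg = m.group("ip"), m.group("msg")
        if msg.endswith(" request"):
            stats[ip]["requests"] += 1
        elif msg == "query (cache) approved":
            stats[ip]["cache"] += 1
        elif msg == "request is not signed":
            stats[ip]["unsigned"] += 1
    return dict(stats)

def noisy_clients(stats, threshold):
    """IPs whose request count meets the threshold, busiest first."""
    return sorted((ip for ip, c in stats.items() if c["requests"] >= threshold),
                  key=lambda ip: -stats[ip]["requests"])

# Constructed sample: two requests from the IP in the post, one from another host.
SAMPLE_LOG = """\
client: debug 3: client 166.111.8.29#53: UDP request
security: debug 3: client 166.111.8.29#53: request is not signed
client: debug 3: client 166.111.8.29#53: query
security: debug 3: client 166.111.8.29#53: query (cache) approved
client: debug 3: client 166.111.8.29#53: send
client: debug 3: client 166.111.8.29#53: endrequest
client: debug 3: client @0x81a7a40: udprecv
client: debug 3: client 166.111.8.29#53: UDP request
security: debug 3: client 166.111.8.29#53: query (cache) approved
client: debug 3: client 192.0.2.10#5353: UDP request
security: debug 3: client 192.0.2.10#5353: query approved
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in noisy_clients(stats, threshold=2):
        print(ip, dict(stats[ip]))
```

Run it against the real log (`summarize(open("named.log"))`) to rank clients by request count; a client whose queries are all "(cache)" approved is using the server as a recursive resolver rather than asking about zones it hosts.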

3 Replies

@shahim:

What does the query "(cache)" mean?
You're running a caching nameserver, right? Perhaps that is just an indicator that the answer came from your named's cache?

@shahim:

Why am I getting so many from these two hosts?
No idea. Either those machines are misconfigured, or someone's doing it intentionally…

@shahim:

Is it a security problem and how can I stop it?
I don't know if that is the fingerprint of any kind of attack (DoS, break-in, or otherwise). I'd say either turn off recursion, iptable's them off, or lock them out in your named.conf…

-Chris

After going to the Linode IRC, and with the help I got there, it turns out that someone has his domain pointing to my name server, and I was getting the requests for that domain.

I am trying to contact the registrar and the domain owner to fix that.

I guess he had a caching server on my IPs before.

Regardless of the problem, you'll probably want to split your nameservers from your DNS cache. See http://cr.yp.to/djbdns/separation.html for more info.
