named log format (BIND 9.10.2)

rtwingfield


#1
I continue to receive query traffic as follows:
28-Feb-2018 08:24:19.885 queries: info: client 192.168.1.1#35561 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
28-Feb-2018 08:24:52.169 queries: info: client 192.168.1.1#32016 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
28-Feb-2018 08:25:27.664 queries: info: client 192.168.1.1#28753 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
Over the past months, these arrive approx. every thirty seconds. whois reveals that they come from:
inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
With apologies, I do not know how to interpret the format of the logged data, and I cannot find a clear, concise record layout for the logged data. It looks (to me) like they are looking for a PTR record . . . but why, and how can I prevent this from constantly recurring every thirty seconds? Their IP address may change if and when I add the address to a "black-ball" list.

They're hitting my server(s) like a DoS attack.
 

SirDice


#2
If you're not hosting an authoritative domain, make sure the DNS service isn't accessible from the outside world. If you do host an authoritative domain, make sure you're not allowing recursive queries; in other words, make sure it only resolves the hosted domain and cannot resolve anything else. It is quite common for misconfigured DNS servers to be abused in order to amplify a DDoS attack.

https://www.us-cert.gov/ncas/alerts/TA13-088A

But looking at the logs, it appears to be a local host, 192.168.1.1, that's trying to reverse resolve an IP address. So I would go and have a look at the 192.168.1.1 host to see what it's doing.
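
The field layout of the query-log lines quoted in this thread, as an added example that is not part of either post or of BIND itself: the address before "#" is the client that sent the query, the name after "query:" is what it asked for, and the last parenthesised address is the local address that received it. The function names are hypothetical, the flag letters follow the BIND ARM's description of the "queries" category, and the pattern assumes the 9.10-era layout shown in post #1.

```python
import ipaddress
import re
from collections import Counter

# The three lines quoted in post #1, embedded so the example runs offline.
SAMPLE = """\
28-Feb-2018 08:24:19.885 queries: info: client 192.168.1.1#35561 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
28-Feb-2018 08:24:52.169 queries: info: client 192.168.1.1#32016 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
28-Feb-2018 08:25:27.664 queries: info: client 192.168.1.1#28753 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
"""
# timestamp, category, severity, client#port, (name), name class type, flags, (local address)
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\((?P<orig>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*) \((?P<local>[^)]+)\)$"
)
# Letters that may follow the +/- recursion-desired marker.
FLAGS = {"S": "signed", "E": "EDNS", "T": "TCP", "D": "DO", "C": "CD"}

def ptr_target(qname):
    """Return the IPv4 address an in-addr.arpa name stands for, else None."""
    name = qname.rstrip(".").lower()
    if not name.endswith(".in-addr.arpa"):
        return None
    labels = name[: -len(".in-addr.arpa")].split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:  # partial or malformed reverse name
        return None

def parse_query_line(line):
    """Split one query-log line into named fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec["flags"].startswith("+")
    rec["options"] = [FLAGS[c] for c in rec["flags"][1:] if c in FLAGS]
    rec["looked_up_ip"] = ptr_target(rec["qname"]) if rec["qtype"] == "PTR" else None
    try:
        rec["client_is_private"] = ipaddress.ip_address(rec["client"]).is_private
    except ValueError:
        rec["client_is_private"] = None
    return rec

def top_talkers(text):
    """Count (client, looked-up address or name) pairs across a log excerpt."""
    recs = filter(None, map(parse_query_line, text.splitlines()))
    return Counter((r["client"], r["looked_up_ip"] or r["qname"]) for r in recs)
```

On the quoted lines, every query is a recursion-desired PTR lookup for 222.186.43.6 sent by the private client 192.168.1.1 to the server's 192.168.1.73 address.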
 