named log format (BIND 9.10.2)


Well-Known Member


I continue to receive query traffic as follows:
28-Feb-2018 08:24:19.885 queries: info: client ( query: IN PTR + (
28-Feb-2018 08:24:52.169 queries: info: client ( query: IN PTR + (
28-Feb-2018 08:25:27.664 queries: info: client ( query: IN PTR + (
Over the past months, these arrive approx. every thirty seconds. whois reveals that they come from
inetnum: -
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
With apologies, I do not know how to interpret the format of the logged data, and I cannot find a clear, concise record layout for the logged data. It looks (to me) like they are looking for a PTR record ... but why, and how can I prevent this from constantly recurring every thirty seconds? Their IP address may change if and when I add the address to a "black-ball" list.

They're hitting my server(s) like a DoS attack.


Staff member


If you're not hosting an authoritative domain make sure the DNS service isn't accessible from the outside world. If you do host an authoritative domain make sure you're not allowing recursive queries, in other words, make sure it only resolves the hosted domain and cannot resolve anything else. It is quite common for mis-configured DNS servers to be abused in order to amplify a DDoS attack.

But looking at the logs, it appears to be a local host that's trying to reverse resolve an IP address. So I would go and have a look at the host to see what it's doing.
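
Added example, not part of the thread or of BIND's own code: a small parser for the "queries" log line layout documented for BIND 9.10 (client address#port, query name, class, type, flags, then the server address that received the query), which also reports how often each client repeats. The function names and the sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout of a BIND 9.10 "queries" category line:
# <date> <time> queries: info: client <ip>#<port> (<qname>): query: <qname> <class> <type> <flags> (<server-ip>)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+) \((?P<orig>[^)]*)\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*) \((?P<server>[^)]+)\)$"
)
FLAGS = {"+": "recursion desired", "-": "recursion not desired", "S": "signed",
         "E": "EDNS", "T": "TCP", "D": "DNSSEC OK", "C": "checking disabled"}

def parse_line(line):
    """Return a dict of fields, or None if the line is not a query log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    rec["flags"] = [FLAGS.get(c, c) for c in rec["flags"]]
    return rec

def repeat_clients(lines, min_hits=3):
    """Map client -> (hits, mean seconds between queries) for repeat senders."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        seen[rec["client"]].append(rec["ts"])
    out = {}
    for client, stamps in seen.items():
        if len(stamps) >= min_hits:
            stamps.sort()
            span = (stamps[-1] - stamps[0]).total_seconds()
            out[client] = (len(stamps), round(span / max(len(stamps) - 1, 1), 1))
    return out

# Constructed sample lines; addresses are documentation ranges, not the poster's data.
SAMPLE = [
    "28-Feb-2018 08:24:19.885 queries: info: client 192.0.2.10#40001 (1.2.0.192.in-addr.arpa): query: 1.2.0.192.in-addr.arpa IN PTR + (198.51.100.53)",
    "28-Feb-2018 08:24:52.169 queries: info: client 192.0.2.10#40002 (1.2.0.192.in-addr.arpa): query: 1.2.0.192.in-addr.arpa IN PTR + (198.51.100.53)",
    "28-Feb-2018 08:25:00.000 general: info: zone example.test/IN: loaded serial 1",
    "28-Feb-2018 08:25:01.500 queries: info: client 203.0.113.7#53111 (example.test): query: example.test IN A -E (198.51.100.53)",
    "28-Feb-2018 08:25:27.664 queries: info: client 192.0.2.10#40003 (1.2.0.192.in-addr.arpa): query: 1.2.0.192.in-addr.arpa IN PTR + (198.51.100.53)",
]

if __name__ == "__main__":
    print(repeat_clients(SAMPLE))
```

A `+` in the flags field means the client asked for recursion, and the final address in parentheses is the local address the query arrived on.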