From: Jussi Hirvi <listmember at greenspot.fi>

> On 17.8.2012 8.18, John R Pierce wrote:
>> meh, if it's coming from lots of random hosts, then fail2ban style
>> techniques won't work. I assume this is an authoritative name server?
>> does it have recursive queries disabled so it can only return results
>> for the domain(s) it's authoritative for?
>
> Yes, it is authoritative. Recursive queries were open very widely. That
> may be why I started to get plenty of requests. But I think that 240 per
> second is not normal anymore, it must be malicious.
>
> I believe my name server was used as a mediator only, and the real
> target (through recursive queries) was some other public nameserver.
>
> This morning I restricted recursive queries to trusted networks only.
> The load dropped slowly to 20 % of what it was before.

Maybe it is this:
http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon/

JD
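
A way to confirm the change described in this thread (recursion restricted to trusted networks) from the outside, as an added example that is not code from any poster: it sends one recursion-desired query and classifies the reply by its header flags. The names `build_query`, `classify_response` and `probe`, and the transaction id, are assumptions made for the example; run `probe` against your own server from an untrusted address, with an existing name the server is not authoritative for.

```python
import socket
import struct

TXID = 0x1234  # constructed transaction id for the probe


def build_query(name, qtype=1, txid=TXID):
    """Build a DNS query for `name` (A record by default) with RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def classify_response(resp, txid=TXID):
    """Return 'open', 'refused' or 'no-recursion' from a reply header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must mark a response
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    if rcode == 5:  # REFUSED: recursion denied for this source
        return "refused"
    ra = bool(flags & 0x0080)  # recursion available
    aa = bool(flags & 0x0400)  # answer came from the server's own zones
    # RA set plus a non-authoritative answer means the server resolved a
    # foreign name on our behalf, i.e. recursion is open to this source.
    if ra and not aa and rcode == 0 and ancount > 0:
        return "open"
    return "no-recursion"  # no evidence of recursion in this reply


def probe(server, name, timeout=3.0):
    """Send one UDP query to `server` port 53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify_response(resp)
```

A result of `open` from an address outside the trusted networks means the restriction is not in effect for that source.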