On 03/08/2022 19:08, Mark Milhollan wrote:
> On Tue, 2 Aug 2022, Robert Moskowitz wrote:
>
>> I just, maybe, figured out why I have been having problems with my
>> CentOS DNS server with BIND 9.11.4.
>>
>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 64.68.114.141#39466 (.): view external: query (cache) './A/IN' denied
>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 62.109.204.22#4406 (.): view external: query (cache) './A/IN' denied
>> Aug 2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518
>> (.): view external: query (cache) './A/IN' denied
>> Aug 2 15:47:50 onlo named[6155]: client @0xaa882dc8
>> 114.29.202.117#9584 (.): view external: query (cache) './A/IN' denied
>
> Usually that's someone hoping to use you in a reflection attack, which
> is successful since UDP can be forged but it hasn't got the volume it
> might if you answered differently (with a referral). Sometimes it is a
> policy denial attack, hoping you will block the apparent source thus
> denying it service.
>
> The only way to stop it is for all others to employ BCP 38 which will
> likely never happen, or for you to stop allowing outside use of your
> nameserver which means having someone else handle DNS for you (which
> just seems to stop it, from your perspective).
>
> It shouldn't cause problems unless your server is vastly underpowered.
> What problems are you experiencing?
>
> Enabling rate limiting in BIND can help. https://kb.isc.org/docs/aa-00994
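A defender-side triage check over BIND "query (cache) ... denied" lines of the shape quoted above, as an added example that is not part of the thread. The sample lines are constructed with RFC 5737 documentation addresses, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample input mirroring the BIND 9.11 log format in the thread
# (documentation addresses only; the last line is unrelated zone noise).
SAMPLE_LOG = """\
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 192.0.2.10#11205 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 198.51.100.7#64956 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 203.0.113.25#39466 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 192.0.2.10#38518 (.): view external: query (cache) './A/IN' denied
Aug  2 15:48:02 onlo named[6155]: client @0xaa882dc8 198.51.100.7#9584 (www.example.com): view external: query (cache) 'www.example.com/A/IN' denied
Aug  2 15:48:03 onlo named[6155]: zone example.com/IN: loaded serial 2022080201
"""

# Matches the "client <handle> <ip>#<port> (<qname>): view <view>: query (cache)
# '<name>/<type>/<class>' denied" message; the @0x... handle is optional.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): "
    r"view (?P<view>\S+): query \(cache\) "
    r"'(?P<name>[^/]*)/(?P<type>[^/]+)/(?P<class>[^']+)' denied"
)

def parse_denied(line):
    """Return the fields of one denied-query line, or None for other lines."""
    m = DENIED_RE.search(line)
    return m.groupdict() if m else None

def parse_records(lines):
    """Parse all denied-query lines, silently skipping everything else."""
    return [r for r in (parse_denied(l) for l in lines) if r is not None]

def per_source_counts(records):
    """Denied queries per apparent source address (triage only: likely forged)."""
    return Counter(r["ip"] for r in records)

def root_query_sources(records):
    """Distinct apparent sources asking for the root name '.' (the pattern above)."""
    return {r["ip"] for r in records if r["name"] == "."}

def looks_like_reflection_probe(records, min_sources=3):
    """Heuristic from the thread: the same root query arriving from many
    apparent sources is reflection/probe traffic. Since UDP sources can be
    forged, treat this as a trigger for response rate limiting, not for
    blocking the listed addresses (that would be the 'policy denial' outcome)."""
    return len(root_query_sources(records)) >= min_sources

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG.splitlines())
    print(per_source_counts(recs), looks_like_reflection_probe(recs))
```

The per-source counts are for triage only; as the thread notes, those addresses are probably spoofed, so the remedy is BIND's response rate limiting (the `rate-limit` block in the `options` section of named.conf, documented at the ISC link above) rather than an ACL against them.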