lots of dns requests from China, should I worry?

Posted by nn4l on Server Fault See other posts from Server Fault or by nn4l
Published on 2012-04-07T10:58:30Z Indexed on 2012/04/07 11:33 UTC
Read the original article Hit count: 261

Filed under:

dns

|

bind

|

ddos

I have turned on dns query logs, and when running "tail -f /var/log/syslog" I see that I get hundreds of identical requests from a single ip address:

Apr  7 12:36:13 server17 named[26294]: client 121.12.173.191#10856: query: mydomain.de IN ANY +
Apr  7 12:36:13 server17 named[26294]: client 121.12.173.191#44334: query: mydomain.de IN ANY +
Apr  7 12:36:13 server17 named[26294]: client 121.12.173.191#15268: query: mydomain.de IN ANY +
Apr  7 12:36:13 server17 named[26294]: client 121.12.173.191#59597: query: mydomain.de IN ANY +

The frequency is about 5 - 10 requests per second, going on for about a minute. After that the same effect repeats from a different IP address. I have now logged about 10000 requests from about 25 ip addresses within just a couple of hours, all of them come from China according to "whois [ipaddr]".

What is going on here? Is my name server under attack? Can I do something about this?

© Server Fault or respective owner

Related posts about dns

Master/Slave DNS setup vs. rsync'ed DNS servers

as seen on Server Fault - Search for 'Server Fault'
We currently have primary and secondary DNS servers on our corporate network. They are setup in a master/slave type setup, where the slave gets its DNS information from the master. I'm trying to figure out what the real advantage is for the master/slave setup instead of just setting up an automated… >>> More
Updating Windows DNS records from a remote windows DNS server

as seen on Server Fault - Search for 'Server Fault'
Does anyone know if it is possible for a windows 2003 DNS server to update the records for a domain so that it contains all the records of a domain of of a remotely based DNS server? Im almost certain that doesn't quite explain the problem so I shall illustrate with an example: We have two offices… >>> More
OpenVPN DNS: VPN DNS stomping local VPN

as seen on Super User - Search for 'Super User'
I've finally noodled with OpenVPN enough to get it working. Even better, I can mount samba drives, ping network machines through the TUN device, etc - it's all great. However, I'm noticing that if I have the directive: push "dhcp-option DNS 10.0.1.1" # Push our local DNS to clients Then some of… >>> More
Random DNS Client Issue with BIND9/Windows Server 2003 DNS

as seen on Stack Overflow - Search for 'Stack Overflow'
Within our office, we have a local server running DNS, for internal related "domains", (e.g. .internal, .office, .lan, .vpn, etc.). Randomly, only the hosts configured with those extensions will stop resolving on the Windows-based workstations. Sometimes it'll work for a couple weeks without issue… >>> More
DNS Tools - DNS and Few of its Concerning Terms and Tools

as seen on Article City - Search for 'Article City'
A DNS or Domain Name System lets you locate computers on a network or the Internet TCP/IP network by domain name. The DNS server sustains a database of domain names or host names along with their cor... [Author: Daisy Osbaldo - Computers and Internet - April 02, 2010] >>> More

Related posts about bind

ubuntu bind9 AppArmor read permission denied (chroot jail)

as seen on Server Fault - Search for 'Server Fault'
I am trying to run bind9 with chroot jail. I followed the steps mentioned at : http://www.howtoforge.com/debian_bind9_master_slave_system I am getting the following errors in my syslog: Jul 27 16:53:49 conf002 named[3988]: starting BIND 9.7.3 -u bind -t /var/lib/named Jul 27 16:53:49 conf002 named[3988]:… >>> More
setting up bind to work with nsupdate (SERVFAIL)

as seen on Server Fault - Search for 'Server Fault'
I'm trying to update my DNS-Server dynamically using nsupdate. Prerequisite I'm using Debian 6 on my DNS-Server and Debian 4 on my client. I created a public/private key pair using: dnssec-keygen -C -a HMAC-MD5 -b 512 -n USER sub.example.com. I then edited my named.conf.local to contain my public… >>> More
BIND DNS Master with Zerigo Slaves - BIND won't update the slave servers

as seen on Server Fault - Search for 'Server Fault'
I've tried to resolve this myself and have looked through Google and Stack but haven't found the answer I'm looking for. Currently on a VPS server I have BIND DNS installed as a MASTER DNS Server. I use Zerigo's DNS service as SLAVE servers for public use: The Master doesn't receive queries - It's… >>> More
How do I prevent directories mounted with 'bind' from appearing on 'Devices' on nautilus?

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have these lines in the fstab # binds /media/DataNtfs/Music /home/can/Music none rw,bind /media/DataNtfs/Pictures /home/can/Pictures none rw,bind /media/DataNtfs/Downloads /home/can/Downloads none rw,bind /media/DataNtfs/Documents… >>> More
C++ question: boost::bind receive other boost::bind

as seen on Stack Overflow - Search for 'Stack Overflow'
I want to make this code work properly, what should I do? giving this error on the last line. what am I doing wrong? i know boost::bind need a type but i'm not getting. help class A { public: template <class Handle> void bindA(Handle h) { h(1, 2); } }; class B { public: void… >>> More