named query (cache)

Migdiradmin (Verified User, joined Jan 5, 2020, 158 messages)
I see this in my logs. Do I have to do anything to prevent this?

I don't recognize these domains and IPs.

Code:
server named[3091]: client @0x7f1cf00c6370 34.205.87.215#36354 (tjhhbsnjggqfim.com): query (cache) 'tjhhbsnjggqfim.com/AAAA/IN' denied
server named[3091]: client @0x7f1cf00c6370 34.205.87.215#34518 (tjhhbsnjggqfim.com): query (cache) 'tjhhbsnjggqfim.com/SOA/IN' denied
server named[3091]: client @0x7f1cf00c6370 34.205.87.215#53468 (tjhhbsnjggqfim.com): query (cache) 'tjhhbsnjggqfim.com/A/IN' denied
server named[3091]: client @0x7f1cf00c6370 3.231.225.187#34563 (pomgaypetpkigr.com): query (cache) 'pomgaypetpkigr.com/SOA/IN' denied
server named[3091]: client @0x7f1cf00c6370 3.231.225.187#34855 (pomgaypetpkigr.com): query (cache) 'pomgaypetpkigr.com/A/IN' denied
server named[3091]: client @0x7f1cf00c6370 3.231.225.187#48870 (pomgaypetpkigr.com): query (cache) 'pomgaypetpkigr.com/AAAA/IN' denied
 
You can safely ignore them. Those are mostly bots or hackers trying to use your nameserver to look up domains; we see the same.
Since it says "denied", their request is denied so it's all good.

I wouldn't worry about it. If you want to change logging, you can change the options in /etc/named.conf to your needs:
 
Even if it is a DNS flood?
Yes, unless you have an idea to block queries to your server without also having queries to your customer domains blocked. If you have ideas about that, I'm interested.

Using "print-time yes" is an option. I have some logging in place which generates different log files for named things. It's just what one wants.
 
Yes, unless you have an idea to block queries to your server without also having queries to your customer domains blocked. If you have ideas about that, I'm interested.
Not sure what's wrong with blocking IPs (considering they are not spoofed) which are sending tons of DNS queries for non-existent domains to your (production?) server?
 
No, nothing wrong with that indeed, if they are indeed flooding, as long as one takes care that no legitimate DNS is blocked by accident.
Blocking them... well... how, with a regexp in CSF or something like that? You probably can, with the risk that you block spoofed IPs. That's of course everybody's own choice, if it's indeed a flood of tons of queries.
Blocking IPs still means the traffic reaches your server, so I don't know for sure if it really fixes things.

I only pointed out that if it's not a real flood, you can just ignore them, which is better in that case.
 
Blocking IPs still means the traffic reaches your server, so I don't know for sure if it really fixes things.
Yes, there must be custom rules and these things must be under supervision, but then you don't need to waste your server resources on processing that kind of stuff. If you are running separate DNS servers (as I do) and they are half-idling 99.9% of the time, then (perhaps) there is no point in putting in additional effort. That doesn't mean you are safe, though.
 
But then you don't need to waste your server resources on processing that kind of stuff
But instead you waste personal time on supervision, and extra blocking lines in the firewall also cost resources if there are that many. How often does one encounter a DNS flood? We do have separate DNS servers and almost never see a DNS flood.
One is never 100% safe.
So I partly agree with you. One should do something against it if one encounters big DNS floods that cause trouble more often.
But if it's seldom, or almost never, it's better to just ignore the flood lines.
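The thread's rule of thumb is to ignore isolated "query (cache) ... denied" lines and act only on a real flood. The following is an added example, not code from the thread, from BIND or from CSF, that makes that decision measurable: it parses the denied-query lines BIND writes when a client outside allow-recursion / allow-query-cache asks for recursion (assuming the standard syslog timestamp and hostname prefix, which the original poster trimmed from his paste), counts them per client IP in a sliding window, and lists the clients that exceed a threshold. The sample log lines, the 198.51.100.7 client, the window and threshold values, the assumed year and the csf -d suggestion lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# BIND logs one of these lines for every recursive lookup it refuses because the
# client is outside allow-recursion / allow-query-cache. The "@0x..." client handle
# is optional because older BIND releases do not print it. The syslog timestamp and
# hostname prefix are assumed; the poster trimmed them from the lines in the thread.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>\w+)/IN' denied$"
)


def parse_denied(lines, year=2020):
    """Yield (timestamp, client_ip, qname, qtype) for each denied cache query.
    Syslog lines carry no year, so the caller supplies one (2020 is assumed here)."""
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:
            continue  # any other named log line (zone loads, notifies, ...) is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["qname"].lower(), m["qtype"]


def find_flooders(lines, window_seconds=60, threshold=100, year=2020):
    """Return {ip: (peak_count, distinct_names)} for clients that sent at least
    `threshold` denied queries inside some span of `window_seconds`.
    A sliding window per client catches bursts that straddle a minute boundary."""
    window = timedelta(seconds=window_seconds)
    stamps_by_ip = defaultdict(list)
    names_by_ip = defaultdict(set)
    for ts, ip, qname, _qtype in parse_denied(lines, year):
        stamps_by_ip[ip].append(ts)
        names_by_ip[ip].add(qname)

    flooders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop stamps older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flooders[ip] = (peak, len(names_by_ip[ip]))
    return flooders


def suggest_blocks(flooders):
    """Turn the flooder list into CSF deny commands for a human to review.
    Nothing is executed here: UDP source addresses can be spoofed, so an operator
    should confirm the source before blocking, as the thread warns."""
    return [
        f'csf -d {ip} "DNS flood: {count} denied queries in one window, {names} names"'
        for ip, (count, names) in sorted(flooders.items())
    ]


# Constructed sample log. The quiet client mirrors the lines posted in the thread
# (with a syslog prefix added); the noisy 198.51.100.7 client is invented and
# sends 150 denied queries for 150 different names inside 30 seconds.
QUIET = [
    "Jan  5 10:00:01 ns1 named[3091]: client @0x7f1cf00c6370 34.205.87.215#36354 (tjhhbsnjggqfim.com): query (cache) 'tjhhbsnjggqfim.com/AAAA/IN' denied",
    "Jan  5 10:00:01 ns1 named[3091]: client @0x7f1cf00c6370 34.205.87.215#34518 (tjhhbsnjggqfim.com): query (cache) 'tjhhbsnjggqfim.com/SOA/IN' denied",
    "Jan  5 10:00:02 ns1 named[3091]: client @0x7f1cf00c6370 34.205.87.215#53468 (tjhhbsnjggqfim.com): query (cache) 'tjhhbsnjggqfim.com/A/IN' denied",
    "Jan  5 10:00:02 ns1 named[3091]: client 34.205.87.215#53469 (example.net): query (cache) 'example.net/A/IN' denied",
    "Jan  5 10:00:03 ns1 named[3091]: zone example.com/IN: loaded serial 2020010501",
]
NOISY = [
    f"Jan  5 10:05:{i // 5:02d} ns1 named[3091]: client @0x7f1cf00c6370 198.51.100.7#{40000 + i} "
    f"(x{i}.invalid): query (cache) 'x{i}.invalid/A/IN' denied"
    for i in range(150)
]
SAMPLE = QUIET + NOISY

if __name__ == "__main__":
    for cmd in suggest_blocks(find_flooders(SAMPLE)):
        print(cmd)
```

Run against a real log with something like `find_flooders(open("/var/log/named/named.log"))` and tune the window and threshold to what your servers normally see; with the defaults, the handful of denied lookups per client in the original post never shows up, which matches the advice in the thread to ignore them, while a client hammering the server for hundreds of random names does.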
 