Linode Community Forums
DNS/BIND log question


Linode.com Forum Forum Index -> Linux Networking
shahim



Joined: 13 Feb 2004
Posts: 8

Posted: Sun Feb 22, 2004 4:50 pm    Post subject: DNS/BIND log question  

Looking through my BIND log, I am seeing a lot of queries like this.

client: debug 3: client 166.111.8.29#53: UDP request
security: debug 3: client 166.111.8.29#53: request is not signed
client: debug 3: client 166.111.8.29#53: query
security: debug 3: client 166.111.8.29#53: query (cache) approved
client: debug 3: client 166.111.8.29#53: send
client: debug 3: client 166.111.8.29#53: sendto
client: debug 3: client 166.111.8.29#53: senddone
client: debug 3: client 166.111.8.29#53: next
client: debug 3: client 166.111.8.29#53: endrequest
client: debug 3: client @0x81a7a40: udprecv

My log file was growing so large from the thousands of requests from this IP and the other one which I got over a few hours. I ended up blocking the other IP because of that.

What does the query "(cache)" mean?
Why am I getting so many from these two hosts?
Is it a security problem and how can I stop it?

Thanks,
Shahim
caker



Joined: 15 Apr 2003
Posts: 2392
Location: Galloway, NJ

Posted: Sun Feb 22, 2004 11:44 pm    Post subject: Re: DNS/BIND log question  

shahim wrote: What does the query "(cache)" mean?
You're running a caching nameserver, right? Perhaps that is just an indicator that the answer came from your named's cache?

shahim wrote: Why am I getting so many from these two hosts?
No idea. Either those machines are misconfigured, or someone's doing it intentionally...

shahim wrote: Is it a security problem and how can I stop it?
I don't know if that is the fingerprint of any kind of attack (DoS, break-in, or otherwise). I'd say either turn off recursion, iptables them off, or lock them out in your named.conf...

-Chris
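As an added example (not code from this thread or from BIND), here is a small Python script that parses debug-level lines in the format quoted in the first post and counts how many recursive ("cache") queries named approved per client IP, so the source of a flood like the one above can be identified before deciding whether to turn off recursion or add an ACL. The sample log lines are constructed, and the reporting threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample in the BIND "debug 3" format quoted in the first post:
# "<category>: debug <level>: client <ip>#<port>: <event>".
SAMPLE_LOG = """\
client: debug 3: client 166.111.8.29#53: UDP request
security: debug 3: client 166.111.8.29#53: request is not signed
security: debug 3: client 166.111.8.29#53: query (cache) approved
client: debug 3: client 166.111.8.29#53: send
client: debug 3: client @0x81a7a40: udprecv
client: debug 3: client 10.0.0.5#1234: UDP request
security: debug 3: client 10.0.0.5#1234: query (cache) approved
security: debug 3: client 166.111.8.29#53: query (cache) approved
security: debug 3: client 166.111.8.29#53: query (cache) approved
"""

LINE_RE = re.compile(
    r"^(?P<cat>\w+): debug \d+: client (?P<ip>[\d.]+)#(?P<port>\d+): (?P<event>.*)$"
)

def parse_line(line):
    """Return (category, ip, port, event), or None for lines that carry
    no client address (e.g. the '@0x...: udprecv' housekeeping lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["cat"], m["ip"], int(m["port"]), m["event"]

def count_cache_queries(log_text):
    """Count 'query (cache) approved' events per source IP. That line is
    named's security category accepting a recursive (cache) lookup under
    the current ACLs, so a large count from one IP is the pattern the
    original poster saw. A source port of 53 is a further hint that the
    client is itself another nameserver rather than a stub resolver."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == "query (cache) approved":
            counts[parsed[1]] += 1
    return counts

def noisy_clients(log_text, threshold):
    """IPs with at least `threshold` approved cache queries, busiest first.
    The threshold is an assumed tuning value, not a BIND setting."""
    return [(ip, n) for ip, n in count_cache_queries(log_text).most_common()
            if n >= threshold]
```

Run it over a real named log (same debug level) and compare the top entries against the hosts you expect to be recursing through you; anything else is a candidate for an allow-recursion ACL.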
shahim



Joined: 13 Feb 2004
Posts: 8

Posted: Mon Feb 23, 2004 1:02 am    Post subject:  

After going to the Linode IRC and with the help I got, it turns out that someone has his domain pointing to my name server and I was getting the requests for that domain.
I am trying to contact the registrar and the domain owner to fix that.
I guess he had a caching server on my IPs before.
jstarks



Joined: 28 Jan 2004
Posts: 11

Posted: Mon Feb 23, 2004 3:21 am    Post subject:  

Regardless of the problem, you'll probably want to split your nameservers from your DNS cache. See http://cr.yp.to/djbdns/separation.html for more info.