From: Steve Suhre
To: Matt Emmerton
Cc: freebsd-hackers@freebsd.org
Date: Mon, 16 Jan 2006 20:34:20 -0700
Subject: Re: Named requests filling up T1

>Looks like someone is spamming your DNS server with queries.
>
>Two questions:
>1) Is v.tn.co.za a domain that you are authoritative for?
>2) Are you an ISP and/or is client 64.18.133.103 authorized to use your DNS
>server?
>
>If the answer to 1) is NO, then there's no reason for these queries to be
>directed to your DNS server from the Internet.
>If the answer to 2) is NO, then there's no reason for these queries to be
>directed to your DNS server from the Internet.
>
>Source IP filtering is likely your best option, although it doesn't help
>with your T1 saturation, although it would give whoever is blasting these
>queries a clue.
>
>--
>Matt Emmerton

Thanks Matt,

The answer to both is no. The domain doesn't resolve either (v.tn.co.za). It looks like the source IP changes too...sigh.... I tried a whois on the source IP and it was not found, so it may be spoofed? Or someone has a very messed up server...

--
Steve Suhre
steve@pasta.net
719.439.6052 Cell
719.632.2897 Home
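
The two questions from the quoted reply, applied to a query log, as an added example that is not part of the original thread: it counts queries that are neither for a zone the server is authoritative for nor from an authorized client, per source IP and per name. The zone list, the authorized network and the sample log lines are constructed assumptions; the pattern assumes the BIND 9 query-log form "client IP#port: query: name IN type".

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the thread): zones this server is authoritative
# for, and the client networks allowed to use it as a resolver.
AUTHORITATIVE_ZONES = {"example.net"}
AUTHORIZED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# BIND 9 query-log form; other fields on the line are ignored.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+.*?: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)")

def in_our_zones(name):
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def is_authorized(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source: treat as not authorized
    return any(addr in net for net in AUTHORIZED_NETS)

def triage(lines):
    """Count queries that fail both checks, per source IP and per name."""
    by_source, by_name = Counter(), Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        # Question 1: our zone?  Question 2: authorized client?
        if in_our_zones(m["name"]) or is_authorized(m["ip"]):
            continue
        by_source[m["ip"]] += 1
        by_name[m["name"].rstrip(".").lower()] += 1
    return by_source, by_name

# Constructed sample lines; only the name and first client IP are from the thread.
SAMPLE_LOG = [
    "17-Jan-2006 03:30:01.100 client 64.18.133.103#1029: query: v.tn.co.za IN A",
    "17-Jan-2006 03:30:01.105 client 64.18.133.103#1030: query: v.tn.co.za IN A",
    "17-Jan-2006 03:30:01.110 client 198.51.100.7#4312: query: v.tn.co.za IN A",
    "17-Jan-2006 03:30:01.200 client 192.0.2.10#3301: query: www.example.org IN A",
    "17-Jan-2006 03:30:01.300 client 203.0.113.9#5100: query: www.example.net IN MX",
]
```

One name spread across several source addresses in the per-name count is the pattern described in the reply above, where the source IP keeps changing.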