# named log format (BIND 9.10.2)
## rtwingfield (Feb 28, 2018)

I continue to receive query traffic as follows:


> 28-Feb-2018 08:24:19.885 queries: info: client 192.168.1.1#35561 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
> 28-Feb-2018 08:24:52.169 queries: info: client 192.168.1.1#32016 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
> 28-Feb-2018 08:25:27.664 queries: info: client 192.168.1.1#28753 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)


Over the past months, these arrive approx. every thirty seconds. _*whois*_ reveals that they come from

> inetnum:        222.184.0.0 - 222.191.255.255
> netname:        CHINANET-JS
> descr:          CHINANET jiangsu province network
> descr:          China Telecom
> ...


With apologies, I do not know how to interpret the format of the logged data, and I cannot find a clear, concise record layout for the logged data. It looks (to me) like they are looking for a PTR record . . . but why, and how can I prevent this from constantly recurring every thirty seconds? Their IP address may change if and when I add the address to a "black-ball" list.

They're hitting my server(s) like a DoS attack.
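Decoding the quoted lines, as an added example that is not part of the original thread: a small Python parser for the BIND 9.10 query-log line format, with the field layout spelled out in comments, the meaning of the flags column, the reversal of an `in-addr.arpa` (or `ip6.arpa`) name back into the address being looked up, and a per-client count of how often the same query repeats. The sample input is the three lines quoted in the post; the channel settings mentioned in the comments (print-time, print-category, print-severity) are an assumption about how the prefix was produced.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the three query-log lines quoted in the post, in the
# BIND 9.10 "queries" category format. The leading "<time> queries: info:" prefix
# is assumed to come from print-time/print-category/print-severity on the channel.
SAMPLE_LOG = """\
28-Feb-2018 08:24:19.885 queries: info: client 192.168.1.1#35561 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
28-Feb-2018 08:24:52.169 queries: info: client 192.168.1.1#32016 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
28-Feb-2018 08:25:27.664 queries: info: client 192.168.1.1#28753 (6.43.186.222.in-addr.arpa): query: 6.43.186.222.in-addr.arpa IN PTR + (192.168.1.73)
"""

# Field layout of one line:
#   <timestamp> <category>: <severity>: client <src-ip>#<src-port> (<name as asked>):
#   query: <qname> <qclass> <qtype> <flags> (<address of this server the query arrived on>)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[^:\s]+): (?P<severity>[^:\s]+): "
    r"client (?P<client_ip>[^#\s]+)#(?P<client_port>\d+) "
    r"\((?P<name_asked>[^)]*)\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server_ip>[^)\s]+)\)$"
)

# Meaning of each character that can appear in the flags column.
FLAG_MEANINGS = {
    "+": "recursion desired (RD bit set by the client)",
    "-": "recursion not desired",
    "S": "query was TSIG-signed",
    "E": "EDNS in use",
    "T": "query arrived over TCP",
    "D": "DNSSEC OK (DO bit set)",
    "C": "checking disabled (CD bit set)",
}


def describe_flags(flags):
    """Expand the flags column into human-readable descriptions."""
    return [FLAG_MEANINGS.get(ch, f"unknown flag {ch!r}") for ch in flags]


def ptr_name_to_ip(qname):
    """Turn a reverse-lookup name back into the address it asks about, or None."""
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
            return None
        return ".".join(reversed(labels))          # labels are stored least-significant first
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    return None


def parse_query_line(line):
    """Parse one query-log line into a dict; None if the line is not a query record."""
    m = QUERY_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%d-%b-%Y %H:%M:%S.%f")
    rec["client_port"] = int(rec["client_port"])
    rec["flag_meanings"] = describe_flags(rec["flags"])
    rec["ptr_target"] = ptr_name_to_ip(rec["qname"]) if rec["qtype"] == "PTR" else None
    return rec


def summarize(log_text):
    """Group queries by (client, qname, qtype): count, first/last seen, mean gap."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is not None:
            groups[(rec["client_ip"], rec["qname"], rec["qtype"])].append(rec["timestamp"])
    result = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        result[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else None,
            "target_ip": ptr_name_to_ip(key[1]),
        }
    return result


if __name__ == "__main__":
    for (client, qname, qtype), s in summarize(SAMPLE_LOG).items():
        gap = f"{s['mean_interval_s']:.1f}s" if s["mean_interval_s"] is not None else "n/a"
        print(f"{client} asked {qtype} {qname} {s['count']} times, mean gap {gap}, "
              f"address looked up: {s['target_ip']}")
```

Run as a script on the sample it reports that the source of the queries is 192.168.1.1 (the `client` field), that they arrive at this server's address 192.168.1.73, that `+` means the client asked for recursion, and that the name being resolved is the PTR for 222.186.43.6, repeated roughly every 34 seconds. In other words the whois result describes the address being looked up, not the host sending the queries.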


----------



## SirDice (Feb 28, 2018)

If you're not hosting an authoritative domain, make sure the DNS service isn't accessible from the outside world. If you do host an authoritative domain, make sure you're not allowing recursive queries; in other words, make sure it only resolves the hosted domain and cannot resolve anything else. It is quite common for misconfigured DNS servers to be abused in order to amplify a DDoS attack.

https://www.us-cert.gov/ncas/alerts/TA13-088A

But looking at the logs it appears to be a local host, 192.168.1.1, that's trying to reverse resolve an IP address. So I would go and have a look at the 192.168.1.1 host to see what it's doing.
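The two configurations this reply distinguishes, as an added example rather than configuration from the thread or from ISC: `named.conf` fragments for BIND 9 showing the open-resolver pattern beside the two restricted shapes (authoritative-only, and recursive for local clients only). 192.168.1.73 is the server address from the logged lines; the `192.168.1.0/24` range in the `trusted` ACL is an assumed local network.

```conf
// --- Weak: an open resolver. Anyone who can reach port 53 may use this
// server to resolve arbitrary names, which is what makes it usable as a
// reflector for amplification attacks.
options {
    recursion yes;
    allow-query { any; };
    // no allow-recursion: defaults to the same set as allow-query, i.e. "any"
};

// --- Hardened, authoritative-only: answers for hosted zones, nothing else.
options {
    recursion no;               // refuses to resolve names outside the hosted zones
    allow-query { any; };       // the zones themselves must stay publicly queryable
    allow-transfer { none; };   // zone transfers only where explicitly permitted per zone
};

// --- Hardened, recursive resolver for the local network only.
acl "trusted" {
    127.0.0.0/8;
    192.168.1.0/24;             // assumed local range; adjust to the real network
};

options {
    listen-on { 127.0.0.1; 192.168.1.73; };   // inside addresses only, not the WAN side
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };           // keep cached answers from leaking to outsiders
};
```

Only one `options` block may appear in a real `named.conf`; pick the shape that matches the server's role. `named-checkconf` validates the syntax before the service is restarted, and the query log above is the quickest way to confirm afterwards that recursive (`+`) queries are arriving only from addresses in the trusted set.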


----------

