On 8/2/22 14:03, Robert Moskowitz wrote:
> I just, maybe, figured out why I have been having problems with my
> CentOS DNS server with BIND 9.11.4.
Can you tell us more about what problem you've been having?
> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205
> (.): view external: query (cache) './A/IN' denied
>
> grep -c denied messages
> 46038
>
> And that is since Jul 31 3am.
If I'm not mistaken, your system is averaging one query denied every 4.6
seconds. That's not a large volume, as an average. Probably not a
DDOS... A DNS server connected to the internet is very likely to get
occasional queries.
> Anyone have recommendations on how to stop this?
If this server is the authoritative server for domains: completely turn
off recursive support. Authoritative servers should serve their
authoritative domains, only.
If this server offers recursive queries to your local network, use its
firewall to allow traffic from the networks that are allowed to make
queries, and drop all other traffic.
Disable connection tracking for port 53 in your firewall.
https://kb.isc.org/docs/bind-best-practices-recursive
https://kb.isc.org/docs/aa-01183
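To make the two cases above concrete, here is a named.conf fragment I put together for this reply (it is not from Robert's server or from the ISC pages): layout 1 is an authoritative-only server, layout 2 is the split-view form where only the LAN may recurse. The ACL name "trusted", the zone "example.com" and the 192.0.2.0/24 and 2001:db8::/32 ranges are placeholders.

```conf
// Added example, not the original poster's configuration.
// Placeholder networks: replace with the ranges that may recurse.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;    // placeholder LAN
    2001:db8::/32;   // placeholder LAN
};

// ---- Layout 1: authoritative-only (pick this OR layout 2, not both) ----
// With recursion off, a query for a name outside the served zones
// (such as the './A/IN' root query in the log) is refused for every client.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };         // serve the authoritative zones to all
    allow-query-cache { none; };  // nothing is ever answered from cache
    allow-transfer { none; };     // list secondaries here if you have them
};

zone "example.com" {              // placeholder zone name
    type master;
    file "example.com.zone";
};

// ---- Layout 2: recursive for the LAN, authoritative for the world ----
// When views are used, every zone must live inside a view; the top-level
// zone statement from layout 1 goes away.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    zone "example.com" { type master; file "example.com.zone"; };
};

view "external" {
    match-clients { any; };
    recursion no;                 // outsiders get authoritative data only
    allow-query-cache { none; };
    zone "example.com" { type master; file "example.com.zone"; };
};
```

For the connection-tracking step, on CentOS 7 the raw table is the place for it: `iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK` and the matching `iptables -t raw -A OUTPUT -p udp --sport 53 -j NOTRACK` (IPv6 with ip6tables), which keeps the conntrack table from filling with one entry per DNS packet. Note that untracked packets no longer match ESTABLISHED rules, so port 53 needs its own explicit accept rules for the "trusted" networks.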
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos