Lots of DNS requests from China, should I worry?
Solution 1:
What is going on here? Is my name server under attack? Can I do something about this?
What is going on here?
It's impossible to tell from the munged log entries. Here are just a few possibilities:
- Your service is popular in China. Congrats.
- Someone misconfigured a script that uses your API
- Someone's running code that gathers DNS information for billions of domains. Yours is one of them
- A spammer is spoofing your domain and a mail server is checking DNS records as part of an antispam solution
- You're under attack
Is my name server under attack?
At 5-10 DNS requests/sec from a handful of IPs? Doubtful. Most DNS attacks I know of use specially crafted requests to mess with your server's internal functionality or overwhelm its resources. Generally, if you have to ask, you're not under attack.
Can I do something about this?
Sure, you can block the offending IPs in your firewall or install the aforementioned Fail2Ban tool.
But should you?
Remember, your DNS server's entire job is to answer requests. You noticed this after you turned on query logging and watched the output. Are you seeing crazy CPU usage? Network IO? Are other, known-legitimate requests going unserved due to resource contention?
If not, why would you block them? Let the protocols work the way they're designed. If you want cleaner logs, turn off query logging until you need to diagnose a problem.
Solution 2:
Someone is abusing your DNS server to perform an amplification attack against the IP address 121.12.173.191, which is being spoofed by the attackers.
Since DNS mostly uses UDP which is a connectionless protocol it is trivial to spoof the source address of a query and have the (larger) response be sent back to the real owner of that spoofed address.
The use of ANY queries to achieve amplification is well known in DNS circles, but only relatively recently seen misused by hackers.
It is likely that if you monitored the IP TTLs of the inbound packets, they would be inconsistent, indicating that the spoofed packets are taking many different paths to reach you even though they all appear to be from the same place.
You may well only be seeing 5-10 packets per second, but the attackers will be using many other hosts to saturate the target address.
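Both Solution 1 (is this an attack at all?) and Solution 2 (ANY-query amplification with a spoofed source) come down to the same triage of the query log: how many queries per second does each source send, what fraction of them are ANY, and is it one name hammered repeatedly or many distinct names? The script below is an added example, not code from the question or either answer. It parses constructed sample lines in the BIND 9 query-log style (the timestamps, names and the two extra client addresses are made up; 121.12.173.191 is the address named above), aggregates per source and applies the thresholds the answers hint at (the 5 queries/sec figure, ANY-heavy traffic). The thresholds and category labels are assumptions for illustration.

```python
"""Triage a BIND-style DNS query log for signs of ANY-query amplification.

Added example: parses constructed sample lines, not the asker's real log.
"""
import re
from datetime import datetime

# Constructed sample log in the BIND 9 query-log format (hypothetical data).
# 121.12.173.191 is the address from the answer; the other two are documentation ranges.
SAMPLE_LOG = """\
09-Jan-2013 10:00:00.101 client 121.12.173.191#39213: query: example.net IN ANY +E (192.0.2.53)
09-Jan-2013 10:00:00.240 client 121.12.173.191#39213: query: example.net IN ANY +E (192.0.2.53)
09-Jan-2013 10:00:00.377 client 121.12.173.191#39213: query: example.net IN ANY +E (192.0.2.53)
09-Jan-2013 10:00:00.512 client 121.12.173.191#39213: query: example.net IN ANY +E (192.0.2.53)
09-Jan-2013 10:00:00.690 client 121.12.173.191#39213: query: example.net IN ANY +E (192.0.2.53)
09-Jan-2013 10:00:00.873 client 121.12.173.191#39213: query: example.net IN ANY +E (192.0.2.53)
09-Jan-2013 10:00:03.004 client 198.51.100.7#51234: query: www.example.net IN A - (192.0.2.53)
09-Jan-2013 10:00:31.118 client 198.51.100.7#51240: query: example.net IN MX - (192.0.2.53)
09-Jan-2013 10:00:05.221 client 203.0.113.9#40001: query: a.example.net IN A - (192.0.2.53)
09-Jan-2013 10:00:06.222 client 203.0.113.9#40002: query: b.example.net IN A - (192.0.2.53)
09-Jan-2013 10:00:07.223 client 203.0.113.9#40003: query: c.example.net IN A - (192.0.2.53)
"""

# One BIND query-log line: "<date> <time>.<ms> client <ip>#<port>: query: <name> IN <type> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Verdict labels (assumed names for this example).
AMPLIFICATION = "likely reflection: ANY flood, source address is probably the spoofed victim"
BULK_LOOKUP = "bulk lookup: one source asking for many distinct names"
NORMAL = "normal"


def parse_query_log(text):
    """Yield (timestamp, source_ip, qname, qtype) for each parseable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        yield ts, m.group("src"), m.group("name").lower(), m.group("qtype")


def summarize_by_source(text):
    """Per-source counters: total queries, ANY queries, distinct names, and queries/sec."""
    stats = {}
    for ts, src, name, qtype in parse_query_log(text):
        s = stats.setdefault(
            src, {"queries": 0, "any": 0, "names": set(), "first": ts, "last": ts}
        )
        s["queries"] += 1
        if qtype == "ANY":
            s["any"] += 1
        s["names"].add(name)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in stats.values():
        # Log timestamps are truncated to the second; treat a burst inside one second as 1 s.
        window = max((s["last"] - s["first"]).total_seconds(), 1.0)
        s["qps"] = s["queries"] / window
        s["any_fraction"] = s["any"] / s["queries"]
        s["distinct_names"] = len(s["names"])
    return stats


def classify(stats, qps_threshold=5.0, any_fraction=0.5):
    """Map each source to a verdict. Thresholds are illustrative, not tuned values."""
    verdicts = {}
    for src, s in stats.items():
        if s["any_fraction"] >= any_fraction and s["qps"] >= qps_threshold:
            verdicts[src] = AMPLIFICATION
        elif s["queries"] >= 3 and s["distinct_names"] == s["queries"]:
            verdicts[src] = BULK_LOOKUP
        else:
            verdicts[src] = NORMAL
    return verdicts


if __name__ == "__main__":
    stats = summarize_by_source(SAMPLE_LOG)
    for src, verdict in classify(stats).items():
        s = stats[src]
        print(f"{src:16} {s['queries']:4d} q  {s['qps']:5.1f} q/s  "
              f"ANY {s['any_fraction']:.0%}  names {s['distinct_names']}  -> {verdict}")
```

The ANY-flood verdict is the one that changes what you do next: because the "source" is the victim whose address was spoofed, blocking it (as Solution 3 describes) protects the victim rather than punishing a client, while the bulk-lookup and normal cases are the "popular service" or "someone's script" possibilities from Solution 1 and usually need nothing more than turning query logging back off.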
Solution 3:
While Fail2ban would work (I recommend it for many purposes) if you're seeing the same IP over and over, unchanging, there's no reason not to just drop it altogether.
Block it at your firewall or use IPTables.
iptables -A INPUT -s 121.12.173.191 -j DROP
That should get rid of the requests.
If you see other sources hitting your server, then you can either use IPTables to block requests from anything that isn't from your network or use fail2ban to use temporary blocking.
Fail2ban uses IPTables anyway to block requests, so permanently adding it isn't a stretch. You'll also want to look up on your distro how to make the change permanent (usually your network scripts at startup). If you're behind a firewall, I'd highly recommend blocking the IP there first.
Regardless of how you do it, make sure you document that you did this so you're (or your replacement is) not stuck figuring out a few months from now why it was done.