I've seen this for the same on about 3 sets of nameservers I operate. fail2ban doing a 72 hour iptables drop rule.

-----Original Message-----
From: Drew Weaver [mailto:drew.weaver@thenap.com]
Sent: Friday, July 29, 2011 3:01 PM
To: 'Elliot Finley'; nanog@nanog.org
Subject: RE: DNS DoS ???

We've been seeing this for several years on and off.

thanks,
-Drew

-----Original Message-----
From: Elliot Finley [mailto:efinley.lists@gmail.com]
Sent: Friday, July 29, 2011 2:51 PM
To: nanog@nanog.org
Subject: DNS DoS ???

My DNS servers were getting slow so I blocked recursive queries for all but my own network. Then I was getting so many of these:

ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied

that it was still slowing things down.

I've since written a script to watch the log and throw these into the box's local firewall. If I expire the entries after 24 hours then I accumulate about 10200 unique IPs. If I expire after 48 hours, then it's just over 20000 unique IPs.

Is anyone else seeing this?

Elliot
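The log-watching approach Elliot describes (collect the source IPs of denied ANY queries, expire them after a window, feed the survivors to the local firewall) as an added example; this is not Elliot's script or anyone else's from the thread. It assumes a syslog-style prefix ("Jul 29 14:51:02 ns2 named[5056]: ...") in front of the `query (cache) '.../ANY/IN' denied` message quoted above, and the log lines and addresses are constructed test data, not real offenders.

```python
import re
from datetime import datetime, timedelta

# Assumed line shape (constructed): syslog timestamp, host, "named[pid]:", then the
# BIND denial message exactly as quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)

# Constructed sample log: documentation-range addresses, one non-ANY query,
# one unrelated line, and one repeat offender seen again a day later.
SAMPLE_LOG = """\
Jul 29 14:51:02 ns2 named[5056]: client 203.0.113.7#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:51:03 ns2 named[5056]: client 203.0.113.7#25346: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:51:09 ns2 named[5056]: client 198.51.100.22#1024: query (cache) 'isc.org/ANY/IN' denied
Jul 29 15:20:44 ns2 named[5056]: client 192.0.2.9#53011: query (cache) 'example.com/A/IN' denied
Jul 30 16:00:00 ns2 named[5056]: client 203.0.113.7#25347: query (cache) 'isc.org/ANY/IN' denied
Jul 30 16:00:01 ns2 named[5056]: this line is unrelated and must be ignored
"""


def parse_line(line, year=2011):
    """Return (timestamp, ip, qname, qtype) for a denial line, or None otherwise.
    Syslog lines carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["qname"], m["qtype"]


class DeniedQueryTracker:
    """Per-source-IP record of denied queries; entries expire `window` after last sight."""

    def __init__(self, window):
        self.window = window
        self.last_seen = {}  # ip -> datetime of most recent denied query
        self.hits = {}       # ip -> number of denied queries seen

    def observe(self, ts, ip):
        self.last_seen[ip] = ts
        self.hits[ip] = self.hits.get(ip, 0) + 1

    def expire(self, now):
        """Drop entries not seen within the window; return the IPs removed."""
        stale = [ip for ip, t in self.last_seen.items() if now - t > self.window]
        for ip in stale:
            del self.last_seen[ip]
            del self.hits[ip]
        return stale

    def active(self):
        return sorted(self.last_seen)


def build_blocklist(log_text, window_hours, now_iso, year=2011, qtype="ANY"):
    """Replay log text into a tracker, keeping only denials of `qtype`,
    then expire against `now_iso` (ISO 8601). Returns the tracker."""
    tracker = DeniedQueryTracker(timedelta(hours=window_hours))
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, ip, _qname, qt = rec
        if qt != qtype:
            continue
        tracker.observe(ts, ip)
    tracker.expire(datetime.fromisoformat(now_iso))
    return tracker


def iptables_rules(ips):
    """Render drop rules for the active set; returned as strings, not executed,
    so the caller decides how (and whether) to apply them."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP" for ip in ips]


if __name__ == "__main__":
    for hours in (24, 48):
        t = build_blocklist(SAMPLE_LOG, hours, "2011-07-30T16:00:05")
        print(f"{hours}h window: {len(t.active())} unique IPs")
        for rule in iptables_rules(t.active()):
            print("  ", rule)
```

Running it with the sample data shows the effect Elliot reports: the longer the expiry window, the more unique sources accumulate, because low-rate senders that would otherwise age out stay on the list. Counting hits per IP, rather than blocking on the first denial, lets an operator distinguish a flood from a single stray lookup before adding a rule.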