DNS DDOS Attack – would like to understand log
As part of a DDoS attack (largely ineffectual) I am currently seeing log messages of the form:
<DATE> client <EXTERNAL-IP>#3074 (<NAME>): query: <SAME-NAME> IN RRSIG + (<ONE-OF-MY-IPs>)
My reading of the DNS log suggests that this is a query coming from <EXTERNAL-IP>, with the result to be sent to <ONE-OF-MY-IPs>. Is that correct?
We are running an older BIND, soon to be upgraded, but I was hoping to understand what this query is actually doing (many are sent).
Edit: Also, it would be nice to know how they are able to structure it to send the result to another IP.
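An added example, not part of the question above, that parses the BIND 9 query-log line format quoted in the post and counts amplification-prone query types (RRSIG, ANY) per client so a flood from one source stands out. In BIND's documented query-log format, the `client <IP>#<PORT>` pair is the source address and port of the query packet as received, the leading `+`/`-` in the flags field is the recursion-desired bit, and the trailing parenthesised address is the local interface address on which BIND received the query, not a destination chosen by the sender. The log lines below are constructed samples using documentation address ranges; the regex, threshold and function names are assumptions for this example.

```python
import re
from collections import Counter

# BIND 9 query-log line, shaped like the one quoted in the post.
# <DATE> client <IP>#<PORT> (<NAME>): query: <QNAME> <CLASS> <TYPE> <FLAGS> (<LOCAL-IP>)
QUERY_LOG_RE = re.compile(
    r"^(?P<date>.+?) client (?P<client_ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<name>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<local_ip>[0-9a-fA-F.:]+)\)$"
)

# Constructed sample lines (not from the post). 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges; 192.0.2.10 plays the server's own address.
SAMPLE_LOG = """\
03-Apr-2014 10:15:01.123 client 203.0.113.7#3074 (example.test): query: example.test IN RRSIG + (192.0.2.10)
03-Apr-2014 10:15:01.140 client 203.0.113.7#3074 (example.test): query: example.test IN RRSIG + (192.0.2.10)
03-Apr-2014 10:15:01.151 client 203.0.113.7#3074 (example.test): query: example.test IN RRSIG + (192.0.2.10)
03-Apr-2014 10:15:02.004 client 198.51.100.22#51234 (www.example.test): query: www.example.test IN A - (192.0.2.10)
03-Apr-2014 10:15:02.300 client 203.0.113.7#3074 (example.test): query: example.test IN RRSIG + (192.0.2.10)
"""


def parse_line(line):
    """Split one query-log line into its fields; return None if it does not match."""
    m = QUERY_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # A leading '+' in the flags field means the client set the RD (recursion desired) bit.
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec


def summarize(log_text, flood_types=("RRSIG", "ANY"), threshold=3):
    """Count queries per (client address, query type) and list the clients that sent
    at least `threshold` queries of an amplification-prone type (RRSIG, ANY).
    Returns (parsed records, per-(client, qtype) counts, flagged client addresses)."""
    counts = Counter()
    parsed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            parsed.append(rec)
            counts[(rec["client_ip"], rec["qtype"])] += 1
    flagged = sorted(
        {ip for (ip, qtype), n in counts.items() if qtype in flood_types and n >= threshold}
    )
    return parsed, counts, flagged


if __name__ == "__main__":
    records, counts, flagged = summarize(SAMPLE_LOG)
    for (ip, qtype), n in sorted(counts.items()):
        print(f"{ip:16} {qtype:6} {n}")
    print("clients exceeding threshold for amplification-prone types:", flagged)
```

Because the source address in a UDP query is whatever the packet carries, the `client` field alone does not prove who sent it; the counts are useful for rate limiting and for deciding whether to enable BIND's response-rate-limiting or restrict recursion, not for attribution.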