DNS DDOS Attack – would like to understand log

As part of a DDoS attack (largely ineffectual) I am currently seeing log messages of the form:

<DATE> client <EXTERNAL-IP>#3074 (<NAME>): query: <SAME-NAME> IN RRSIG + (<ONE-OF-MY-IPs>)

My reading of the DNS log suggests that this is a query coming from <EXTERNAL-IP>, with the result to be sent to <ONE-OF-MY-IPs>. Is that correct?

We are running an older BIND, soon to be upgraded, but I was hoping to understand what this query is actually doing (many are sent).

Edit: Also, it would be nice to know how they are able to structure it to send the result to another IP.

Author: RabidMutant
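As an added example (not part of the post above), here is a small parser for the classic BIND 9 query-log line shape quoted in the question, with a per-source counter that flags sources sending an unusual number of RRSIG queries. The sample log lines, the date format and the threshold are constructed for the example; the field layout assumes the older BIND format without the `@0x...` and view fields that newer releases add.

```python
import re
from collections import Counter

# Sample lines constructed for this example (RFC 5737 documentation addresses),
# mimicking the shape quoted in the post:
#   <date> client <ip>#<port> (<name>): query: <name> IN <type> <flags> (<local-ip>)
SAMPLE_LOG = """\
01-Jan-2024 12:00:00.101 client 203.0.113.7#3074 (example.net): query: example.net IN RRSIG + (198.51.100.2)
01-Jan-2024 12:00:00.102 client 203.0.113.7#3074 (example.net): query: example.net IN RRSIG + (198.51.100.2)
01-Jan-2024 12:00:00.105 client 203.0.113.7#3074 (example.net): query: example.net IN RRSIG + (198.51.100.2)
01-Jan-2024 12:00:00.400 client 192.0.2.10#53211 (www.example.net): query: www.example.net IN A - (198.51.100.2)
01-Jan-2024 12:00:00.900 client 192.0.2.44#4121 (example.net): query: example.net IN RRSIG + (198.51.100.2)
"""

# Regex for the classic BIND 9 query-log line (assumed layout; newer releases
# insert extra fields such as "@0x..." and the view name, so adapt as needed).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) IN (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<local>[0-9A-Fa-f.:]+)\)$"
)

def parse_line(line):
    """Parse one query-log line into a dict, or return None for non-matching lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # A leading '+' in the flags field means "recursion desired", '-' means not;
    # BIND may append S/E/T/D/C for TSIG-signed, EDNS, TCP, DO-bit and CD-bit queries.
    rec["recursion_desired"] = rec["flags"].startswith("+")
    # 'local' is the address of the server's own interface that received the
    # query, i.e. where the packet arrived, not a separate destination for the answer.
    return rec

def rrsig_counts_by_source(log_text):
    """Count RRSIG queries per claimed source IP (the 'client' field)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "RRSIG":
            counts[rec["client"]] += 1
    return counts

def noisy_sources(log_text, threshold):
    """Return {source_ip: count} for sources with more than 'threshold' RRSIG queries.
    Over UDP the source address is unauthenticated, so a noisy source may itself be
    a reflection victim; prefer response rate limiting (BIND RRL) to blocking the IP."""
    return {ip: n for ip, n in rrsig_counts_by_source(log_text).items() if n > threshold}
```

Running `noisy_sources(SAMPLE_LOG, 2)` over the sample returns `{'203.0.113.7': 3}`; feed it the real query log and tune the threshold to the server's normal RRSIG traffic.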