Monitor REFUSED/denied DNS queries in /var/log/messages
Posted: 14 Mar 2013, 16:20
Is there a way (and if not, can it be added) to monitor the /var/log/messages file for denied/REFUSED DNS queries and block the IP addresses that hit a specific site more than so many times?
Example:
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#19420: query (cache) 'domainname.com/MX/IN' denied
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#37657: query (cache) 'domainname.com/A/IN' denied
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#34976: query (cache) 'domainname.com/MX/IN' denied
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#59322: query (cache) 'domainname.com/A/IN' denied
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.10#51881: query (cache) 'domainname.com/MX/IN' denied
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.10#10887: query (cache) 'domainname.com/A/IN' denied
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.10#64403: query (cache) 'domainname.com/MX/IN' denied
Since 4 AM (when log files rolled over), there are over 32 thousand hits to this website (which is no longer even hosted with us) from hundreds of different IP addresses. I've been blocking those manually but it's tedious, and it's causing our server monitoring system to indicate that the server is down (when in fact it isn't). Ping is very sporadic, so I know it is being affected by these queries. Other servers don't have anywhere near as many queries as this one server.
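The counting the post asks for, as an added example that is not part of the original post: it parses BIND "query (cache) ... denied" lines in the format shown above, counts hits per client for one zone, and renders (but does not run) iptables rules for clients over a threshold. The zone name and threshold are placeholders, and the sample log is constructed.

```python
import re
from collections import Counter

# Matches the BIND denied-query lines quoted in the post.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN' denied"
)

def parse_denied(lines):
    """Yield (client_ip, queried_name, rtype) for each denied-query line; skip the rest."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").lower(), m.group("rtype")

def offenders(lines, zone, threshold):
    """Return {ip: count} for clients that hit `zone` at least `threshold` times."""
    counts = Counter(ip for ip, name, _ in parse_denied(lines) if name == zone)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def block_commands(ips, chain="INPUT"):
    """Render iptables rules dropping DNS (UDP and TCP 53) from each offender; nothing is executed."""
    cmds = []
    for ip in sorted(ips):
        for proto in ("udp", "tcp"):
            cmds.append(f"iptables -I {chain} -s {ip} -p {proto} --dport 53 -j DROP")
    return cmds

# Constructed sample in the same format as the post's log excerpt (not real traffic).
SAMPLE_LOG = """\
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#19420: query (cache) 'domainname.com/MX/IN' denied
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#37657: query (cache) 'domainname.com/A/IN' denied
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#34976: query (cache) 'domainname.com/MX/IN' denied
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.10#51881: query (cache) 'domainname.com/MX/IN' denied
Mar 14 11:09:48 HOSTNAME named[11275]: client 203.0.113.5#4000: query (cache) 'other.example/A/IN' denied
Mar 14 11:09:48 HOSTNAME sshd[200]: Accepted publickey for admin from 203.0.113.9
""".splitlines()

if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG, "domainname.com", threshold=3)  # placeholder zone/threshold
    for cmd in block_commands(hits):
        print(cmd)
```

Because UDP DNS source addresses can be forged, confirm the listed clients are really sending the queries (rather than being the target of a reflection attack) before dropping them, and exempt your own resolvers and monitoring hosts from any rule you apply.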