Debian 12 ISPConfig server

My syslog started growing at a spectacular rate in the past 5 days to a point it was filling the whole server disk. This is caused by millions of entries of this type:

    2026-02-12T15:41:55.044210+00:00 v1 named[270743]: client @0x7fce9a3c6498 218.78.140.194#38011 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)

The IP varies, so trying to firewall it out is impossible. ofi.com is a Chinese domain and this is not its nameserver - hence the 'not match'. It doesn't appear to be impacting the load average, but the syslog expanding to fill the disk makes it an effective DDOS. I am coping at the moment by running a cronjob every hour filleting syslog of all ofi.com entries. Can anyone tell me anything about this type of attack and any other remedial action I could be taking?
These hosts are probing you to see if you're an open resolver and/or trying cache snooping and ANY-query amplification patterns. BIND is blocking them correctly. What you could try is to create the file:

    /etc/rsyslog.d/ignore-bind-denied.conf

with this content:

    :msg, contains, "allow-query-cache did not match" stop

and then run:

    systemctl restart rsyslog

This is untested, though.
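Before silently dropping these lines it is worth knowing what they contain. The following is an added example (not code from the thread or from ISPConfig): it parses BIND "query ... denied" lines in the syslog format shown above, summarises them per queried name/type and per client, and counts how many lines the proposed rsyslog `contains` rule would discard. The log lines are constructed samples using documentation IP ranges.

```python
import re
from collections import Counter

# Matches BIND's "query ... denied" message as it appears in syslog (format taken from the thread).
NAMED_DENIED = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<name>[^)]+)\): query \((?P<source>\w+)\) '(?P<qname>[^/]+)/(?P<qtype>\w+)/IN' denied "
    r"\((?P<reason>[^)]+)\)"
)

# Constructed sample lines modelled on the entry in the thread (IPs are documentation addresses).
SAMPLE_LOG = """\
2026-02-12T15:41:55.044210+00:00 v1 named[270743]: client @0x7fce9a3c6498 203.0.113.10#38011 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:55.052000+00:00 v1 named[270743]: client @0x7fce9a3c6498 198.51.100.7#5301 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:56.000100+00:00 v1 named[270743]: client @0x7fce9a3c6498 203.0.113.10#38012 (ofi.com): query (cache) 'ofi.com/TXT/IN' denied (allow-query-cache did not match)
2026-02-12T15:41:57.000000+00:00 v1 sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 22
2026-02-12T15:41:58.000000+00:00 v1 named[270743]: client @0x7fce9a3c6400 192.0.2.9#4444 (example.net): query (cache) 'example.net/A/IN' denied (allow-query-cache did not match)
"""

# Same substring the rsyslog rule in the thread matches on.
RSYSLOG_FILTER = "allow-query-cache did not match"

def parse_denied(lines):
    """Yield a dict of fields for each BIND 'query denied' line; skip everything else."""
    for line in lines:
        m = NAMED_DENIED.search(line)
        if m:
            yield m.groupdict()

def summarize(text):
    """Count denied queries per (qname, qtype) and per client IP, plus lines the rsyslog rule would drop."""
    lines = text.splitlines()
    events = list(parse_denied(lines))
    by_query = Counter((e["qname"], e["qtype"]) for e in events)
    by_client = Counter(e["ip"] for e in events)
    would_drop = sum(1 for line in lines if RSYSLOG_FILTER in line)
    return {"events": len(events), "by_query": by_query,
            "by_client": by_client, "would_drop": would_drop}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['events']} denied queries; rsyslog rule would drop {s['would_drop']} lines")
    for (qname, qtype), n in s["by_query"].most_common():
        print(f"  {qname}/{qtype}: {n}")
    for ip, n in s["by_client"].most_common():
        print(f"  client {ip}: {n}")
```

Running it against a slice of the real syslog (e.g. `summarize(open('/var/log/syslog').read())`) shows whether the noise is a single name such as ofi.com/ANY or broader, which is useful when deciding between the rsyslog rule above and a narrower filter.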
Thanks Till. As if by magic the moment I posted the attack paused. It was expanding syslog by 5GB a day so it would have taken less than 5 days to break this server's spare space. If they restart I will test your suggestion and report back.
It did start again. Your suggestion appears tested and working ;-) Why millions of attempts from multiple servers are needed to probe for a bind misconfiguration is a mystery. Thank you.