Strange DNS attack killing syslog

Debian 12 ISPConfig server

My syslog started growing at a spectacular rate in the past 5 days to a point is was filling the whole server disk. This is caused by millions of these type of entries:

Code:

2026-02-12T15:41:55.044210+00:00 v1 named[270743]: client @0x7fce9a3c6498 218.78.140.194#38011 (ofi.com): query (cache) 'ofi.com/ANY/IN' denied (allow-query-cache did not match)

The IP varies so trying to firewall it out is impossible. ofi.com is a Chinese domain and this is not it's nameserver - hence the 'not match'. It doesn't appear to be impacting the load average but the syslog expanding to fill the disk makes it an effective DDOS.

I am coping at the moment by running a cronjob every hour filleting syslog of all ofi.com entries. Can any one tell me anything about this type of attack and any other remedial action I could be taking?

 

Thanks Till. As if by magic the moment I posted the attack paused. It was expanding syslog by 5GB a day so it would have taken less than 5 days to break this server's spare space.

If they restart I will test your suggestion and report back.

 

It did start again . Your suggestion appears tested and working ;-)
Why millions of attempts from multiple servers is needed to probe for a bind misconfiguration is a mystery. Thank you.

 

It is most probably a amplification attack. Request packets are small, but the response to the request can be significantly larger. If the attacker spoofs the requesting IP, they can generate massive traffic to that IP. For example, the answer to the request for ofi.com is over 5000 bytes in size.

 

Worryingly because I have suppressed the syslog messages won't be stopping the attack continuing. Is there anything I can do to stop the feedback short of disabling BIND? - which is not an option.