HIDS 12150
Rule 12150 | |
---|---|
Status | Active |
Alert Message | Bind DNS invalid query flood |
Contents |
Description
ASL does not cause this event to occur. ASL simply reports when your DNS server has rejected multiple queries from a single remote IP address, within 10 seconds, to your DNS server. ASL is not preventing your system from answering these queries, this event is occurring because your DNS server has been configured to reject these requests.
Please contact your DNS vendor for assistance if you believe your DNS server should not have rejected these queries as ASL does not configure your DNS server to do this.
Disabling this rule will have no effect on your DNS server rejecting these queries. Disabling this rule will just prevent ASL from notifying you when this occurs, however the event will continue to occur. Therefore we do not recommend you disable this rule.
The most common cause of this occurs when a DNS server is configured to not service recursive queries (which is generally recommended), and a host is listed as an authoritative source for a DNS zone when it is not, and remote clients/servers continue to query the host for records for this domain.
Log examples
Jan 1 10:19:01 hostname named[1234]: client 1.2.3.4#1234: view external: query (cache) `hostname/tld/MX/IN` denied
Troubleshooting
False Positives
None.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.