On 08/08/2016 20:59, Frank Even wrote:

> Thanks for the info. Also I'll have to note that I completely missed
> that the "offending IP" is one of the .uk root servers so the next
> logical conclusion is I've probably got a box in one of my environments
> driving an amplification attack of some sort or something at those IPs
> that I need to figure out. Sorry for the bother and thanks for the
> feedback. Much appreciated.

The host in question (156.154.100.3) is nsa.nic.uk, but is actually operated by UltraDNS / Neustar.

However to me it looks like _you're_ the one sending the queries, as evidenced by the 'A?' in your tcpdump log (where the ? indicates query, and 'A' on its own would be the response) and also the destination port of 53.

Ray
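
The reading of the tcpdump output described above (a `?` after the record type marks a query, and destination port 53 marks traffic headed to a server) applied to a capture, as an added example that is not part of the original thread. The sample lines, the local address 192.0.2.10, the query names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed lines in tcpdump's default DNS print format (not from the thread).
# 192.0.2.10 stands in for the local box; ids and names are made up.
SAMPLE = """\
20:59:01.100001 IP 192.0.2.10.41234 > 156.154.100.3.53: 4660+ A? www.example.co.uk. (35)
20:59:01.120002 IP 156.154.100.3.53 > 192.0.2.10.41234: 4660- 0/2/2 (98)
20:59:02.100003 IP 192.0.2.10.41235 > 156.154.100.3.53: 4661+ [1au] A? mail.example.co.uk. (47)
20:59:03.100004 IP 156.154.100.3.53 > 192.0.2.10.50000: 9999*- 1/0/0 A 203.0.113.5 (51)
"""

LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)(?P<flags>[^\s\d]*) (?P<rest>.*)"
)
QUERY = re.compile(r"(?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? ")  # e.g. "A? name."
RESPONSE = re.compile(r"\d+/\d+/\d+")  # answer/authority/additional counts

def classify(line):
    """Return parsed fields plus kind = query | response | other, or None."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    q = QUERY.match(rec["rest"])
    if q:
        rec["kind"], rec["qtype"] = "query", q["qtype"]
    else:
        rec["kind"] = "response" if RESPONSE.match(rec["rest"]) else "other"
    return rec

def summarize(text, remote):
    """Count queries sent to `remote` and responses from it, pairing them by id."""
    counts, pending = Counter(), set()
    for line in text.splitlines():
        r = classify(line)
        if r is None:
            continue
        if r["kind"] == "query" and r["dst"] == remote and r["dport"] == "53":
            counts["queries_sent"] += 1
            pending.add((r["src"], r["sport"], r["id"]))
        elif r["kind"] == "response" and r["src"] == remote and r["sport"] == "53":
            counts["responses_received"] += 1
            key = (r["dst"], r["dport"], r["id"])
            if key in pending:
                pending.discard(key)
            else:
                counts["responses_without_query"] += 1
    return counts

if __name__ == "__main__":
    print(dict(summarize(SAMPLE, "156.154.100.3")))
```

A capture dominated by `queries_sent` means the local host is originating the lookups; responses that match no earlier query in the capture are the ones worth a closer look.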