
Too many records on /var/log/syslog query cache denied

SalvadorS

Regular Pleskian
Hello,

I have a Debian 7, Plesk 11.5.30 machine. Every day I have a 100+ MB /var/log/syslog file flooded with these records:

Code:
Aug  9 08:24:04 server named[12058]: client 80.58.184.132#47270: query (cache) 'mail.domain.com/A/IN' denied
Aug  9 08:27:06 server named[12058]: client 80.58.184.26#31264: query (cache) 'mail.domain.com/A/IN' denied
Aug  9 08:56:54 server named[12058]: client 157.56.96.4#61922: query (cache) 'www.domain.com/A/IN' denied
Aug  9 09:02:23 server named[12058]: client 218.85.152.147#5330: query (cache) 'domain.com/A/IN' denied
Aug  9 09:02:25 server named[12058]: client 218.85.157.18#42071: query (cache) 'www.domain.com/A/IN' denied
Aug  9 09:02:27 server named[12058]: client 218.85.157.18#26811: query (cache) 'domain.com/A/IN' denied
Aug  9 09:04:39 server named[12058]: client 195.140.186.15#14285: query (cache) 'domain.com/MX/IN' denied
Aug  9 09:04:39 server named[12058]: client 195.140.186.15#21900: query (cache) 'ns.domain.com/A/IN' denied
Aug  9 09:13:16 server named[12058]: client 74.125.178.23#51621: query (cache) 'mail.domain.com/AAAA/IN' denied
Aug  9 09:20:16 server named[12058]: client 80.58.184.14#7904: query (cache) 'mail.domain.com/A/IN' denied
Aug  9 09:23:40 server named[12058]: client 5.39.74.10#9726: query (cache) 'domain.com/MX/IN' denied
Aug  9 09:23:40 server named[12058]: client 5.39.74.10#20156: query (cache) 'ns.domain.com/AAAA/IN' denied
Aug  9 09:23:40 server named[12058]: client 5.39.74.10#24196: query (cache) 'ns.domain.com/A/IN' denied
Aug  9 09:28:18 server named[12058]: client 65.55.37.41#38157: query (cache) 'www.domain.com/A/IN' denied
Aug  9 09:39:12 server named[12058]: client 208.69.33.15#61152: query (cache) 'domain.com/MX/IN' denied
Aug  9 09:45:48 server named[12058]: client 74.125.178.23#33881: query (cache) 'mail.domain.com/AAAA/IN' denied
Aug  9 09:49:50 server named[12058]: client 81.47.231.10#9500: query (cache) 'www.domain.com/NS/IN' denied
Aug  9 09:49:50 server named[12058]: client 81.47.231.10#59561: query (cache) 'domain.com/NS/IN' denied
Aug  9 09:57:38 server named[12058]: client 212.89.0.70#43096: query (cache) 'domain.com/A/IN' denied
Aug  9 09:59:46 server named[12058]: client 74.125.185.17#51133: query (cache) 'domain.com/MX/IN' denied
Aug  9 09:59:51 server named[12058]: client 74.125.178.21#50299: query (cache) 'mail.domain.com/AAAA/IN' denied
Aug  9 10:06:57 server named[12058]: client 74.125.181.84#39547: query (cache) 'domain.com/MX/IN' denied
Aug  9 10:09:14 server named[12058]: client 65.55.37.37#32183: query (cache) 'www.domain.com/A/IN' denied
Aug  9 10:10:18 server named[12058]: client 74.125.18.213#35472: query (cache) 'domain.com/MX/IN' denied
Aug  9 10:17:11 server named[12058]: client 209.139.197.125#53858: query (cache) 'domain.com/NS/IN' denied
Aug  9 10:17:11 server named[12058]: client 209.139.197.125#48436: query (cache) 'domain.com/A/IN' denied
Aug  9 10:20:09 server named[12058]: client 178.19.37.55#54109: query (cache) 'domain.com/A/IN' denied
Aug  9 10:20:09 server named[12058]: client 178.19.37.55#53804: query (cache) 'domain.com/MX/IN' denied
Aug  9 10:24:13 server named[12058]: client 74.125.189.21#45530: query (cache) 'domain.com/A/IN' denied
Aug  9 10:30:26 server named[12058]: client 74.125.187.16#38571: query (cache) 'domain.com/MX/IN' denied
Aug  9 10:30:28 server named[12058]: client 64.18.3.254#27182: query (cache) 'mail.domain.com/A/IN' denied
Aug  9 10:33:55 server named[12058]: client 213.180.212.34#50027: query (cache) 'www.domain.com/A/IN' denied
Aug  9 10:35:36 server named[12058]: client 81.47.231.138#18211: query (cache) 'www.domain.com/A/IN' denied
Aug  9 10:35:36 server named[12058]: client 81.47.231.138#33299: query (cache) 'domain.com/A/IN' denied
Aug  9 10:35:51 server named[12058]: client 208.43.118.3#61535: query (cache) 'www.domain.com/AAAA/IN' denied
Aug  9 10:35:52 server named[12058]: client 208.43.118.2#62291: query (cache) 'www.domain.com/A/IN' denied
Aug  9 10:35:53 server named[12058]: client 208.43.118.2#51230: query (cache) 'domain.com/A/IN' denied
Aug  9 10:36:58 server named[12058]: client 213.98.99.27#26878: query (cache) 'domain.com/A/IN' denied
Aug  9 10:38:17 server named[12058]: client 62.245.148.17#4501: query (cache) 'domain.com/A/IN' denied
Aug  9 10:42:03 server named[12058]: client 193.0.248.157#40524: query (cache) 'domain.com/MX/IN' denied
Aug  9 10:43:45 server named[12058]: client 74.125.18.84#47232: query (cache) 'domain.com/TXT/IN' denied
Aug  9 10:56:03 server named[12058]: client 157.56.96.8#48514: query (cache) 'www.domain.com/A/IN' denied
Aug  9 11:05:07 server named[12058]: client 65.55.81.6#54679: query (cache) 'domain.com/TXT/IN' denied
Aug  9 11:05:07 server named[12058]: client 65.55.81.8#5132: query (cache) 'domain.com/MX/IN' denied
Aug  9 11:05:08 server named[12058]: client 65.55.81.7#41913: query (cache) 'domain.com/A/IN' denied
Aug  9 11:12:24 server named[12058]: client 77.88.42.26#5335: query (cache) 'www.domain.com/A/IN' denied
Aug  9 11:12:24 server named[12058]: client 77.88.42.26#5335: query (cache) 'domain.com/A/IN' denied
Aug  9 11:15:39 server named[12058]: client 5.39.111.26#50224: query (cache) 'mail.domain.com/A/IN' denied
Aug  9 11:15:55 server named[12058]: client 81.47.231.22#27151: query (cache) 'www.domain.com/A/IN' denied
Aug  9 11:21:12 server named[12058]: client 157.56.96.9#8240: query (cache) 'www.domain.com/A/IN' denied
Aug  9 11:31:49 server named[12058]: client 91.80.36.251#41631: query (cache) 'domain.com/A/IN' denied
Aug  9 11:31:49 server named[12058]: client 91.80.36.251#31556: query (cache) 'www.domain.com/A/IN' denied
Aug  9 11:32:25 server named[12058]: client 74.125.187.211#54058: query (cache) 'mail.domain.com/AAAA/IN' denied
Aug  9 11:32:26 server named[12058]: client 74.125.186.149#58253: query (cache) 'mail.domain.com/A/IN' denied
Aug  9 11:33:02 server named[12058]: client 60.215.138.233#14796: query (cache) 'domain.com/A/IN' denied
Aug  9 11:33:04 server named[12058]: client 74.125.16.215#64555: query (cache) 'www.domain.com/A/IN' denied
Aug  9 11:36:26 server named[12058]: client 81.47.231.144#40121: query (cache) 'mail.domain.com/A/IN' denied
Aug  9 11:41:58 server named[12058]: client 74.125.178.18#51830: query (cache) 'mail.domain.com/AAAA/IN' denied

domain.com stands for domains which were hosted on this server (they have a DNS record of this server) but are no longer hosted, or were directly never hosted with us (but they have the DNS of this machine).

What is this? Is it correct?
 
Those are reverse DNS queries which are denied and are logged. Such attempts are mostly carried out from hacked servers. It may be a DNS DDoS attack. If the requests are coming from the same IP or subnet, block them and notify the owner of the IP.
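As an added example that is not part of the thread: a small Python script that parses BIND's `query (cache) ... denied` syslog lines (BIND logs these when a client asks for a name the server is not authoritative for and the client is not allowed to use the cache or recursion) and aggregates them by client IP, client subnet and queried name, which is the "same IP or subnet" check suggested above and lets a flood from one source be told apart from scattered lookups by many resolvers. The sample log lines, IPs and names are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Syslog form of BIND's denied cache/recursion query message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)' denied$"
)

# Constructed sample lines modelled on the thread; IPs and names are documentation ranges.
SAMPLE_LOG = """\
Aug  9 08:24:04 server named[1234]: client 203.0.113.10#47270: query (cache) 'mail.example.com/A/IN' denied
Aug  9 08:24:05 server named[1234]: client 203.0.113.11#31264: query (cache) 'mail.example.com/A/IN' denied
Aug  9 08:24:06 server named[1234]: client 203.0.113.12#61922: query (cache) 'www.example.com/A/IN' denied
Aug  9 08:24:06 server named[1234]: client 203.0.113.12#61923: query (cache) 'example.com/MX/IN' denied
Aug  9 09:02:23 server named[1234]: client 198.51.100.7#5330: query (cache) 'example.com/MX/IN' denied
Aug  9 09:04:39 server named[1234]: client 192.0.2.44#14285: query (cache) 'example.org/A/IN' denied
Aug  9 09:04:40 server named[1234]: client 2001:db8::1#5335: query (cache) 'example.com/AAAA/IN' denied
Aug  9 09:05:00 server sshd[999]: Accepted publickey for root from 192.0.2.9
"""

def parse_denied(text):
    """Return one dict per 'query (cache) ... denied' line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def subnet_of(ip, v4_prefix=24, v6_prefix=64):
    """Map a client IP to its /24 (IPv4) or /64 (IPv6) network so nearby sources group together."""
    addr = ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def summarize(events):
    """Count denied queries by client IP, by client subnet and by (name, record type)."""
    by_ip = Counter(e["ip"] for e in events)
    by_subnet = Counter(subnet_of(e["ip"]) for e in events)
    by_name = Counter((e["name"], e["rtype"]) for e in events)
    return {"by_ip": by_ip, "by_subnet": by_subnet, "by_name": by_name}

def top_sources(events, min_hits):
    """Subnets with at least min_hits denied queries: the candidates worth blocking or reporting."""
    by_subnet = summarize(events)["by_subnet"]
    return [(net, n) for net, n in by_subnet.most_common() if n >= min_hits]
```

Run it against /var/log/syslog with `parse_denied(open("/var/log/syslog").read())`; many distinct /24s each sending a handful of MX/A lookups points to ordinary resolvers still following stale delegations, while one subnet dominating the counts is the pattern worth acting on.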
 
Thanks for the quick reply Igor.

I checked the rest of my servers and all have those records in the syslog file. Also I don't think it is a DDoS attack, see these two lines:

Aug 9 10:24:13 server named[12058]: client 74.125.189.21#45530: query (cache) 'domain.com/A/IN' denied
Aug 9 10:30:26 server named[12058]: client 74.125.187.16#38571: query (cache) 'domain.com/MX/IN' denied

A whois to the IP:

IP Address 74.125.187.16
Host 74.125.187.16
Location US, United States
City Mountain View, CA 94043
Organization Google Translate
ISP Google
AS Number AS15169 Google Inc.

It seems Google checks the DNS of domain.com, and domain.com has the DNS of this server, but it is not hosted on this server... Is it a possibility?
 