How to prevent an on-going DNS reflection attack?

jols

Well-Known Member
Mar 13, 2004
We are serving DNS from this server. Running WHM 11.32.4 (build 15).

Our /var/log/messages is full of entries like this:

Sep 22 04:52:05 apogee named[32381]: client 62.6.40.178#48758: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:06 apogee named[32381]: client 24.197.239.154#52579: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 74.125.181.25#65069: view external: query (cache) 'stevengoodphoto.com/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 74.125.17.91#52658: view external: query (cache) 'stevengoodphoto.com/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#37547: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#33757: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#29783: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:08 apogee named[32381]: client 84.14.138.206#44995: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:08 apogee named[32381]: client 173.203.4.49#26700: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.49#42211: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.48#33108: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.48#33796: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.46#42156: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.46#23844: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:10 apogee named[32381]: client 150.70.64.50#24021: view external: query (cache) 'servicemanagementart.ca/AAAA/IN' denied
Sep 22 04:52:11 apogee named[32381]: client 192.94.94.26#12494: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:11 apogee named[32381]: client 199.21.99.69#5335: view external: query (cache) 'luxuryskinstore.com/A/IN' denied
Sep 22 04:52:13 apogee named[32381]: client 192.94.94.27#51031: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:16 apogee named[32381]: client 192.94.94.26#56678: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:16 apogee named[32381]: client 87.236.197.113#26156: view external: query (cache) 'homefarmland.com/A/IN' denied

I believe the attacker may be using our server in a reflection attack by hitting our DNS services this way. But in any case, this seems to be senselessly adding 4 to 8 to the load average of this server, 24 hours per day.

We've got all the standard security configs in named.conf, but I have not switched off allow-recursion { trusted; }; yet, and recursion yes; is still set further down the list. I have heard that when this is done it can interfere with some scripts, particularly those involved with cc APIs, and so on.

Currently I've got a shell script that runs every 20 seconds, tailing the last 30 log entries in /var/named/data/named.run. It looks for log entries containing the word "denied", then blocks the IPs via /etc/csf/csf.pl -d. But the attacking IPs are seemingly endless, so this is doing next to no good as far as I can tell.

Advice anyone?

Thanks very much!
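As an added example (not from the original post, and not cPanel's or CSF's code), here is a Python 3 script that does what the every-20-seconds shell loop above is trying to do, but counts first and blocks second: it parses the "query (cache) ... denied" lines, folds the case-randomised names, counts denied queries per client and per name, and only proposes a csf deny for clients whose rate inside a time window reaches a threshold. The sample lines are copied from the post plus one constructed non-matching "zone ... loaded" line; the window, the threshold and the comment argument passed to csf.pl -d are assumptions. Two caveats worth keeping in mind when reading the counts: a query that named logs as denied is answered with REFUSED, a reply of about the same size as the query, so these lines by themselves are not evidence that the server is amplifying anything; and in a real reflection attack the source address is the victim's, spoofed, so a per-IP deny list grows without bound and punishes the wrong hosts, which is why the script returns the commands it would run rather than executing them.

```python
"""Aggregate BIND 'query (cache) ... denied' lines per client and per name.

Added example, not from the original post, cPanel or CSF. SAMPLE_LOG holds
lines copied from the post plus one constructed non-matching line; window,
threshold and the csf.pl -d comment are assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# BIND 9 logs a refused query as
#   <syslog ts> <host> named[<pid>]: client <ip>#<port>: view <v>: \
#   query (cache) '<qname>/<qtype>/<qclass>' denied
# The 'view <v>:' part is absent when named.conf defines no views.
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

SAMPLE_LOG = """\
Sep 22 04:52:05 apogee named[32381]: client 62.6.40.178#48758: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#37547: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#33757: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:07 apogee named[32381]: client 84.14.138.206#29783: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:08 apogee named[32381]: client 84.14.138.206#44995: view external: query (cache) 'stEVeNgooDPHOto.CoM/A/IN' denied
Sep 22 04:52:08 apogee named[32381]: client 173.203.4.49#26700: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:09 apogee named[32381]: client 173.203.4.49#42211: view external: query (cache) 'charleslthomas.com/MX/IN' denied
Sep 22 04:52:11 apogee named[32381]: client 192.94.94.26#12494: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:16 apogee named[32381]: client 192.94.94.26#56678: view external: query (cache) 'homefarmland.com/MX/IN' denied
Sep 22 04:52:16 apogee named[32381]: client 87.236.197.113#26156: view external: query (cache) 'homefarmland.com/A/IN' denied
Sep 22 04:52:20 apogee named[32381]: zone example.com/IN: loaded serial 2012092201
""".splitlines()  # last line is constructed, to show non-matching input being skipped


def parse_denied(line):
    """Return a dict for a denied-query line, or None for any other line."""
    m = DENIED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # Syslog stamps carry no year; strptime's 1900 is fine for same-day deltas.
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    # Fold case: 'stEVeNgooDPHOto.CoM' is the querying resolver's 0x20 case
    # randomisation of the same name, so it must not be counted separately.
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def summarize(lines):
    """Count denied queries per client IP and per name; skip unrelated lines."""
    per_ip, per_name, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            skipped += 1
            continue
        per_ip[rec["ip"]] += 1
        per_name[rec["qname"]] += 1
    return per_ip, per_name, skipped


def peak_rate(lines, window_seconds):
    """Most denied queries from each IP inside any window of the given length."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_denied(line)
        if rec is not None:
            times[rec["ip"]].append(rec["when"])
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):  # sliding window over sorted stamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def block_candidates(peaks, threshold):
    """IPs whose peak rate reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


def csf_deny_commands(ips, comment="denied-query flood"):
    """csf deny command lines to review (or run) for each candidate IP."""
    return ['/etc/csf/csf.pl -d %s "%s"' % (ip, comment) for ip in ips]


if __name__ == "__main__":
    per_ip, per_name, skipped = summarize(SAMPLE_LOG)
    print("per client:", per_ip.most_common())
    print("per name:  ", per_name.most_common())
    print("skipped:   ", skipped)
    peaks = peak_rate(SAMPLE_LOG, window_seconds=10)
    for cmd in csf_deny_commands(block_candidates(peaks, threshold=3)):
        print(cmd)
```

Pointed at the real file instead of SAMPLE_LOG (for example `open("/var/named/data/named.run")` over the last few thousand lines), the per-name counter is the more useful output: a handful of names that the server is not authoritative for, queried over and over from many resolvers, says more about what is going on than the ever-changing list of client addresses does.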

jols
More detail for my named.conf settings:

In view "external" { ... }, recursion is set to "no".

In view "localhost_resolver" { ... }, recursion is set to "yes".

In view "internal" { ... }, recursion is set to "yes".


So could these just be attempts that are essentially not sending responses out, and are truly being denied? If so, then how the heck can I prevent logging for this stuff?