Potential DNS DDoS (query (cache) ‘./NS/IN’ denied)

I started getting a ton of these in my DNS logs a few days ago:

Jan 19 05:33:47 comp named[4488]: client 76.9.31.42#55056: query (cache) './NS/IN' denied Jan 19 05:33:53 comp named[4488]: client 76.9.31.42#30931: query (cache) './NS/IN' denied Jan 19 05:33:59 comp named[4488]: client 76.9.31.42#31789: query (cache) './NS/IN' denied Jan 19 05:34:06 comp named[4488]: client 76.9.31.42#38458: query (cache) './NS/IN' denied Jan 19 05:34:12 comp named[4488]: client 76.9.31.42#31734: query (cache) './NS/IN' denied Jan 19 05:34:18 comp named[4488]: client 76.9.31.42#52640: query (cache) './NS/IN' denied Jan 19 05:34:24 comp named[4488]: client 76.9.31.42#12441: query (cache) './NS/IN' denied Jan 19 05:34:30 comp named[4488]: client 76.9.31.42#20453: query (cache) './NS/IN' denied

I started getting a ton of these in my DNS logs a few days ago:

Doing some research on the IPs, I’ve been seeing some talk about a potential DDoS attack in progress. Basically it’s flooding the spoofed source with replies. To counter this, I thought I would create a rule in fail2ban to block if there are 50 of these in a short span. This effectively is working, but I’m wondering if should just block the problem sources until the storm has passed. Currently, these are the IPs I’m seeing

69.50.142.110 76.9.16.171 76.9.31.42 69.50.142.11 66.230.160.1 66.230.128.15

There are few mentions of this on the web. Dshield seems to be the most active so far:
http://www.dshield.org/indexd.html

There is also a only tool at isc.sans.org where you can verify if your DNS server responds to “.” queries with a full list of root name servers. The link is here:
http://isc1.sans.org/dnstest.html

As you can also see, I commented below with a fail2ban rule to identify and block these.. if they’re being denied.