I've been asked to take a look at a named DNS server that's apparently being DoSed. It shows indeed quite a lot of random requests from random (likely spoofed) IPs.
The queries look like this: rbzdywf.www.xtj123.com, all of them different and between 5 and 15 every second (at least for the time I was actively watching them).
The weird thing is: the amount of traffic those requests generate is only enough to take the DNS down once every few days (on specific peak hours, I guess), so it doesn't make much sense as either a random or a targeted attack.
Needless to say, the DNS setup is a bit on the crappy side, configured long ago by someone no longer working there, and whose configurations are maintained as they are mostly because no one is really sure about what could break if they were changed. It'll be nuked from orbit and rebuilt sometime soon, but in the meanwhile they need to keep it up and running.
First thing I did was to disable recursion (god knows why it wasn't disabled, as it's an authoritative server) and global allow-transfer (which is individually enabled as "any" for several zones, again god knows why).
Tests show that non-authoritative queries now return a "rejected" status. Should that be enough to keep this crap running at the very least?
And why the hell would anyone maintain such a weak sustained attack against a DNS server? Both IPs and queried addresses are completely random, so it doesn't seem to be part of an attack against another target, and as I said before the traffic isn't high enough to consistently bring the service down (which anyone motivated enough could have easily done, given the utter misconfiguration of named).
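Added example (not from the original post): a small Python detector that reads BIND-style query-log lines and flags the pattern described above, many never-repeated leftmost labels under one parent name from many source addresses. The log lines are constructed and only approximate BIND's query-log layout, and the thresholds are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of BIND's query log (exact layout
# depends on the logging channel in named.conf, so the regex is lenient).
SAMPLE_LOG = """\
01-Jan-2024 10:00:00.101 client 198.51.100.7#4455 (rbzdywf.www.xtj123.com): query: rbzdywf.www.xtj123.com IN A + (192.0.2.53)
01-Jan-2024 10:00:00.230 client 203.0.113.18#5011 (qpxkvbm.www.xtj123.com): query: qpxkvbm.www.xtj123.com IN A + (192.0.2.53)
01-Jan-2024 10:00:00.402 client 198.51.100.9#6102 (lkdjsyt.www.xtj123.com): query: lkdjsyt.www.xtj123.com IN A + (192.0.2.53)
01-Jan-2024 10:00:00.610 client 203.0.113.77#4001 (zzqmvue.www.xtj123.com): query: zzqmvue.www.xtj123.com IN A + (192.0.2.53)
01-Jan-2024 10:00:00.815 client 198.51.100.44#5333 (hbtrcxa.www.xtj123.com): query: hbtrcxa.www.xtj123.com IN A + (192.0.2.53)
01-Jan-2024 10:00:01.120 client 192.0.2.10#5353 (www.example.org): query: www.example.org IN A + (192.0.2.53)
01-Jan-2024 10:00:01.880 client 192.0.2.10#5353 (www.example.org): query: www.example.org IN AAAA + (192.0.2.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client (?:@\S+ )?"
    r"(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_query_log(text):
    """Yield (second, source_ip, qname) for each line the regex recognises."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            second = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            yield second, m.group("src"), m.group("qname").lower().rstrip(".")

def per_parent_stats(text):
    """Group queries by the name minus its leftmost label (the part an attacker randomises)."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(), "per_sec": defaultdict(int)})
    for second, src, qname in parse_query_log(text):
        parent = qname.split(".", 1)[1] if "." in qname else qname
        s = stats[parent]
        s["queries"] += 1
        s["names"].add(qname)          # unique names: near 100% in a random-label flood
        s["clients"].add(src)          # distinct sources: spoofed floods spread widely
        s["per_sec"][second] += 1      # burst rate per wall-clock second
    return stats

def flag_random_subdomain_floods(text, min_peak_qps=5, min_unique_ratio=0.9):
    """Return parents whose peak rate and share of never-repeated names exceed the (assumed) thresholds."""
    flagged = {}
    for parent, s in per_parent_stats(text).items():
        peak = max(s["per_sec"].values())
        unique_ratio = len(s["names"]) / s["queries"]
        if peak >= min_peak_qps and unique_ratio >= min_unique_ratio:
            flagged[parent] = {"peak_qps": peak, "unique_ratio": round(unique_ratio, 2), "clients": len(s["clients"])}
    return flagged
```

On the sample, only `www.xtj123.com` is flagged; the repeated `www.example.org` lookups from one client stay below both thresholds.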