Hehehe, that address is coming from Russia so you can pretty much assume
it's badness.
If you don't want to wait for your firewall team for future events like
this, you can always blacklist them too.

blackhole { address_match_list };

On Wed, Jul 30, 2008 at 8:55 AM, Terpasaur wrote:

> Good morning.
>
> I upgraded our last resolver this morning to the new P1 code and
> turned on "rndc querylog". I am seeing a steady stream of these
> messages with the same IP at a rate of about 100/min.
>
> Jul 30 11:50:39 ns2 named[2780]: [ID 873579 daemon.info] security:
> info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
>
> Is this an example of the cache exploit attempt?
>
> I've already spoken with our INET team about blocking the IP at the
> firewall a couple of days to see if the automated mechanism stops
> because of denied access, or if it continues regardless.
>
> Thanks,
>
> Emery Rudolph
> Sr. Systems Analyst
> Office of Information Technology
> University of Maryland University College
> Email: Erudolph@umuc.edu
>
>
>
>