Random DNS queries from Cloudflare IPs to my DNS server

I currently run a self-hosted AdGuard server and I’ve noticed a series of random and spammy DNS requests coming from CF IPs in my logs:

I’ve never visited bodybuilding.com. All 716483 requests logged for this domain are from CF IPs:

<image attached below because apparently I can’t include more than 1 image in a first-time post>

I’ve seen this happen before with other domains, but I can’t remember which ones specifically.

As I type this out, I realise that the requests happen over plain DNS which could mean that this is an attempt at a reflected DDoS. Is this likely to be the case or is there some other reason for these random requests?

Aforementioned below-attached image:

Welcome to the Cloudflare Community.

I don’t have an answer for why you are seeing this traffic. I am curious as to why your DNS resolver accepts queries from anywhere other than your own trusted networks.

Because I use this DNS resolver for blocking ads and DoH/DoT on various devices, some of which are mobile and hence, don’t have fixed IP addresses. Configuring each client to have a unique client ID takes a lot of time and sometimes is not possible as far as I’m aware (Android).

Eventually I intend to connect all my devices to an always-on VPN, but that is still work-in-progress.

In the meantime, the resolver is open which I don’t think to be inherently a major issue given that many open resolvers exist. Granted, most of them are operated by organisations with the resources to secure them properly.

If indeed this is an attempt at a reflected DDoS (a lousy one though given that the attacker seems to be targeting multiple servers at the same time and is bouncing off the ratelimiter), I think I will just close UDP port 53 for the time being since I only use DoH/DoT anyway and all of those are secure against amplification DDoS attacks.


That sounds like a good next step.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.