awyeah: this log entry doesn't look like a ddos attack on you. someone is sending you a query (which is small), hoping that your dns server is sending back a reply to the (probably spoofed, to point to the victim) source address. but your server is denying the request, so there's no amplification
awyeah: i also get those queries a lot (and also for other domains). have you considered implementing response rate limiting, so you don't reply to every request?
awyeah: (not saying that you aren't actually ddos'd, but that doesn't look like it's part of the ddos)
ant: I am getting thousands of them per minute. And that particular domain has a large zone associated with it. But anyway, it's denying the requests anyway, since I'm not running a recursive server. So maybe at some point they'll get the message ;)