Sudden increase in DNS queries

suricata 7.0.2
opensuse tumbleweed
linux v5.14.21

Since about 28-Oct-2023 there has been a sudden increase in the number of log entries (see below) added to the EVE log. Typically it would be about 35 MB per day. Today xz failed to compress the file because it was 12 GB.

I do not understand why there is such a sudden increase in logging.

Any ideas of how to detect and drop these spurious requests?

{"timestamp":"2023-10-30T10:14:40.639614-0700","flow_id":210536768715626,"event_type":"dns","src_ip":"189.127.26.151","src_port":26324,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"version":2,"type":"answer","id":128,"flags":"83a0","qr":true,"tc":true,"rd":true,"ra":true,"opcode":0,"rrname":"cisco.com","rrtype":"TXT","rcode":"NOERROR"}}
{"timestamp":"2023-10-30T10:14:40.639888-0700","flow_id":215023921138469,"event_type":"dns","src_ip":"189.127.26.168","src_port":24115,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":53414,"rrname":"atlassian.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640059-0700","flow_id":215759980630953,"event_type":"dns","src_ip":"189.127.27.227","src_port":42421,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":1017,"rrname":"atlassian.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640220-0700","flow_id":216450167157858,"event_type":"dns","src_ip":"189.127.27.112","src_port":21234,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":53316,"rrname":"cisco.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640384-0700","flow_id":217153725386661,"event_type":"dns","src_ip":"189.127.27.74","src_port":24390,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":18292,"rrname":"apple.com","rrtype":"TXT","tx_id":0,"opcode":0}}

I have adjusted BIND named to limit ALL responses to at most 20 per second. It has reduced the load on the DNS server. The logs are still filling up extremely quickly.

Some of the IPs originate in Brazil (.br). Others have no resolution.

I attempted to use fail2ban to block the offending IPs; it did not go well: over 20,000 IPs blocked in one hour. It would have overwhelmed my server quickly. Our DNS server is meant for local resolution, and the occasional public resolution for one IP.

Here is a typical excerpt from the named rate-limit log.

30-Oct-2023 17:39:42.876 rate-limit: info: client @0x7f68680013a0 200.36.217.77#36757 (atlassian.com): rate limit drop all response to 200.36.217.0/24
30-Oct-2023 17:39:42.876 rate-limit: info: client @0x7f68600222a0 200.36.216.182#48049 (apple.com): rate limit drop all response to 200.36.216.0/24
30-Oct-2023 17:39:42.876 rate-limit: info: client @0x7f68680013a0 200.36.219.178#32897 (apple.com): rate limit drop all response to 200.36.219.0/24
30-Oct-2023 17:39:42.888 rate-limit: info: client @0x7f68600222a0 200.36.218.254#18806 (cisco.com): rate limit drop all response to 200.36.218.0/24
30-Oct-2023 17:39:42.888 rate-limit: info: client @0x7f686c0013a0 200.36.218.145#46533 (apple.com): rate limit drop all response to 200.36.218.0/24
30-Oct-2023 17:39:42.896 rate-limit: info: client @0x7f68600222a0 200.36.218.72#34394 (cisco.com): rate limit drop all response to 200.36.218.0/24
30-Oct-2023 17:39:42.896 rate-limit: info: client @0x7f68600222a0 200.36.217.122#38932 (cisco.com): rate limit drop all response to 200.36.217.0/24
30-Oct-2023 17:39:42.896 rate-limit: info: client @0x7f6871ea5dc0 200.36.217.43#25264 (cisco.com): rate limit drop all response to 200.36.217.0/24
30-Oct-2023 17:39:42.928 rate-limit: info: client @0x7f6871ea5dc0 200.36.219.213#24439 (cisco.com): rate limit drop all response to 200.36.219.0/24

Any recommendations about how to create a rule to detect the unwanted DNS queries?
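A triage pass over the EVE DNS log, as an added example that is not from the post or from the Suricata project: it reads EVE JSON lines, keeps only DNS query events arriving from outside the local network, and counts them per queried name/type and per source /24, which surfaces the pattern visible above (TXT queries for a few large domains from many addresses in the same blocks). The sample lines, the local network 192.168.69.0/24 and the threshold are constructed assumptions.

```python
import json
import ipaddress
from collections import Counter

# Constructed EVE lines mirroring the fields in the post (not the poster's real log).
SAMPLE_EVE = """
{"timestamp":"2023-10-30T10:14:40.639888-0700","event_type":"dns","src_ip":"189.127.27.227","src_port":42421,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1017,"rrname":"cisco.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640059-0700","event_type":"dns","src_ip":"189.127.27.112","src_port":21234,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","dns":{"type":"query","id":53316,"rrname":"cisco.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640220-0700","event_type":"dns","src_ip":"189.127.27.74","src_port":24390,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18292,"rrname":"cisco.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640384-0700","event_type":"dns","src_ip":"189.127.26.168","src_port":24115,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","dns":{"type":"query","id":53414,"rrname":"atlassian.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640501-0700","event_type":"dns","src_ip":"189.127.26.151","src_port":26324,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","dns":{"type":"query","id":128,"rrname":"atlassian.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:41.000000-0700","event_type":"dns","src_ip":"192.168.69.10","src_port":50000,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7,"rrname":"example.org","rrtype":"A","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:41.100000-0700","event_type":"dns","src_ip":"189.127.26.151","src_port":26324,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","dns":{"version":2,"type":"answer","id":128,"rrname":"cisco.com","rrtype":"TXT","rcode":"NOERROR"}}
"""


def parse_dns_queries(lines, local_net="192.168.69.0/24"):
    """Yield (src_ip, rrname, rrtype) for DNS *query* events whose source is outside local_net.
    Answer events and queries from the local network are skipped."""
    net = ipaddress.ip_network(local_net)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        dns = ev.get("dns", {})
        if ev.get("event_type") != "dns" or dns.get("type") != "query":
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        if src in net:
            continue
        yield str(src), dns["rrname"], dns["rrtype"]


def triage(lines, local_net="192.168.69.0/24", threshold=3):
    """Count external queries per (rrname, rrtype) and per source /24; report those at or above threshold."""
    by_name, by_block = Counter(), Counter()
    for src, rrname, rrtype in parse_dns_queries(lines, local_net):
        by_name[(rrname, rrtype)] += 1
        # Aggregate to the /24, matching how BIND's rate limiter reported the sources.
        by_block[str(ipaddress.ip_network(f"{src}/24", strict=False))] += 1
    return {
        "names": {f"{n}/{t}": c for (n, t), c in by_name.items() if c >= threshold},
        "blocks": {b: c for b, c in by_block.items() if c >= threshold},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVE.splitlines()), indent=1))
```

Run it against the real eve.json (for example with `threshold` raised to a few hundred) to get the names and /24 blocks worth writing a rule or a firewall entry for.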

How would you define “unwanted” DNS queries? You could look into the DNS keywords section of the Suricata documentation (8.15. DNS Keywords — Suricata 8.0.0-dev documentation).