Hello there,
I have not logged into my pi-hole web interface for the last 24 hours, but when I just looked I was suprised to see 90 random clients connected and more than 300,000 queries! There's normally around 20 clients connected with around 40-50k total queries in a day.
All of the random clients connected to my pi-hole because I (stupidly) forgot to unforward port 53 after I was finished testing something.
The clients seem to be spamming requests to the same website - 5hz.org which is apparently an 'AAA' record according to the interface.
I have now got rid of my port forwarding rule for DNS so the clients can't connect anymore. Does anyone know what the website is for and what the purpose of this attack is? Some of the clients have the hostname of an Amazon EC2 Instance of some of them report other hostnames. Most of them say 'unknown' though.
In a 4 minute period from 5:30 - 5:34am this morning they spammed over 43,000 DNS queries! It dosen't look like they are spamming all the time, as there are only 4 massive peaks in the pi-hole graph.
Many Thanks.