This shows IP addresses making repeated requests for the same FQDN over and over again (i.e. many times per minute).
An attacker has two reasons to do this:
- To cause a Denial of Service against the IP address shown in the Reverse DNS column (the source, or FROM, address of a DNS query is easily spoofed, so the server's replies are sent to that address)
- To attempt to overload the DNS server itself by making repeated requests
In both cases WinBIND protects against this by automatically adding a DENY rule to the Windows Firewall within a few minutes of detection. WinBIND removes the offending client from the firewall rule after a certain period of time, so the Occurrences column shows the number of times this IP address found itself on the blacklist again.
| IP Address | Occurrences | Reverse DNS |
|---|---|---|
| 35.200.159.104 | 7 | 104.159.200.35.gc.googleusercontent.com |
| 101.71.138.0 | 5 | - |
| 74.63.237.180 | 5 | 180-237-63-74.static.reverse.lstn.net |
| 117.27.239.0 | 4 | - |
| 5.63.14.144 | 4 | 5-63-14-144.faraso.org |
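The detection described above (one client asking the same question many times per minute) can be sketched as follows. This is an added example, not WinBIND's own code: the threshold of 5 per minute, the assumed BIND 9 query-log layout, and the sample log lines (documentation address ranges) are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed threshold; the page does not state WinBIND's actual detection rule.
THRESHOLD_PER_MINUTE = 5

# Assumed BIND 9 query-log layout: timestamp, client ip#port, then name class type.
LINE_RE = re.compile(
    r"^(?P<minute>\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ .*?"
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?"
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

def find_bad_clients(lines, threshold=THRESHOLD_PER_MINUTE):
    """Return {ip: Counter({(class, type, name): hits})} for every client that
    asked the same question at least `threshold` times within one minute."""
    per_minute = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip lines that are not query records
            key = (m["minute"], m["ip"], m["cls"], m["qtype"], m["name"].lower())
            per_minute[key] += 1
    flagged = defaultdict(Counter)
    for (_minute, ip, cls, qtype, name), hits in per_minute.items():
        if hits >= threshold:
            flagged[ip][(cls, qtype, name)] += hits
    return dict(flagged)

def sample_log():
    """Constructed log lines using documentation address ranges."""
    fmt = ("17-Feb-2020 10:{m:02d}:{s:02d}.000 queries: info: client @0x7f00 "
           "{ip}#{port} ({n}): query: {n} {c} {t} +E(0) (203.0.113.1)")
    def q(m, s, ip, n, c, t):
        return fmt.format(m=m, s=s, ip=ip, port=40000 + s, n=n, c=c, t=t)
    lines = [q(15, s, "192.0.2.10", "census.gov", "IN", "ANY") for s in range(8)]
    lines += [q(16, s, "198.51.100.7", "version.bind", "CH", "TXT") for s in range(6)]
    # Ordinary resolver traffic: different names, or one name spread over minutes.
    lines += [q(17, s, "192.0.2.55", f"www{s}.example.com", "IN", "A") for s in range(3)]
    lines += [q(20 + i, 0, "192.0.2.77", "example.org", "IN", "A") for i in range(4)]
    lines.append("17-Feb-2020 10:30:00.000 general: info: reloading configuration")
    return lines

if __name__ == "__main__":
    for ip, requests in find_bad_clients(sample_log()).items():
        for (cls, qtype, name), hits in requests.most_common():
            print(f"{ip:15} {hits:5} {cls}/{qtype:4} {name}")
```

Because the count is kept per client, per question and per minute, a resolver that asks for many different names, or for one name a few times an hour, is never flagged.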
Bad Client Requests
This shows the most common requests made by each Bad Client (see above).
| Count | Request type | Request | Likely Reason |
|---|---|---|---|
| 6,049,360 | ANY | census.gov | Results in a large amount of data being returned for a very small query |
| 164,339 | ANY | . | This is a query for the root name servers, so again it results in a very large amount of data being returned in comparison to the query (a single dot) |
| 7,515 | ANY | sl | Results in a large amount of data being returned for a very small query |
| 1,513 | A | login.live.com | Results in a large amount of data being returned for a very small query |
| 228 | CH (chaos) / TXT | version.bind | Attempts to get the version of BIND running on the server so that it can be attacked with known exploits |
| 145 | ANY | vtk.be | This one was unexpected; I haven't seen it before. Again, it results in a large amount of data being returned in comparison to the query |
Requests
These are the top 10 genuine requests once the Bad Client Requests have been removed (see table above).