Hi,
I am working on a project where we are analyzing DNS logs for potential attacks. I know it's a DDoS attack, but I want to go a little deeper to get more insight into what's going on.
Can someone please give me more insight on who is attacking and who's the target here for these couple of logs:
24-Jan-2012 00:05:37.427 security: info: client 202.108.12.146#48073: query (cache) './NS/IN' denied
I know the IP address (202.108.12.146) is coming from China, and it's requesting the root server, but who is the target here? It's also a DDoS attack, but who are they targeting?
24-Jan-2012 07:22:56.921 security: info: client 66.103.64.10#2816: query (cache) './A/IN' denied
Looks the same as above, but the IP address is from L.A. and now it's ./A/IN. Same question: who is the target and what's going on?
This one is interesting:
24-Jan-2012 16:58:10.237 security: info: client 166.205.218.203#36710: query (cache) 'www.facebook.com/A/IN' denied
Does that mean Facebook is being attacked and our DNS server is being used as a botnet? I know it's denying the query because recursion is off, but still, are they targeting FB here?
I will really appreciate it if anyone can provide me more info on these three lines.
Thanks
Damon
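An added example (not part of the post above) showing how to parse these BIND `security: info: ... query (cache) ... denied` lines into fields and tally them by client and by queried name, flagging queries for the root zone (`.`). The regex, the function names and the `summarize` output layout are my own assumptions; the sample log is constructed from the three lines quoted above.

```python
import re
from collections import Counter

# Matches the BIND "query denied" line format quoted in the post:
# <timestamp> security: info: client <ip>#<port>: query (cache) '<qname>/<qtype>/<qclass>' denied
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied$"
)

# Constructed sample: the three log lines from the post.
SAMPLE_LOG = """\
24-Jan-2012 00:05:37.427 security: info: client 202.108.12.146#48073: query (cache) './NS/IN' denied
24-Jan-2012 07:22:56.921 security: info: client 66.103.64.10#2816: query (cache) './A/IN' denied
24-Jan-2012 16:58:10.237 security: info: client 166.205.218.203#36710: query (cache) 'www.facebook.com/A/IN' denied
"""


def parse_line(line):
    """Return a dict of fields for one denied-query line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text):
    """Parse a log excerpt and aggregate denied queries by client and by (qname, qtype)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    by_client = Counter(r["ip"] for r in records)
    by_qname = Counter((r["qname"], r["qtype"]) for r in records)
    # Queries for the root zone ('.') against a non-recursive server are the
    # pattern the post asks about; listing their source addresses makes it easy
    # to see whether one address repeats (a sign of a sustained probe or reflection).
    root_probes = [r["ip"] for r in records if r["qname"] == "."]
    return {
        "records": records,
        "by_client": by_client,
        "by_qname": by_qname,
        "root_probes": root_probes,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (qname, qtype), n in s["by_qname"].most_common():
        print(f"{n:4d}  {qname}/{qtype}")
    print("root-zone probes from:", ", ".join(s["root_probes"]))
```

Note that the `client` field is only the source address of the UDP packet, which can be spoofed; in a reflection attack that address may belong to the victim rather than the attacker, so the log alone cannot say who the target is.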