BIND9 negative cache after timeout.

Ladislav Vobr lvobr at ies.etisalat.ae
Tue Aug 5 04:31:04 UTC 2003


I think it's a valid point to consider caching timeouts, since it can
definitely help in many cases, be it DoS, misconfiguration or server
unreachable situations; what the impact on the code and normal
operations would be, I cannot say... Prevention is only one part of
security, we should have some way on the nameserver level too.

Ladislav


Jan Gyselinck wrote:

>On Thu, Jul 03, 2003 at 09:47:21AM +1000, Mark_Andrews at isc.org wrote:
>
>>>I won't give an answer there because I have another related question:
>>>
>>>Yes sometimes my DNS server receives queries for a A record which I am not
>>>authoritative for...  So as the query is recursive (and I allow recursion)
>>>I'm eventually talking to the authoritative server for that domain name...
>>>But that server times out...
>>>
>>>The question is: will my DNS server 'negatively cache' this hostname ?  or
>>>will it try to do the recursive job all over again ?
>>>
>>>If the last assumption is the right one then this can be an easy way to do
>>>Denial-of-service:
>>>
>>>as a hac|<er:
>>>* you register bad-domain.com and delegate it to a server and
>>>* you make sure any query times out...
>>>* you flood the victim with such recursive queries...
>>>* As it takes quite a while to resolve, you will easily and rapidly fill up
>>>the "recursive client" quota... and here we go !
>>>
>>	And it is also an easy one to prevent.  Don't have a wide
>>	open caching server.  Apply anti-spoofing filters at the
>>	IP level.
>
>It helps somewhat, but that's not preventing the problem.
>You don't need a wide open resolver to get this.  Enough
>customers that use the resolver are enough to hit this often
>enough too.
>
>>	Given the failure modes of nameservers you can't just say
>>	because a nameserver failed to respond to a particular query
>>	that it will also fail to respond to another query.  There
>>	are an effectively infinite number of ways to generate new
>>	queries that would defeat any negative cache you might have.
>
>No, you can't say that.  But what you can say is that broken
>nameservers or lost connectivity shouldn't bring your nameserver
>to a crawl.  And now that happens.  Not sure what a good solution
>is, but there are lots of stubresolvers out there that keep
>querying for the same name if it doesn't resolve (ServFail and
>friends).  Surely some caching (even if it's only 10 to
>30 seconds) would help here.  
>
>>	I'm pretty sure I could find enough addresses alone that
>>	won't respond to DNS queries to generate 1000 q/s to new
>>	nameservers with unique IP addresses and not have to reuse
>>	an address for weeks.
>
>Exactly, and I want to see the nameserver hw that can handle this
>(especially with bind9 :/).  Says enough ...
>
>
>Jan Gyselinck
>
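As an added illustration of the trade-off Jan describes above (a short cache of upstream timeouts protecting the recursive-client pool from queries for a name whose authoritative server never answers), the following Python model is not part of this thread and is not BIND code. Its slot quota, timeout values, workload and domain names are all constructed, and it models recursive-client slots only: no fetch coalescing, no retries, no EDNS or TCP fallback. It runs the same workload twice, once with no caching of timeouts and once with the failure cached for 30 seconds, and counts how many legitimate clients are refused because the pool is full.

```python
"""Toy model of a recursive resolver's recursive-client slot pool under a
stream of queries for an unresponsive zone, with and without caching the
resulting timeout (SERVFAIL) for a short while. Constructed example."""

QUOTA = 40             # recursive-client slots (constructed, far below BIND's default)
UPSTREAM_TIMEOUT = 10  # seconds a recursion to a dead server holds a slot (constructed)
NORMAL_LATENCY = 1     # seconds a normal recursion holds a slot (constructed)


def make_queries(seconds=60, per_second=5):
    """Constructed workload: each second, per_second queries for a name whose
    authoritative server never replies, then per_second legitimate queries
    for fresh names that resolve normally."""
    events = []
    for t in range(seconds):
        for _ in range(per_second):
            events.append((t, "dead.example", False))
        for i in range(per_second):
            events.append((t, f"host{t}-{i}.example.net", True))
    return events


def simulate(queries, quota=QUOTA, fail_cache_ttl=0):
    """Replay queries through the slot pool.

    fail_cache_ttl=0 means timeouts are never cached (every query for the
    dead name starts a new recursion); a positive value caches the failure
    for that many seconds from the moment the timeout is observed."""
    in_flight = []    # (finish_time, name, responsive)
    fail_cache = {}   # name -> expiry time of the cached failure
    stats = {"recursed": 0, "cached_servfail": 0, "dropped": 0, "dropped_legit": 0}
    for t, name, responsive in queries:
        # Free slots whose recursion has completed; record timeouts in the cache.
        still = []
        for finish, n, ok in in_flight:
            if finish <= t:
                if not ok and fail_cache_ttl > 0:
                    fail_cache[n] = finish + fail_cache_ttl
            else:
                still.append((finish, n, ok))
        in_flight = still
        # A cached failure is answered immediately without taking a slot.
        if fail_cache.get(name, 0) > t:
            stats["cached_servfail"] += 1
            continue
        # Pool exhausted: the client is refused, legitimate or not.
        if len(in_flight) >= quota:
            stats["dropped"] += 1
            if responsive:
                stats["dropped_legit"] += 1
            continue
        latency = NORMAL_LATENCY if responsive else UPSTREAM_TIMEOUT
        in_flight.append((t + latency, name, responsive))
        stats["recursed"] += 1
    return stats


def compare(fail_cache_ttl=30):
    """Run the constructed workload with no timeout cache and with one of
    fail_cache_ttl seconds; returns (stats_without, stats_with)."""
    q = make_queries()
    return simulate(q, fail_cache_ttl=0), simulate(q, fail_cache_ttl=fail_cache_ttl)


if __name__ == "__main__":
    without, with_cache = compare()
    print("no timeout cache  :", without)
    print("30 s timeout cache:", with_cache)
```

With these constructed numbers the uncached run refuses legitimate clients in every second once the pool fills, because each dead-name query holds a slot for the full timeout; the cached run still suffers the first burst (nothing can be cached until the first timeout has actually been observed) and again each time the cache entry expires, but between those points the dead name is answered from the cache and legitimate queries keep their slots. That matches Mark's objection as well: the cache only helps for a name that is queried repeatedly, and does nothing against queries for names that are always new.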
