BIND this easy to DOS? (nobody?)

John Little jlittle_97 at yahoo.com
Sat Jan 14 13:41:58 UTC 2006


Mark..

--- Mark de Vries <markdv.bind at asphyx.net> wrote:

> 
> Haven't seen a single response?! Am I the only one (running large
> caching servers) that occasionally runs into this problem?
> 
> On Tue, 10 Jan 2006, Mark de Vries wrote:
> >
> > Hi,
> >
> > Tonight a customer started sending ~50 q/s for A? ssh.e-swiat.be.
> >
> > Both name servers for this domain where unreachable. From a dumpdb:
> >
> > e-swiat.be.             75323   NS      ns1-be.yi.org.
> >                         75323   NS      ns2-be.yi.org.
> > ns1-be.yi.org.          75324   A       80.21.186.219
> > ns2-be.yi.org.          75324   A       82.177.34.22
> >
> > This did not stop bind from sending queries to these servers almost as
> > often as it was queried by the customer. Resulting in "no more recursive
> > clients" and degraded performance (other customers' queries being
> > dropped.)
> >
> > I believe named caches 'lame servers'? Why does it not cache unreachable
> > servers?

It does. From DNS and BIND, 4th Ed.: Since 4.9 all BIND servers implement
negative caching. If an authoritative name server responds to a query
that says the domain name or data type doesn't exist, the name server
temporarily caches that information too.

and further on:
Name servers can't cache data forever, so the administrator must decide
on a TTL for the zone. A small TTL creates lots of queries but ensures
consistency, while a large TTL reduces queries but may not be as
consistent.

All of the above was paraphrased from the book.

John



> > After a few timeouts mark the host unreachable for a certain
> > amount of time and refrain from sending queries to it. If all servers for
> > a domain are marked unreachable return SERVFAIL to the client...
> >
> > Doesn't this make it real easy to kill bind? Just setup a (sub)domain
> > with some nameservers whose IPs are unreachable, start sending queries
> > for some name in that domain like mad and wait for the number of recursive
> > clients to fill up...
> >
> > btw, I have recursive-clients set to 12500. Is there any way to see how
> > close to this limit I'm getting at times? Would be nice if 'rndc status'
> > would spit out the current number of outstanding queries.
> >
> > Regards,
> > Mark
> >
> >
> >
> 
> -- 
> 
> What's a girl like you doing in a nice place like this?
> 
> 
> 


Happiness is understanding how things work.
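An added example, not part of the thread: two small defender-side checks for the situation Mark describes, one that counts queries per (client, name) in BIND query-log lines to spot a single client hammering one name, and one that reads the "recursive clients" line of `rndc status` to see how close named is to its recursive-clients limit. The log lines and status excerpt are constructed; the "recursive clients: N/LIMIT" layout (N/SOFT/HARD on BIND 9.5 and later) is an assumption about the rndc output format.

```python
import re
from collections import Counter

# Constructed sample query-log lines (not from the thread): one client hammering
# a single name, plus one ordinary query. Layout mimics BIND 9's query log.
SAMPLE_QUERY_LOG = "\n".join(
    ["10-Jan-2006 22:13:01.000 client 192.0.2.10#%d: query: ssh.e-swiat.be IN A +"
     % (40000 + i) for i in range(120)]
    + ["10-Jan-2006 22:13:02.000 client 192.0.2.20#5353: query: www.example.net IN A +"]
)
SAMPLE_WINDOW_SECONDS = 2  # the constructed lines span a 2-second capture

# Constructed 'rndc status' excerpt; the 'recursive clients:' line is assumed to
# read N/LIMIT (BIND 9.5+ prints N/SOFT/HARD, so first and last fields are used).
SAMPLE_RNDC_STATUS = "number of zones: 3\nrecursive clients: 11875/12500\ntcp clients: 0/100\n"

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
STATUS_RE = re.compile(r"recursive clients:\s*([\d/]+)")


def query_storms(log_text, window_seconds, threshold_qps):
    """Count queries per (client, qname) over the capture window and return the
    pairs whose rate exceeds threshold_qps as {(client_ip, qname): qps}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[(m["ip"], m["qname"].lower().rstrip("."))] += 1
    return {key: n / window_seconds for key, n in counts.items()
            if n / window_seconds > threshold_qps}


def recursive_client_usage(status_text):
    """Parse the 'recursive clients' line of 'rndc status' and return
    (current, limit, current / limit), or None if the line is absent."""
    m = STATUS_RE.search(status_text)
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split("/") if x]
    current, limit = fields[0], fields[-1]
    return current, limit, current / limit


if __name__ == "__main__":
    for (ip, qname), qps in query_storms(SAMPLE_QUERY_LOG, SAMPLE_WINDOW_SECONDS, 20).items():
        print(f"storm: {ip} -> {qname} at {qps:.0f} q/s")
    cur, limit, frac = recursive_client_usage(SAMPLE_RNDC_STATUS)
    print(f"recursive clients {cur}/{limit} ({frac:.0%} of limit)")
```

Feeding real `rndc status` output and a tail of the query log into these two functions from a cron job gives the visibility Mark asks for without any change to named.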
