Vista machines DOSing our bind servers
Fr34k
freaknetboy at yahoo.com
Tue Nov 27 19:13:38 UTC 2007
Hello,
I have been seeing a lot of identical bogus queries from the same clients.
Looks like we are seeing that isatap traffic, too:
# snoop -r port 53 | grep isatap
DNS C isatap.Belkin. Internet Addr ?
DNS C isatap.Belkin. Internet Addr ?
DNS C isatap.Belkin. Internet Addr ?
DNS C isatap.Belkin. Internet Addr ?
DNS C isatap.WorkGroup. Internet Addr ?
DNS C isatap.WorkGroup. Internet Addr ?
DNS C isatap.a.domain.suffix.com. Internet Addr ?
DNS C isatap. Internet Addr ?
^C
Interesting.
It seems that tuning a few "clients-per-query" options helps to mitigate the flood of identical queries.
For example,
options {
    clients-per-query 10;      // default is 10
    max-clients-per-query 50;  // default is 100
};
See the Bv9ARM.pdf at isc.org for more about these options and what may work best for you.
Hope this helps -- Chris
----- Original Message ----
From: Kirsten Petersen <kirsten.petersen at oregonstate.edu>
To: bind-users at isc.org
Sent: Tuesday, November 27, 2007 1:00:00 PM
Subject: Vista machines DOSing our bind servers
Has anyone else seen this issue where Vista machines slam the name servers
with repeated requests for the same lookup? Yesterday, both of our name
servers were taken out of commission by a pair of Vista workstations on
our network that were each pushing almost 10Mb in DNS requests. A tcpdump
at the time showed that they were asking repeatedly for the same AAAA
record.
This has happened about 4 times to us in the past 3 weeks. Each time,
the machines were asking for different domain names, totally unrelated.
So, I don't believe there is anything special about the record itself.
The machines have been scanned for viruses and malware, of course, and
came up clean. The owners of the machines were not even present when the
incident occurred.
I have read through this thread on Educause:
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind07&L=netman&D=0&T=0&P=27697
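An added example, not part of this thread, of how a resolver operator could detect the two patterns described above from a BIND query log: one client repeating the same (name, type) query many times, as in the original report, and bursts of isatap.* lookups, as in the snoop output. The log lines below are constructed for the example; the line layout is modelled on BIND 9's query-log format ("client IP#port: query: NAME IN TYPE +") and is an assumption, as are the thresholds.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on BIND 9 query-log lines (format assumed).
# One client repeats the same AAAA query, one sends ISATAP lookups, one is normal.
SAMPLE_LOG = """\
27-Nov-2007 13:00:01.001 client 10.1.2.3#50321: query: www.example.com IN AAAA +
27-Nov-2007 13:00:01.002 client 10.1.2.3#50321: query: www.example.com IN AAAA +
27-Nov-2007 13:00:01.003 client 10.1.2.3#50321: query: www.example.com IN AAAA +
27-Nov-2007 13:00:01.004 client 10.1.2.3#50321: query: www.example.com IN AAAA +
27-Nov-2007 13:00:01.005 client 10.1.2.3#50321: query: www.example.com IN AAAA +
27-Nov-2007 13:00:01.006 client 10.1.2.3#50321: query: www.example.com IN AAAA +
27-Nov-2007 13:00:02.100 client 10.1.2.4#1024: query: isatap.Belkin IN A +
27-Nov-2007 13:00:02.200 client 10.1.2.4#1024: query: isatap.Belkin IN A +
27-Nov-2007 13:00:02.300 client 10.1.2.4#1024: query: isatap.WorkGroup IN A +
this line is deliberately malformed and must be skipped by the parser
27-Nov-2007 13:00:03.000 client 10.1.2.5#3301: query: mail.example.org IN MX +
27-Nov-2007 13:00:03.500 client 10.1.2.5#3302: query: www.example.org IN A +
"""

# Assumed query-log layout: "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return a list of (client_ip, qname, qtype) tuples; unparseable lines are dropped.
    qname is lower-cased and stripped of a trailing dot so case/format variants count as one."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        qname = m.group("qname").lower().rstrip(".")
        records.append((m.group("ip"), qname, m.group("qtype").upper()))
    return records


def find_repeat_offenders(records, threshold):
    """Map client_ip -> [(qname, qtype, count), ...] for every client that sent the
    same (qname, qtype) at least `threshold` times; hits are sorted by count, descending.
    This is the 'same AAAA record over and over' pattern from the original report."""
    per_client = defaultdict(Counter)
    for ip, qname, qtype in records:
        per_client[ip][(qname, qtype)] += 1
    offenders = {}
    for ip, counter in per_client.items():
        hits = [(q, t, n) for (q, t), n in counter.items() if n >= threshold]
        if hits:
            offenders[ip] = sorted(hits, key=lambda h: -h[2])
    return offenders


def count_isatap_queries(records):
    """Count per-client lookups whose name is 'isatap' or starts with 'isatap.',
    i.e. the ISATAP router-discovery names seen in the snoop output above."""
    counts = Counter()
    for ip, qname, _qtype in records:
        if qname == "isatap" or qname.startswith("isatap."):
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} query records")
    for ip, hits in find_repeat_offenders(recs, threshold=5).items():
        for qname, qtype, n in hits:
            print(f"repeat offender {ip}: {qname} {qtype} x{n}")
    for ip, n in count_isatap_queries(recs).most_common():
        print(f"isatap lookups from {ip}: {n}")
```

The thresholds are the knob to tune: a client that repeats one (name, type) pair hundreds of times inside a few seconds is the case that clients-per-query and max-clients-per-query are meant to bound, while a handful of isatap.* queries per client is normal Windows behaviour and only worth noting when the volume is out of proportion.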