Blocking DoS on Bind9 - BIND mitigating abuseware traffic

Fr34k freaknetboy at
Fri Sep 7 15:55:05 UTC 2007

Mark Andrews <Mark_Andrews at> wrote:
> > Hello List,
> > What other tips/suggestions/options do we have to help deal with abuseware
> > traffic?
> > I am aware of limiting recursive queries to authorized hosts via
> > allow-query/allow-recursion, which is helpful in limiting exposure. However,
> > consider authorized hosts.
> > For example, spam sending zombie PCs making hundreds/thousands of MX queries
> > in minutes. Until such machines are inoculated, how can BIND be tweaked so
> > such traffic does not compromise legitimate queries?
> > Note that this is just an example and I am open to any suggestions.
> > Thank you -- Chris
>
> Put the machine in a walled garden. Give it its own resolver
> to share with all the rest of the machines in the walled garden.
> That way it is not causing your other customers problems and it
> is not causing the rest of the world problems either.
>
> Just about all ISPs have clauses in their AUPs against this sort
> of thing. They really should be exercised.

As I understand it, this would mean such an abusive machine was identified, then put into a walled garden, and additional provisioning to do so would be required beyond BIND, correct?
Great idea.
What if we expand on this a bit.
What suggestions/options do folks suggest to mitigate such traffic before putting such an abusive machine into a walled garden?
> Mark Andrews wrote:
> > The Doctor wrote:
> > > Just wondering what methods can be used to stop DoS attacks
> > > such as half-open connection overload on port 53 using named.conf ?
> > > 
> > Neither BIND nor any purely user-space app can really prevent "half-open 
> > connection overload"s (are you trying to describe SYN flooding?), since 
> > they don't even see the incoming connection until and unless it's fully 
> > established.
> > 
> > You'd need something with deeper hooks into the TCP/IP stack, or a 
> > separate device, in order to prevent those.
> > 
> > It should be noted that most normal DNS traffic uses UDP not TCP. Unless 
> > you're serving up a lot of huge RRsets that necessitate TCP retries, it 
> > should be fairly easy to set, within your Intrusion Prevention device or 
> > firewall, a reasonable threshold on SYN packets incoming to port 53. You 
> > might want to make exceptions, of course, for slaves that use the 
> > standard AXFR/IXFR-based method for replication of zone data, since that 
> > uses TCP as well (IXFR can use UDP, but will fail over to AXFR under 
> > certain circumstances, that's why I lump them together).
> > 
> > - Kevin
> Named will also, by default, use the "dataready" accept
> filter if it is available. There has also been some work
> done on a "dnsready" accept filter. The listen queue length
> is also controllable from named.conf (tcp-listen-queue).
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at
