Bind vs flood

Peter Andreev andreev.peter at gmail.com
Thu Feb 27 07:51:25 UTC 2014


Hi Dmitry,

If your problem is a lot of strange queries, then there is two ways:

1. You operate an open resolver. If you can - restrict it to a limited
scope of clients, otherwise the only way you can lower number of incoming
queries is DPI;
2. You operate a non-open resolver. Then you can find who sending these
queries and ask them to stop.




2014-02-27 9:59 GMT+04:00 Dmitry Rybin <kirgudu at corbina.net>:

> Over 2 weeks ago begins flood. A lot of queries:
>
> niqcs.www.84822258.com
> vbhea.www.84822258.com
> abpqeftuijklm.www.84822258.com
> adcbefmzidmx.www.84822258.com
> and many others.
>
> Bind answers with "Server failure". On high load (4 qps) all normal client
> can get Servfail on good query. Or query can execute more 2-3 second.
>
> Recursion clients via "rnds status" 300-500.
>
> I can try to use rate limit:
>         rate-limit {
>                 nxdomains-per-second 10;
>                 errors-per-second 10;
>                 nodata-per-second 10;
>         };
> I do not see an any improvement.
>
> Found one exit in this situation, add flood zones local.
>
> What can we do in this situation?
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>



-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140227/2dbedb1c/attachment.html>


More information about the bind-users mailing list