<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Dmitry,<br>
<br>
We observed that similar requests are landing on our cache
resolver mostly from various home routers running dns server as
open resolver and that also masquerades the original request
source. <br>
We have a collection of ~60 domains involved and most of them are
related to China. The problem is that attacker selects few domains
and generates queries with random hostnames which therefore are
not in the cache and server has to perform recursion for each
query. So each query will consume one udp or tcp socket for at
least 10 seconds because remote DNS server is responding slowly or
is down and based on a query volume it can effectively overload
the cache server. <br>
<br>
Initially we thought we could fix it with "
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
resolver-query-timeout", but after bind code analysis it seems
that everything less that 10 seconds would be ignored, it would be
great to mention this in the documentation. <br>
So one solution is to change MINIMUM_QUERY_TIMEOUT in resolver.c
and recompile named, but it would be nice to understand why 10
seconds as minimum value were selected in the first place, see
/lib/dns/resolver.c<br>
<br>
#define MAX_SINGLE_QUERY_TIMEOUT 9U<br>
#define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U) <br>
<br>
....snip....<br>
<br>
void<br>
dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int
seconds) {<br>
REQUIRE(VALID_RESOLVER(resolver));<br>
if (seconds == 0)<br>
seconds = DEFAULT_QUERY_TIMEOUT;<br>
if (seconds > MAXIMUM_QUERY_TIMEOUT)<br>
seconds = MAXIMUM_QUERY_TIMEOUT;<br>
if (seconds < MINIMUM_QUERY_TIMEOUT)<br>
seconds = MINIMUM_QUERY_TIMEOUT;<br>
resolver->query_timeout = seconds;<br>
}<br>
<br>
We also tried to create local dummy zones for all these domains
but since domains change frequently we started to block most
active open resolvers and coordinate with local CERT.<br>
<br>
It would be nice to have some kind of rate limits for query volume
of different hosts inside a single zone.<br>
<br>
Best regards,<br>
<br>
Ivo<br>
<br>
<br>
On 2/27/14 7:59 AM, Dmitry Rybin wrote:<br>
</div>
<blockquote cite="mid:530ED45B.4060600@corbina.net" type="cite">Over
2 weeks ago begins flood. A lot of queries:
<br>
<br>
niqcs.www.84822258.com
<br>
vbhea.www.84822258.com
<br>
abpqeftuijklm.www.84822258.com
<br>
adcbefmzidmx.www.84822258.com
<br>
and many others.
<br>
<br>
Bind answers with "Server failure". On high load (4 qps) all
normal client can get Servfail on good query. Or query can execute
more 2-3 second.
<br>
<br>
Recursion clients via "rnds status" 300-500.
<br>
<br>
I can try to use rate limit:
<br>
rate-limit {
<br>
nxdomains-per-second 10;
<br>
errors-per-second 10;
<br>
nodata-per-second 10;
<br>
};
<br>
I do not see an any improvement.
<br>
<br>
Found one exit in this situation, add flood zones local.
<br>
<br>
What can we do in this situation?
<br>
_______________________________________________
<br>
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to
unsubscribe from this list
<br>
<br>
bind-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
<br>
</blockquote>
<br>
<br>
</body>
</html>