<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi</p>
<p>You might use in /etc/bind/named.conf.options, e.g.<br>
</p>
<p>rate-limit { responses-per-second 10; nxdomains-per-second 2;
errors-per-second 5; }; </p>
<p>That is, with values below default, as your BIND is already rate
limiting, as shown in the logs.</p>
<p>You might also shorten the default window of observance, which is
15 seconds, maybe too long for your link saturation problem.<br>
</p>
<p>For more options see
<a class="moz-txt-link-freetext"
href="https://bind9.readthedocs.io/en/v9.18.19/reference.html#namedconf-statement-rate-limit"
moz-do-not-send="true">https://bind9.readthedocs.io/en/v9.18.19/reference.html#namedconf-statement-rate-limit</a></p>
<p>Regards,</p>
<p>Carlos Horowicz<br>
Planisys<br>
</p>
<div class="moz-cite-prefix">On 02/11/2023 05:58, Mosharaf Hossain
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACyNhXJQ4ZQAwR1yUx56f+UrPAaWNCzypkn_dmjwLptibdgYGA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,sans-serif;font-size:small;color:#000000">Hello
Folks<br>
</div>
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,sans-serif;font-size:small"><font
color="#000000">I have come
across a challenge with our BIND
nameserver, specifically related
to a "</font><b style=""><font
color="#ff0000">DNS NXDOMAIN
flood</font></b><font
color="#000000">" problem.
Despite upgrading the BIND
version from 9.10 to 9.18, the
issue persists.</font><br>
<br>
<font color="#000000">The attack
originates from an external
network, and it periodically
saturates our entire internet
bandwidth. While we've
implemented various measures to
combat the attack, it continues
to be a significant problem,
rendering our DNS server
incapable of resolving queries
during these onslaughts.</font><br>
</div>
<div class="gmail_default"
style="font-family:arial,sans-serif;font-size:small;color:rgb(0,0,0)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,sans-serif;font-size:small;color:rgb(0,0,0)">Current
DNS server spec: </div>
<div class="gmail_default"
style="font-family:arial,sans-serif;font-size:small;color:rgb(0,0,0)">OS
Debian 12</div>
<div class="gmail_default"
style="font-family:arial,sans-serif;font-size:small;color:rgb(0,0,0)">BIND: BIND
9.18.19-1~deb12u1-Debian (Extended
Support Version) <id:></div>
<div class="gmail_default"
style="font-family:arial,sans-serif;font-size:small;color:rgb(0,0,0)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,sans-serif;font-size:small;color:rgb(0,0,0)"><b><u>DNS
NXDOMAIN flood Sample log</u>:<br>
</b></div>
<div class="gmail_default"
style="font-family:arial,sans-serif;font-size:small;color:rgb(0,0,0)">Nov
02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7d2c1768 47.74.84.139#28827 (bearnote.primebank.com.bd): rate limit drop NXDOMAIN response to 47.74.84.0/24 for primebank.c><br>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce720cdd68 192.221.176.14#34882 (2014-06-24.pRiMEBANK.cOM.BD): rate limit drop NXDOMAIN response to 192.221.176.0/24 for prim><br>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce65cb9d68 74.125.187.132#53017 (HUbBY.PRimEBaNK.cOm.bD): rate limit drop NXDOMAIN response to 74.125.187.0/24 for primebank.><br>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce90fdb768 172.217.47.5#65160 (GEoVIsIOn.PrimeBAnk.COm.bD): rate limit drop NXDOMAIN response to 172.217.47.0/24 for primeban><br>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce99901b68 77.59.227.211#61265 (lanyware.primebank.com.bd): rate limit slip NXDOMAIN response to 77.59.227.0/24 for primebank><br>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7ee5cd68 1.20.200.152#37953 (debianmeetingresume200809-kansai.primebank.com.bd): rate limit slip NXDOMAIN response to 1.20.><br>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce69846968 162.158.207.78#44948 (stacking.primebank.com.bd): rate limit drop NXDOMAIN response to 162.158.207.0/24 for primeb><br>
<br>
</div>
<br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Regards<br clear="all">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"
style="color:rgb(34,34,34)"><span style="font-size:10pt"><font
face="trebuchet
ms,
sans-serif"
color="#000000">Mosharaf
Hossain</font></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
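<p>Added example, not part of the original thread: one way to check what the rate limiter is doing before and after changing the <code>rate-limit</code> values is to summarise the "rate limit drop/slip" lines per client block and per parent name. The sample log is constructed (documentation addresses, example.com names); the /24 and /56 fallback prefix lengths are assumed to be BIND's defaults, and the function names are hypothetical.</p>

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the log excerpt quoted in this thread
# (documentation addresses, example.com names, journal-truncated tails).
SAMPLE_LOG = """\
Nov 02 09:00:23 ns1 named[4242]: client @0x7f0000000001 192.0.2.10#28827 (bearnote.example.com): rate limit drop NXDOMAIN response to 192.0.2.0/24 for example.c>
Nov 02 09:00:23 ns1 named[4242]: client @0x7f0000000002 198.51.100.14#34882 (2014-06-24.eXaMPLE.cOM): rate limit drop NXDOMAIN response to 198.51.100.0/24 for exam>
Nov 02 09:00:23 ns1 named[4242]: client @0x7f0000000003 192.0.2.77#53017 (HUbBY.ExamPLE.cOm): rate limit slip NXDOMAIN response to 192.0.2.0/24 for example.>
Nov 02 09:00:23 ns1 named[4242]: client @0x7f0000000004 203.0.113.152#37953 (a-very-long-random-label-200809.example.com): rate limit slip NXDOMAIN response to 203.0.>
Nov 02 09:00:24 ns1 named[4242]: client @0x7f0000000005 203.0.113.9#5353 (www.example.com): query: www.example.com IN A +E(0)
"""

RRL = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rate limit (?P<action>drop|slip) (?P<kind>\S+) response"
    r"(?: to (?P<prefix>[0-9A-Fa-f.:]+/\d+))?")

def client_block(ip, logged):
    """Use the logged prefix; if the journal cut it off, rebuild it from the client
    address with BIND's default RRL prefix lengths (assumed: /24 IPv4, /56 IPv6)."""
    if logged:
        return logged
    addr = ipaddress.ip_address(ip)
    return str(ipaddress.ip_network(f"{ip}/{24 if addr.version == 4 else 56}", strict=False))

def summarize(text):
    actions, blocks, labels = Counter(), Counter(), defaultdict(set)
    for line in text.splitlines():
        m = RRL.search(line)
        if not m:
            continue  # not a rate-limit line
        actions[(m["action"], m["kind"])] += 1
        blocks[client_block(m["ip"], m["prefix"])] += 1
        # Query names arrive in mixed case, so fold case before grouping.
        label, _, parent = m["qname"].lower().rstrip(".").partition(".")
        labels[parent].add(label)
    distinct = {parent: len(seen) for parent, seen in labels.items()}
    return {"actions": dict(actions), "blocks": dict(blocks), "distinct_labels": distinct}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

<p>Many distinct leftmost labels under one parent name, spread over many client blocks, is the pattern the quoted log shows; rerunning the summary after a configuration change shows how the drop and slip counts moved.</p>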
</body>
</html>