BIND this easy to DOS? (nobody?)

paul at vix.com
Sun Jan 15 21:36:49 UTC 2006


(moving this from -users to -workers)

i think this may be the wrong approach.  if no servers for a zone are
reachable, then the zone isn't reachable.  using a larger RTT estimate
to record this condition means two bad things-- (1) large delays for
our clients and therefore greater client quota usage, and (2) more state
held by us to rediscover what we already know.

i think that if a server has been timing out consistently, we can stop
asking it anything at all for a period of minutes or even hours, and
that if all servers for a zone are in that condition, we can instantly
answer SERVFAIL.

re:

# From: Mark Andrews <Mark_Andrews at isc.org>
# Newsgroups: comp.protocols.dns.bind
# Subject: Re: BIND this easy to DOS? (nobody?)
# Date: Sun, 15 Jan 2006 11:19:35 +1100
# Organization: none
# Sender: news at isc.org
# X-Original-Message-ID: <200601150019.k0F0JZxW053239 at drugs.dv.isc.org>
# X-Cc: comp-protocols-dns-bind at isc.org
# 
# > In article <dqavbp$2n85$1 at sf1.isc.org>,
# >  John Little <jlittle_97 at yahoo.com> wrote:
# > 
# > > > > I believe named caches 'lame servers'? Why does it not cache
# > > > > unreachable servers?
# > > 
# > > It does. From DNS and Bind 4th Ed-Since 4.9 all Bind servers implement
# > > negative caching..if an authoritative name server responds to a query
# > > that says the domain name or datatype doesn't exist the name server
# > > temporarily caches that information too.
# > > 
# > > and further on:
# > > 
# > > Name servers can't cache data forever so the administrator must decide
# > > on a TTL for the zone.  A small ttl creates lots of queries but ensures
# > > consistency while a large ttl reduces queries but may not be as
# > > consistent.
# > > 
# > > All of the above was paraphrased from the book.
# > 
# > Neither of those paragraphs addresses the problem the OP wrote about.
# > He's not getting *any* response from the nameservers, so there's no
# > negative response to cache.
# > 
# > I believe he's absolutely correct.  BIND doesn't cache the fact that a
# > particular server is non-responsive, so that it shouldn't bother trying to
# > query it at all.
# 
# 	Actually it adjusts the RTT estimate (modulo bugs).  It also collapses
# 	all the external queries into one query internally.  It should get
# 	down to about 1 external query every 10 seconds for the
# 	<qname,qtype,qclass> tuple independent of the query load when talking
# 	to non-responsive servers.
# 
# 	BIND 9.4.0 also has dynamic per <qname,qtype,qclass> client limits in
# 	addition to the overall recursive clients limit.
# 
# 	Depending upon the version of named he is running at 500 q/s * 90
# 	(current 30) seconds (after which named gives up) he needs recursive
# 	clients depths of 45000 (current 15000).
# 
# 	Mark
# 
# > -- 
# > Barry Margolin, barmar at alum.mit.edu
# > Arlington, MA
# > *** PLEASE post questions in newsgroups, not directly to me ***
# > *** PLEASE don't copy me on replies, I'll read them in the group ***
# --
# Mark Andrews, ISC
# 1 Seymour St., Dundas Valley, NSW 2117, Australia
# PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
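The policy proposed above (hold a consistently timing-out server down for a period, and answer SERVFAIL at once when every server for a zone is held down) and Mark's recursive-clients arithmetic, as an added simulation that is not BIND code; the threshold, hold-down length, zone and server names are constructed assumptions:

```python
"""Resolver-side handling of non-responsive authoritative servers (illustration, not BIND)."""
from dataclasses import dataclass, field

TIMEOUT_THRESHOLD = 3    # consecutive timeouts before a server is held down (assumption)
HOLDDOWN_SECONDS = 600   # how long to stop querying a held-down server (assumption)


@dataclass
class ServerState:
    consecutive_timeouts: int = 0
    held_down_until: float = 0.0   # absolute time; 0 means not held down


@dataclass
class Resolver:
    zone_servers: dict                       # zone -> list of server names (constructed)
    state: dict = field(default_factory=dict)  # server name -> ServerState

    def _st(self, server):
        return self.state.setdefault(server, ServerState())

    def record_timeout(self, server, now):
        """A query to `server` timed out at time `now`; hold it down after enough in a row."""
        st = self._st(server)
        st.consecutive_timeouts += 1
        if st.consecutive_timeouts >= TIMEOUT_THRESHOLD:
            st.held_down_until = now + HOLDDOWN_SECONDS

    def record_response(self, server):
        """Any answer from `server` clears its timeout history and hold-down."""
        st = self._st(server)
        st.consecutive_timeouts = 0
        st.held_down_until = 0.0

    def usable_servers(self, zone, now):
        """Servers for `zone` that are not currently held down."""
        return [s for s in self.zone_servers[zone] if self._st(s).held_down_until <= now]

    def resolve(self, zone, now):
        """Return 'SERVFAIL' instantly when no server is usable, else the server to try first."""
        usable = self.usable_servers(zone, now)
        return "SERVFAIL" if not usable else usable[0]


def recursive_clients_needed(queries_per_second, give_up_seconds):
    """Recursive-client slots a non-responsive zone ties up: Mark's 500 q/s * 90 s = 45000."""
    return queries_per_second * give_up_seconds
```

Without the hold-down, each of those 45000 slots is occupied by a client waiting the full give-up period for a server already known to be dead; with it, the same load is answered immediately and holds no state beyond one entry per server.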