BIND this easy to DOS? (nobody?)

Mark Andrews Mark_Andrews at isc.org
Sun Jan 15 23:00:11 UTC 2006


> (moving this from -users to -workers)
> 
> i think this may be the wrong approach.  if no servers for a zone are
> reachable, then the zone isn't reachable.  using a larger RTT estimate
> to record this condition means two bad things-- (1) large delays for
> our clients and therefore greater client quota usage, and (2) more state
> held by us to rediscover what we already know.
> 
> i think that if a server has been timing out consistently, we can stop
> asking it anything at all for a period of minutes or even hours, and
> that if all servers for a zone are in that condition, we can instantly
> answer SERVFAIL.

	How long are you willing to wait for external DNS to start
	working after the broken link connecting you to the rest to
	the world comes up?
 
> re:
> 
> # From: Mark Andrews <Mark_Andrews at isc.org>
> # Newsgroups: comp.protocols.dns.bind
> # Subject: Re: BIND this easy to DOS? (nobody?)
> # Date: Sun, 15 Jan 2006 11:19:35 +1100
> # Organization: none
> # Sender: news at isc.org
> # X-Original-Message-ID: <200601150019.k0F0JZxW053239 at drugs.dv.isc.org>
> # X-Cc: comp-protocols-dns-bind at isc.org
> # 
> # > In article <dqavbp$2n85$1 at sf1.isc.org>,
> # >  John Little <jlittle_97 at yahoo.com> wrote:
> # > 
> # > > > > I believe named caches 'lame servers'? Why does it not cache
> # > > > > unreachable servers?
> # > > 
> # > > It does. From DNS and Bind 4th Ed-Since 4.9 all Bind servers implement
> # > > negative caching..if an authoritative name server responds to a query
> # > > that says the domain name or datatype doesn't exist the name server
> # > > temporarily caches that information too.
> # > > 
> # > > and further on:
> # > > 
> # > > Name servers can't cache data forever so the administrator must decide
> # > > on a TTL for the zone.  A small ttl creates lots of queries but ensures
> # > > consistency while a large ttl reduces queries but may not be as
> # > > consistent.
> # > > 
> # > > All of the above was paraphrased from the book.
> # > 
> # > Neither of those paragraphs addresses the problem the OP wrote about.
> # > He's not getting *any* response from the nameservers, so there's no
> # > negative response to cache.
> # > 
> # > I believe he's absolutely correct.  BIND doesn't cache the fact that a
> # > particular server is non-responsive, so that it shouldn't bother trying to
> # > query it at all.
> # 
> # 	Actually it adjusts the RTT estimate (modulo bugs).  It also collapses
> # 	all the external queries into one query internally.  It should get
> # 	down to about 1 external query every 10 seconds for the
> # 	<qname,qtype,qclass> tuple independent of the query load when talking
> # 	to non-responsive servers.
> # 
> # 	BIND 9.4.0 also has dynamic per <qname,qtype,qclass> client limits in
> # 	addition to the overall recursive clients limit.
> # 
> # 	Depending upon the version of named he is running at 500 q/s * 90
> # 	(current 30) seconds (after which named gives up) he needs recursive
> # 	clients depths of 45000 (current 15000).
> # 
> # 	Mark
> # 
> # > -- 
> # > Barry Margolin, barmar at alum.mit.edu
> # > Arlington, MA
> # > *** PLEASE post questions in newsgroups, not directly to me ***
> # > *** PLEASE don't copy me on replies, I'll read them in the group ***
> # --
> # Mark Andrews, ISC
> # 1 Seymour St., Dundas Valley, NSW 2117, Australia
> # PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
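The two designs argued over above, as an added toy model that is not part of this thread and not BIND's code: one coalesced fetch per <qname,qtype,qclass> tuple that keeps probing every 10 seconds ("coalesce", roughly the behaviour Mark describes), versus marking a server dead after a few consecutive timeouts and answering SERVFAIL instantly while every server for the zone is dead ("deadmark", the proposal Mark is replying to). The simulation uses one second ticks, a single tuple, two authoritative servers, and a link that comes back at a chosen time; the parameter names, the 3-timeout dead threshold, the 600-second hold-down and the recovery metric are all assumptions made for the illustration. It reproduces the 500 q/s * 30 s = 15000 recursive-clients figure from the message and shows the cost Mark asks about: how long after the link returns before anyone gets an answer.

```python
"""Toy model of a recursive resolver facing unreachable authoritative servers.

Assumed model, not BIND internals: time advances in 1 s ticks, all incoming
queries are for one <qname,qtype,qclass> tuple, and a single coalesced fetch
sends at most one external query per retry_interval regardless of client load.
"""


def required_recursive_clients(qps, client_timeout_s):
    """Little's law: in-flight clients = arrival rate * time each one waits.

    With nothing answering, every client waits the full resolver timeout."""
    return qps * client_timeout_s


def simulate(strategy, qps, client_timeout, duration, link_up_at,
             retry_interval=10, dead_after=3, holddown=600):
    """Run `strategy` ("coalesce" or "deadmark") and return summary stats.

    - coalesce: keep one probe per retry_interval going while clients wait;
      clients that wait longer than client_timeout get SERVFAIL.
    - deadmark: additionally mark a server dead for `holddown` seconds after
      `dead_after` consecutive timeouts; if all servers are dead, new clients
      get SERVFAIL immediately without consuming a recursive-client slot.
    """
    assert strategy in ("coalesce", "deadmark")
    servers = [{"fails": 0, "dead_until": -1} for _ in range(2)]  # two NS for the zone
    waiting = []        # arrival times of clients parked on the one coalesced fetch
    next_probe = 0      # earliest tick at which another external query may go out
    rr = 0              # round-robin cursor over live servers
    stats = {"external_queries": 0, "peak_clients": 0, "servfail": 0,
             "answered": 0, "first_answer": None, "recovery_delay": None}

    for t in range(duration):
        live = [s for s in servers if s["dead_until"] <= t]

        # New clients arrive at a constant rate for the whole run.
        if strategy == "deadmark" and not live:
            stats["servfail"] += qps            # instant SERVFAIL, no slot held
        else:
            waiting.extend([t] * qps)

        # Clients that have waited client_timeout seconds give up with SERVFAIL.
        still = [a for a in waiting if t - a < client_timeout]
        stats["servfail"] += len(waiting) - len(still)
        waiting = still
        stats["peak_clients"] = max(stats["peak_clients"], len(waiting))

        # One external query per retry_interval for this tuple, load-independent.
        if waiting and t >= next_probe and live:
            srv = live[rr % len(live)]
            rr += 1
            stats["external_queries"] += 1
            next_probe = t + retry_interval
            if t >= link_up_at:                 # link is back: the probe succeeds
                srv["fails"] = 0
                stats["answered"] += len(waiting)
                if stats["first_answer"] is None:
                    stats["first_answer"] = t
                    stats["recovery_delay"] = t - link_up_at
                waiting = []
            else:                               # link still down: probe times out
                srv["fails"] += 1
                if strategy == "deadmark" and srv["fails"] >= dead_after:
                    srv["dead_until"] = t + holddown
                    srv["fails"] = 0
    return stats


if __name__ == "__main__":
    print("recursive-clients needed at 500 q/s, 90 s timeout:",
          required_recursive_clients(500, 90))
    print("recursive-clients needed at 500 q/s, 30 s timeout:",
          required_recursive_clients(500, 30))
    for name in ("coalesce", "deadmark"):
        s = simulate(name, qps=500, client_timeout=30, duration=700, link_up_at=305)
        print(name, s)
```

With the constructed parameters both strategies hit the same 15000 peak of parked clients before the dead-marking kicks in, because until the servers are declared dead every client still waits out the full timeout; after that, "deadmark" sends far fewer external queries and holds no slots, but it does not notice the link is back until the hold-down expires, which is the delay Mark's question points at.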