Domain non-existent / flooding attack
Mark_Andrews at isc.org
Fri Aug 13 03:01:15 UTC 1999
> Thanks to all who answered my question. I really appreciate it.
>
> But Mark, I find it hard to believe that luck has something to do with it.
> After all, the reasoning is that if I had not increased the gov.sg zone s/no
> then none of the other DNSes would have reason to do another zone transfer.
>
> Unless you are saying that previously I updated the gov.sg zone and also
> some time later I updated the sgnews zone s./no but all the other ISPs
> picked it up and except for pridns.ncs.com.sg which was slow in doing so ?
> Then when it did pick it up, the sgnews was already added ? I certainly hope
> that this is the reason....
When I checked all but for pridns.gov.sg and secdns.gov.sg
were returning NXDOMAIN (from memory the gov.sg serial #
was 199908020?, all the servers had the same serial).
This is consistent with configuring the servers for sgnews.gov.sg
but not updating the parent.
sg. 1d8h4m10s IN NS AUTH02.NS.UU.NET.
sg. 1d8h4m10s IN NS DNSSEC1.SINGNET.COM.sg.
sg. 1d8h4m10s IN NS DS.NIC.NET.sg.
sg. 1d8h4m10s IN NS NS.RIPE.NET.
sg. 1d8h4m10s IN NS NS1.PACIFIC.NET.sg.
gov.sg. 1h3m26s IN NS ns1.pacific.net.sg.
gov.sg. 1h3m26s IN NS ns2.pacific.net.sg.
gov.sg. 1h3m26s IN NS dnssec1.singnet.com.sg.
gov.sg. 1h3m26s IN NS dnssec2.singnet.com.sg.
gov.sg. 1h3m26s IN NS secdns.cyberway.com.sg.
gov.sg. 1h3m26s IN NS ds.nic.net.sg.
gov.sg. 1h3m26s IN NS pridns.gov.sg.
gov.sg. 1h3m26s IN NS secdns.gov.sg.
sgnews.gov.sg. 6H IN NS secdns.gov.sg.
sgnews.gov.sg. 6H IN NS pridns.gov.sg.
Luck has to do with which of the sg and gov.sg servers were
picked when you try to lookup sgnews.gov.sg. You have an
85% chance of getting a NXDOMAIN if the server had no
history of the RTTs.
For a sg site which hadn't looked up a gov.sg domain the
probability approaches 1 that you would get a NXDOMAIN as
the RTT times would select dnssec1.singnet.com.sg and
ns1.pacific.net.sg. For sites which had looked up a gov.sg
domain in the past there was a 75% chance of getting a
NXDOMAIN.
>
> BTW, Mark I understand that there has been concern over a flooding attack on
> DNS servers via udp port 53. Is there a fix yet for this ?
There is a configuration advisory being prepared. The only real
fix is for ISPs to police their customers and block packets with
source addresses that don't belong to the customer. Good ISPs
already do this to prevent other spoof source address based
attacks.
>
> thanks for your help.
Mark
>
>
> >From: marka at isc.org
> >To: "John Tan" <d_name at hotmail.com>
> >CC: bind-users at isc.org, phil46 at pacific.net.sg
> >Subject: Re: Domain non-existent
> >Date: Fri, 13 Aug 1999 07:32:44 +1000
> >
> > > Thanks again Mark. You're very helpful. But one question though :
> > > If that were the case, then why is pridns.ncs.com.sg able to successfully
> > > query my DNS for the info while the others were not ?
> >
> > Luck. There are 8 servers for gov.sg, 2 of which know the zone
> > exists. Once you learn about the zone you have to wait for the
> > NS records to expire before you have to look it up again.
> >
> > Mark
> > >
> > >
> > > >From: marka at isc.org
> > > >To: "John Tan" <d_name at hotmail.com>
> > > >CC: bind-users at isc.org, phil46 at pacific.net.sg
> > > >Subject: Re: Domain non-existent
> > > >Date: Thu, 12 Aug 1999 22:42:38 +1000
> > > >
> > > > The problem is that the parent domain (gov.sg) has not been
> > > > updated. While both pridns.gov.sg and secdns.gov.sg know about
> > > > sgnews.gov.sg as they are also servers for sgnews.gov.sg the
> > > > rest of the servers for gov.sg do not and hence the NXDOMAINs.
> > > >
> > > > The gov.sg zone needs to be updated and pushed to the
> > > > secondaries.
> > > >
> > > > Mark
> > > > >
> > > > > Hi all
> > > > >
> > > > > I have a problem. From the dns server pridns.gov.sg, I am able to query
> > > > > sgnews.gov.sg domain. from pridns.ncs.com.sg it is also ok.
> > > > > but from other dns servers eg. pridns.cyberway.com.sg it does not work. The
> > > > > ttl is 6 hours and I have already incremented the serial no.
> > > > > and it is long after 6 hours. Am I paranoid or should I wait longer ?
> > > > > Previously I had already incremented the s/no but just did it again today..
> > > > > MY DNS logs show no errors on both primary and sec.
> > > > >
> > > > > below is the output :
> > > > >
> > > > > >sgnews.gov.sg.
> > > > > Server: pridns.cyberway.com.sg
> > > > > Address: 203.116.1.78
> > > > >
> > > > > *** pridns.cyberway.com.sg can't find sgnews.gov.sg.:Non-existent host/domain
> > > > > >server pridns.ncs.com.sg.
> > > > > Default Server: pridns.ncs.com.sg
> > > > > Address: 203.116.16.16
> > > > >
> > > > > >sgnews.gov.sg.
> > > > > Server: pridns.ncs.com.sg
> > > > > Address: 203.116.16.16
> > > > >
> > > > > Non-authoritative answer:
> > > > > sgnews.gov.sg
> > > > > origin = pridns.gov.sg
> > > > > mail address = root.pridns.gov.sg
> > > > > serial = 1999081201
> > > > > refresh = 14400 (4H)
> > > > > retry = 7200 (2H)
> > > > > expire = 604800 (1W)
> > > > > minimum ttl = 21600 (6H)
> > > > > sgnews.gov.sg nameserver = pridns.gov.sg
> > > > > sgnews.gov.sg nameserver = secdns.gov.sg
> > > > > sgnews.gov.sg preference = 10, mail exchanger = hydra.gov.sg
> > > > > sgnews.gov.sg preference = 20, mail exchanger = medusa.internet.gov.sg
> > > > >
> > > > > Authoritative answers can be found from:
> > > > > sgnews.gov.sg nameserver = pridns.gov.sg
> > > > > sgnews.gov.sg nameserver = secdns.gov.sg
> > > > > pridns.gov.sg internet address = 160.96.179.4
> > > > > secdns.gov.sg internet address = 160.96.128.4
> > > > > hydra.gov.sg internet address = 160.96.179.6
> > > > > medusa.internet.gov.sg internet address = 160.96.179.7
> > > > > >
> > > > >
> > > > >
> > > > > ______________________________________________________
> > > > > Get Your Private, Free Email at http://www.hotmail.com
> > > > >
> > > > >
> > > >--
> > > >Mark Andrews, Internet Software Consortium
> > > >1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > >PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> > >
> > >
> > >
> >--
> >Mark Andrews, Internet Software Consortium
> >1 Seymour St., Dundas Valley, NSW 2117, Australia
> >PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
>
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
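
Added example (not part of the original message, and not ISC code): a small Python check that parses the NS records quoted in the reply above and reports which gov.sg servers would mask a missing sgnews.gov.sg delegation and which would return NXDOMAIN. The function names and the uniform pick among the parent's servers are assumptions made for the illustration.

```python
# Added illustration, not code from the thread. NS records copied from the
# message above; the uniform server pick is an assumption (no RTT history).
RECORDS = """\
gov.sg. 1h3m26s IN NS ns1.pacific.net.sg.
gov.sg. 1h3m26s IN NS ns2.pacific.net.sg.
gov.sg. 1h3m26s IN NS dnssec1.singnet.com.sg.
gov.sg. 1h3m26s IN NS dnssec2.singnet.com.sg.
gov.sg. 1h3m26s IN NS secdns.cyberway.com.sg.
gov.sg. 1h3m26s IN NS ds.nic.net.sg.
gov.sg. 1h3m26s IN NS pridns.gov.sg.
gov.sg. 1h3m26s IN NS secdns.gov.sg.
sgnews.gov.sg. 6H IN NS secdns.gov.sg.
sgnews.gov.sg. 6H IN NS pridns.gov.sg.
"""


def parse_ns(text):
    """Return {owner: set(targets)} from 'owner ttl IN NS target' lines."""
    zones = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or [f.upper() for f in fields[2:4]] != ["IN", "NS"]:
            continue  # skip anything that is not an NS record
        owner = fields[0].lower().rstrip(".")
        target = fields[4].lower().rstrip(".")
        zones.setdefault(owner, set()).add(target)
    return zones


def delegation_report(zones, parent, child, parent_has_delegation):
    """Classify parent-zone servers by what they answer for a name in child.

    Assumption: a parent server that also serves the child answers from the
    child zone; any other parent server returns NXDOMAIN unless the parent
    zone carries NS records delegating the child.
    """
    parent_ns, child_ns = zones[parent], zones[child]
    masking = sorted(parent_ns & child_ns)
    nxdomain = [] if parent_has_delegation else sorted(parent_ns - child_ns)
    return {
        "masking": masking,
        "nxdomain": nxdomain,
        "p_nxdomain": len(nxdomain) / len(parent_ns),
    }


if __name__ == "__main__":
    report = delegation_report(parse_ns(RECORDS), "gov.sg", "sgnews.gov.sg", False)
    print(report)
```

Servers listed under "masking" are the ones that make a broken delegation look healthy when they are the only ones tested, which is why the check should be run against every server of the parent zone.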