BIND this easy to DOS? (nobody?)

Mark Andrews Mark_Andrews at isc.org
Sun Jan 15 00:19:35 UTC 2006 

> In article <dqavbp$2n85$1 at sf1.isc.org>,
>  John Little <jlittle_97 at yahoo.com> wrote:
> 
> > > > I believe named caches 'lame servers'? Why does it not cache
> > > unreachable
> > > > servers?
> > 
> > It does. From DNS and Bind 4th Ed-Since 4.9 all Bind servers implement
> > negative caching..if an authoritative name server responds to a query
> > that says the domain name or datatype doesn't exist the name server
> > temporarily caches that information too.  
> > 
> > and further on:
> > Name servers can't cache data forever so the administrator must decide
> > on a TTL for the zone.  A small ttl creates lots of queries but ensures
> > consistency while a large ttl reduces queries but may not be as
> > consistent.
> > 
> > All of the above wa paraphrased from the book.
> 
> Neither of those paragraphs addresses the problem the OP wrote about.  
> He's not getting *any* response from the nameservers, so there's no 
> negative response to cache.
> 
> I believe he's absolutely correct.  BIND doesn't cache the fact that a 
> particular server is non-responsive, so that it shouldn't bother trying 
> to query it at all.

	Actually it adjusts the RTT estimate (modulo bugs).  It
	also collapses all the external queries into one query
	internally.  It should get down to about 1 external query
	every 10 seconds for the <qname,qtype,qclass> tuple independent
	of the query load when talking to non-responsive servers.

	BIND 9.4.0 also as a dynamic per <qname,qtype,qclass> client
	limits in addition to the overall recursive clients limit.

	Depending upon the version of named he is running at 500
	q/s * 90 (current 30) seconds (after which named gives up)
	he needs recurive clients depths of 45000 (current 15000).

	Mark

> -- 
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
> *** PLEASE don't copy me on replies, I'll read them in the group ***
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list