A lot of queries from a customer.
Rafael Molina
rafael.molina at interlink.net.ve
Thu Jun 28 12:30:28 UTC 2012
> Hi,
>
> Recently, I have been watching on one DNS server a lot of queries from
> a customer to ¨time-b.netgear.com¨ (Maybe a Netgear´s NTP server).
>
> About 1000 queries per minute.
>
> tail -f /var/log/bind9-query.log | grep time-b.netgear.com
>
> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query:
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query:
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query:
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.008 client 186.14.xx.xx#32770: query:
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query:
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query:
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query:
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query:
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query:
> time-b.netgear.com IN A + (10.1.xx.xx)
>
> tcpdump -i eth0 port 53 and host 186.14.xx.xx
>
> 12:54:28.375374 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A?
> time-b.netgear.com. (36)
> 12:54:28.375479 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A?
> time-b.netgear.com. (36)
> 12:54:28.375507 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A?
> time-b.netgear.com. (36)
> 12:54:28.375553 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A?
> time-b.netgear.com. (36)
> 12:54:28.375638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A?
> time-b.netgear.com. (36)
> 12:54:28.376424 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.376525 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.376807 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.376845 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.376906 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.381638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A?
> time-b.netgear.com. (36)
> 12:54:28.381693 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 62683+ A?
> time-b.netgear.com. (36)
> 12:54:28.381745 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 50898+ A?
> time-b.netgear.com. (36)
> 12:54:28.381869 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.382011 IP inter.net.ve.domain > 186.14.xx.xx.32770: 62683
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.382058 IP inter.net.ve.domain > 186.14.xx.xx.32770: 50898
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>
> I don´t find the ways to limit of queries per minutes on this customer
> Is it possible in Bind9 a filtering these queries, to limit the
> responses ?
>
> Thank in advance,
>
> Below, I´ve attached my configuration
>
> OS: ubuntu 11.10
> Bind: 9.7.3.dfsg-1ubuntu4.1
>
> named.conf.options
>
> allow-recursion { corp; };
> allow-query-cache { corp; };
>
> corp : clients.
>
> allow-query { any; };
> clients-per-query 10 ;
> max-clients-per-query 20 ;
> blackhole { bogusnets; };
> version "I hope this is a joke !";
> edns-udp-size 512;
> max-udp-size 512;
> recursive-clients 1000;
> max-cache-size 500M;
> tcp-clients 500;
> max-cache-ttl 43200; # 12 Hours
> max-ncache-ttl 900; # 15 min
>
> Saludos,
>
> Atentamente,
> Rafael J. Molina Q.
> www.inter.com.ve
>
>
More information about the bind-users
mailing list