Sporadic but noticeable SERVFAILs in specific nodes of an anycast resolving farm running BIND
Kostas Zorbadelos
kzorba at otenet.gr
Sat Mar 8 19:52:48 UTC 2014
Hello,
an update with the findings so far:
- IPv6 config on the servers was an issue so we removed it and will test
further later. There is a hint pointed out by various people about a
Linux kernel issue and setting (net.ipv6.route.max_size), see
https://lists.dns-oarc.net/pipermail/dns-operations/2014-February/011366.html
- our main issue was that we were being attacked. Open resolvers in our
network were utilized to produce large amounts of queries with random
subdomains of specific domains. Analyzing a small capture we noticed
the following domains, but the list should not be considered complete
I guess
One mitigation approach is to blackhole the domains using local zones.
--
Kostas Zorbadelos
twitter:@kzorbadelos http://gr.linkedin.com/in/kzorba
----------------------------------------------------------------------------
() www.asciiribbon.org - against HTML e-mail & proprietary attachments
/\
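
An added example, not part of the original post: one way to spot the random-subdomain pattern described above in query names already extracted from a capture, and to print BIND zone stanzas for the local-zone blackhole the post mentions. The sample names, the thresholds and the zone file path are assumptions; the zone file is assumed to be a minimal local zone holding only SOA and NS records.

```python
import random
import string
from collections import defaultdict


def flag_random_subdomain_targets(qnames, min_unique=5, min_ratio=0.9,
                                  min_parent_labels=2):
    """Return parent names whose leftmost labels are almost all distinct.

    Thresholds are illustrative. Raise min_parent_labels or add an allowlist
    if multi-label public suffixes (for example com.cn) show up in results.
    """
    total = defaultdict(int)    # queries seen per parent name
    unique = defaultdict(set)   # distinct leftmost labels per parent name
    for name in qnames:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) <= min_parent_labels:
            continue            # parent would be a bare TLD or too short
        parent = ".".join(labels[1:])
        total[parent] += 1
        unique[parent].add(labels[0])
    flagged = [p for p, seen in unique.items()
               if len(seen) >= min_unique and len(seen) / total[p] >= min_ratio]
    return sorted(flagged)


def blackhole_stanzas(parents, zone_file="/etc/bind/db.blackhole"):
    """Build named.conf zone statements that answer the names locally.

    zone_file is a hypothetical path to the minimal local zone file.
    """
    return "\n".join(
        f'zone "{p}" {{ type master; file "{zone_file}"; }};' for p in parents)


# Constructed sample: 20 random labels under one name, plus ordinary traffic.
rng = random.Random(2014)
SAMPLE = [
    f"{''.join(rng.choices(string.ascii_lowercase, k=8))}.www.abused-zone.example."
    for _ in range(20)
]
SAMPLE += ["www.normal-site.example."] * 30
SAMPLE += ["mail.normal-site.example."] * 5
SAMPLE += ["normal-site.example."] * 3

if __name__ == "__main__":
    print(blackhole_stanzas(flag_random_subdomain_targets(SAMPLE)))
```

Review the flagged names before loading the stanzas, since a blackholed zone also stops legitimate lookups for every name beneath it.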