DNS NXDOMAIN flood

Carlos Horowicz carlos at planisys.com
Thu Nov 2 11:08:11 UTC 2023


Hi,

You might use in /etc/bind/named.conf.options e.g.

rate-limit {
    responses-per-second 10;
    nxdomains-per-second 2;
    errors-per-second 5;
};

That is, with values below default, as your BIND is already rate limiting, 
as shown in the logs.

You might also shorten the default window of observance, which is 15 
seconds, maybe too long for your link saturation problem.

For more options see 
https://bind9.readthedocs.io/en/v9.18.19/reference.html#namedconf-statement-rate-limit

Regards,

Carlos Horowicz
Planisys

On 02/11/2023 05:58, Mosharaf Hossain wrote:
> Hello Folks
> I have come across a challenge with our BIND nameserver, specifically 
> related to a "*DNS NXDOMAIN flood*" problem. Despite upgrading the 
> BIND version from 9.10 to 9.18, the issue persists.
>
> The attack originates from an external network, and it periodically 
> saturates our entire internet bandwidth. While we've implemented 
> various measures to combat the attack, it continues to be a 
> significant problem, rendering our DNS server incapable of resolving 
> queries during these onslaughts.
>
> Current DNS server spec:
> OS Debian 12
> BIND: BIND 9.18.19-1~deb12u1-Debian (Extended Support Version) <id:>
>
> *_DNS NXDOMAIN flood Sample log_:*
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7d2c1768 47.74.84.139#28827 (bearnote.primebank.com.bd): rate limit drop NXDOMAIN response to 47.74.84.0/24 for primebank.c>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce720cdd68 192.221.176.14#34882 (2014-06-24.pRiMEBANK.cOM.BD): rate limit drop NXDOMAIN response to 192.221.176.0/24 for prim>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce65cb9d68 74.125.187.132#53017 (HUbBY.PRimEBaNK.cOm.bD): rate limit drop NXDOMAIN response to 74.125.187.0/24 for primebank.>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce90fdb768 172.217.47.5#65160 (GEoVIsIOn.PrimeBAnk.COm.bD): rate limit drop NXDOMAIN response to 172.217.47.0/24 for primeban>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce99901b68 77.59.227.211#61265 (lanyware.primebank.com.bd): rate limit slip NXDOMAIN response to 77.59.227.0/24 for primebank>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7ee5cd68 1.20.200.152#37953 (debianmeetingresume200809-kansai.primebank.com.bd): rate limit slip NXDOMAIN response to 1.20.>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce69846968 162.158.207.78#44948 (stacking.primebank.com.bd): rate limit drop NXDOMAIN response to 162.158.207.0/24 for primeb>
>
>
>
>
> Regards
> Mosharaf Hossain
>
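
Added example, not part of the original thread and not BIND's own tooling: before lowering nxdomains-per-second or the window, it helps to tally the rate-limit lines per action, per client /24 and per distinct query name, which shows whether the flood is random subdomains arriving from many blocks. The log text, the documentation addresses, the zone example.com and the helper name summarize() are constructed placeholders; only IPv4 clients and the line format shown in the quoted log are handled.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample input in the format of the quoted log. Addresses are
# documentation ranges and example.com is a placeholder zone. Line 4 is cut off
# with ">" the way the quoted journal output is; line 5 is another zone.
SAMPLE_LOG = """\
Nov 02 09:00:23 ns1 named[1234]: client @0x7f0000000001 192.0.2.10#28827 (abc.example.com): rate limit drop NXDOMAIN response to 192.0.2.0/24 for example.com
Nov 02 09:00:23 ns1 named[1234]: client @0x7f0000000002 192.0.2.77#34882 (ABC.ExAmPlE.cOm): rate limit drop NXDOMAIN response to 192.0.2.0/24 for example.com
Nov 02 09:00:23 ns1 named[1234]: client @0x7f0000000003 198.51.100.5#53017 (xyz.example.com): rate limit slip NXDOMAIN response to 198.51.100.0/24 for example.com
Nov 02 09:00:23 ns1 named[1234]: client @0x7f0000000004 203.0.113.9#65160 (q1w2e3.example.com): rate limit drop NXDOMAIN response to 203.0.>
Nov 02 09:00:24 ns1 named[1234]: client @0x7f0000000005 203.0.113.9#61265 (www.other.test): rate limit drop NXDOMAIN response to 203.0.113.0/24 for other.test
Nov 02 09:00:24 ns1 named[1234]: zone example.com/IN: loaded serial 2023110201
"""

# Only the part of the line that survives truncation is matched (IPv4 clients).
LINE_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+ \((?P<qname>[^)]+)\): "
    r"rate limit (?P<action>drop|slip) NXDOMAIN response"
)

def summarize(log_text, zone, prefix_len=24):
    """Tally RRL drop/slip actions, client blocks and distinct names under zone."""
    zone = zone.lower().rstrip(".")
    actions, blocks, names = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        qname = m["qname"].lower().rstrip(".")  # fold mixed-case query names
        if qname != zone and not qname.endswith("." + zone):
            continue
        actions[m["action"]] += 1
        # Block is derived from the client address, so truncated lines count too.
        # prefix_len=24 mirrors the /24 blocks in the log (assumed unchanged).
        block = ip_network(f"{m['ip']}/{prefix_len}", strict=False)
        blocks[str(block)] += 1
        names.add(qname)
    return {"total": sum(actions.values()), "actions": dict(actions),
            "blocks": blocks.most_common(), "distinct_names": len(names)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "example.com"))
```

A distinct-name count close to the total, spread over many client blocks, is the pattern in the quoted log: each dropped response is for a different non-existent name under the same zone.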