Problems with Bind 8.2.1 not answering queries

Mike McHenry mmchen at ally.minn.net
Tue Sep 7 02:05:44 UTC 1999


Hello all,

I have seen several people post a problem very similar to the one I have been having over the past few weeks but I have yet to see any sort of definitive answer on the issue.

It seems that people are having an issue with various versions of bind not answering queries after being hit with a number of unapproved updates. I have personally been experiencing this for some time now and have not been able to come up with a suitable way to deal with this problem. In most of the other reported cases I have seen, the problem seems to be primarily with Linux machines running Bind; however, I have seen reports of various platforms which exhibit the same behaviour.

According to RFC 2136:

   8.2. A denial of service attack can be launched by flooding an update
   forwarder with TCP sessions containing updates that the primary
   master server will ultimately refuse due to permission problems.
   This arises due to the requirement that an update forwarder receiving
   a request via TCP use a synchronous TCP session for its forwarding
   operation.  The connection management mechanisms of [RFC1035 4.2.2]
   are sufficient to prevent large scale damage from such an attack, but
   not to prevent some queries from going unanswered during the attack.

This would seem to be exactly what is happening in my case (and others). The question is how can this behaviour be dealt with other than black-holing the offending addresses. In my case the unapproved updates are coming from what appears to be Korea and my many requests to resolve the problem have been unanswered.

A DNS server not answering a FEW queries is a serious issue to most of us, especially when it happens at random times. When this "DOS" happens to me my name server becomes unavailable for at least 2-3 minutes, clearly NOT something I want happening to my core DNS server.

I have the capability to do extensive packet tracing and system call tracing on named when this outage happens, but I see little point in posting them here as it seems that the description in the rfc is indeed what is happening.

Mike McHenry
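
For readers triaging the situation described in this post, the following is an added example (not part of the original message and not BIND's own code) that tallies rejected dynamic-update log lines per source over a sliding window, to show which senders are bursting. The syslog line shape, the 60-second window, the threshold of 5 and the sample addresses (documentation ranges) are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of a rejected-update log line (constructed, not from the post):
#   Sep  7 01:58:00 ns1 named[412]: unapproved update from [203.0.113.7].1040 for example.com
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+named\[\d+\]:\s+"
    r"unapproved update from \[(?P<src>[0-9.]+)\]\.\d+ for (?P<zone>\S+)"
)

# Constructed sample input: one source sending six updates in under a minute,
# one source sending two updates five minutes apart, and one unrelated line.
SAMPLE_LOG = [
    f"Sep  7 01:58:{s:02d} ns1 named[412]: unapproved update from "
    f"[203.0.113.7].{1040 + s} for example.com"
    for s in range(0, 60, 10)
] + [
    "Sep  7 01:58:05 ns1 named[412]: unapproved update from [198.51.100.9].2001 for example.com",
    "Sep  7 02:03:05 ns1 named[412]: unapproved update from [198.51.100.9].2002 for example.com",
    "Sep  7 02:03:06 ns1 named[412]: Cleaned cache of 14 RRs",
]


def burst_sources(lines, year=1999, window=timedelta(seconds=60), threshold=5):
    """Return {source: peak count inside any window} for sources at or above threshold.

    Classic syslog timestamps carry no year, so the caller supplies one.
    Lines are expected in chronological order, as in a log file.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)       # per-source highest in-window count seen so far
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a rejected-update line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window: # drop entries older than the window
            q.popleft()
        peak[m["src"]] = max(peak[m["src"]], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(burst_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src}\t{n} rejected updates within 60s")
```
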

