Mysterious load increase, BIND 8.2.2,p5

Jim Reid jim at rfc1035.com
Fri Apr 21 09:24:31 UTC 2000


>>>>> "joe" == cschen  <cschen at cc.nctu.edu.tw> writes:

    joe> BTW, we also found another kind of DNS queries (or attacks ?)
    joe> being issued continuously.  - Some user program keeps sending
    joe> DNS queries to some remote IP addr.  
    joe> It seems that BIND 8.x has implemented the Negative Cache
    joe> feature.  I wonder why the NCache feature could NOT take care
    joe> of this.  Is there something special ?

No. Negative caching is normally only done by up to date name
servers. Resolvers don't. This is because resolvers don't have any
cache and maintain almost no state information. As a general rule, an
application invokes the resolver to make one DNS lookup. With negative
caching, a name server is told "this name does not exist and remember
that for N seconds". So if the name server then gets asked for that
non-existent name, it can give that negatively-cached answer without
going and looking up the name again. And getting the same answer as
before.

Now it's possible - but highly unlikely - that an application would
understand the semantics of negative caching. Especially one that
appears to be stuck in a tight loop asking for the same name over and
over again. What you have to do is find the owner of the computer
that's making these idiot requests and get them to fix it. Oh and if a
name server doesn't implement negative caching - and there are many
thousands of them in use! - it will behave in the same idiotic manner
by making the same queries over and over.
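
Added illustration, not part of the original message and not BIND code: a toy model of the behaviour described above, in which the server's negative cache suppresses repeated upstream lookups while a stateless resolver stuck in a loop still sends every query to the server. All names, addresses and the 600-second TTL are constructed for the example; the per-client counter is one way to find the machine making the requests.

```python
import collections

class CachingServer:
    """Toy name server with a negative cache (constructed model)."""
    def __init__(self, zone, neg_ttl):
        self.zone = zone                # stand-in for the real DNS: name -> address
        self.neg_ttl = neg_ttl          # the "N seconds" a negative answer is remembered
        self.neg_cache = {}             # name -> time the negative entry expires
        self.upstream_lookups = 0       # lookups the server had to go and make
        self.queries = collections.Counter()  # (client, name) -> queries received

    def query(self, client, name, now):
        self.queries[(client, name)] += 1     # every query still costs the server work
        if self.neg_cache.get(name, 0) > now:
            return None                 # answered from the negative cache
        self.upstream_lookups += 1
        addr = self.zone.get(name)
        if addr is None:                # name does not exist: remember that
            self.neg_cache[name] = now + self.neg_ttl
        return addr

    def noisy_clients(self, threshold):
        """(client, name) pairs seen at least `threshold` times."""
        return sorted(k for k, n in self.queries.items() if n >= threshold)

def stub_resolver_loop(server, client, name, start, count):
    """Stateless resolver: no cache, one query per second, same name each time."""
    return [server.query(client, name, start + t) for t in range(count)]

def simulate():
    server = CachingServer({"www.example.test": "192.0.2.10"}, neg_ttl=600)
    # A program stuck in a loop asking for a name that does not exist.
    stub_resolver_loop(server, "10.0.0.5", "nosuch.example.test", 0, 1000)
    # A well-behaved client making a single lookup.
    server.query("10.0.0.9", "www.example.test", 5)
    return server

if __name__ == "__main__":
    s = simulate()
    print("queries received:", sum(s.queries.values()))
    print("upstream lookups:", s.upstream_lookups)
    print("noisy clients:", s.noisy_clients(100))
```
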


