8.2.3 server flooding root servers

Mark_Andrews at isc.org
Mon Nov 12 22:01:57 UTC 2001


	In general a nameserver needs to lookup information for
	itself.  To do this it needs to prime its cache which is
	what you are seeing.

	If you don't want it to do this remove the hints and set
	fetch-glue to no.   You may then need to explicitly set
	also-notify if the nameservers for the zones you serve
	do not also all live in the zones you serve.

	Mark

	P.S. if your firewall is setup correctly they won't be
	flooding the root servers.  A good firewall configuration
	would be stopping the outgoing traffic that it would not
	be allowing responses to back in.

> 
> I have a DNS server with a problem. It is running Bind
> 8.2.3. I am running in a chrooted environment. The
> server is configured to prohibit recursive requests.
> 
> It constantly queries the root servers with questions
> about the root servers. Here is an example network
> capture:
>     dns1 -> 202.12.27.33 DNS C M.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C L.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C K.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C J.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C I.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C H.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C G.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C F.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C E.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C D.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C C.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C B.ROOT-SERVERS.NET. Internet Addr ?
>     dns1 -> 202.12.27.33 DNS C A.ROOT-SERVERS.NET. Internet Addr ?
> 
> My secondary DNS is running almost the same
> configuration, but it has no problems.
> 
> Here is the named.conf for the primary. I have made a
> few changes to avoid telling you more about myself
> than you really need to know.:
> 
> logging {
>         channel default_log_file {
>           file "/var/log/default_named.log" versions 99 size unlimited;
>           severity debug 1;
>           print-category yes;
>           print-severity yes;
>           print-time     yes;
>           };
>         category default { default_log_file; };
>         };
> 
> options {
>         directory "/var/named";
>         allow-transfer {
> 		1.1.1.1;	/* ISP DNS */
> 		1.1.1.2;	/* ISP Backup DNS */
>         };
>         recursion no;
>         version "0000";
>         notify yes;
>         also-notify { 1.1.1.2;};
>         pid-file "/var/run/named.pid";
> };
> 
> zone "." {
>         type hint;
>         file "root.cache";
> };
> 
> zone "0.0.127.IN-ADDR.ARPA" {
>         type master;
>         file "db.localhost";
> };
> 
> zone "example.com" {
>         type master;
>         file "db.example.com";
> };
> 
> (More zones follow, but no more configuration options)
> 
> If you have ever seen a similar problem, or have any
> idea what is going on please let me know.
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
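The poster's named.conf with the change Mark describes applied, as an added example (this is not the poster's or ISC's own configuration). It keeps the original's placeholders (1.1.1.1, 1.1.1.2, example.com, the zone file names) and is written for BIND 8, which is what the poster runs; `fetch-glue` is a BIND 8 option that BIND 9 treats as obsolete.

```conf
// Added example, not the original poster's file: an authoritative-only
// BIND 8 server with the cache priming removed.
// Addresses, zone names and file names are placeholders from the original post.
options {
        directory "/var/named";
        allow-transfer {
                1.1.1.1;        /* ISP DNS */
                1.1.1.2;        /* ISP Backup DNS */
        };
        recursion no;           // still refuse recursive queries from clients
        fetch-glue no;          // BIND 8 only: do not look up out-of-zone glue
        version "0000";
        notify yes;
        // With no hints and no recursion, named cannot resolve the names in
        // out-of-zone NS records to send them NOTIFY, so list the secondaries
        // by address here (the poster already does this for 1.1.1.2).
        also-notify { 1.1.1.2; };
        pid-file "/var/run/named.pid";
};

// No 'zone "." { type hint; ... }' block: with no hints there is nothing to
// prime, so the address queries for A..M.ROOT-SERVERS.NET stop.

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "db.localhost";
};

zone "example.com" {
        type master;
        file "db.example.com";
};
```

After restarting named, repeat the same packet capture: with the hint zone gone and `fetch-glue no` there should be no queries from dns1 to any root server at all, only answers to inbound queries and NOTIFY to the addresses in `also-notify`. Mark's postscript is the defence in depth for the same condition: a server that is never meant to recurse has no reason to originate DNS queries to the Internet, so the firewall can drop that outbound traffic (in my reading, everything except what is needed to reach the listed secondaries) instead of relying on named's configuration alone.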


More information about the bind-users mailing list