How to prevent DoS attacks from non-spoofed IPs on DNS.

Al-Juhani aljuhani at zajil.net
Sat Sep 27 03:48:56 UTC 2003


Hello List..

Last week one of our Web Servers was hit by a large number of DNS Queries from
several IPs around the world. The Domain that was mapped has our nameservers.

Here are some stats:

Number of DNS Queries was approx. more than 7,200 per hour.
Bandwidth: reached 100 times more than the normal average.
Named was consuming more than 80% of the CPU Power.
CPU temp was between 50 to 60.
Load Average reached 20
Logging in over SSH takes 3-4 minutes as DNS times out.
Browsing the website gives a TCP/IP error as DNS times out.
/var/log/messages filled with the DNS queries below but from different IPs:

"denied recursion for query from [195.141.214.35].53 for domain.com IN"

Solution:

We have made a perl script that scans /var/log/messages, grabs attacking IPs,
echoes them into another file, sorts them to remove duplicates and then triggers
an IPchains blocking rule for each IP address.  We were hoping to find the loop as the
IPs appeared to be generated by a script and after collecting around 12,000
IP addresses, the loop restarted from the beginning.

Well, that solved it and really I never thought the server would stand such a
Denial of Service but luckily it survived.

My Question:

Is there any other way to protect Servers from such attacks.. I mean
something to do with BIND..
I know spoofed IPs can be ignored but all attacking IPs were real,
pingable IP addresses.

Thanks

Al-Juhani
aljuhani at zajil.net
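The log-scanning step the poster describes, as an added example (not the poster's own perl script): it parses the "denied recursion" line quoted above out of constructed /var/log/messages samples, counts denied queries per source IP, de-duplicates the offenders above a threshold, and renders one ipchains DENY rule per IP for review. The syslog prefix on the sample lines and the per-IP threshold are assumptions, not from the post.

```python
import re
from collections import Counter

# Pattern for the named log line quoted in the post, e.g.
# "denied recursion for query from [195.141.214.35].53 for domain.com IN"
DENIED_RECURSION = re.compile(
    r"denied recursion for query from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\.(?P<port>\d+)"
    r" for (?P<name>\S+) IN"
)

# Constructed sample of /var/log/messages lines; the syslog prefix and the
# 10.0.0.x / 192.0.2.x addresses are made up for this example.
SAMPLE_LOG = """\
Sep 20 10:01:02 ns1 named[123]: denied recursion for query from [195.141.214.35].53 for domain.com IN
Sep 20 10:01:02 ns1 named[123]: denied recursion for query from [10.0.0.7].53 for domain.com IN
Sep 20 10:01:03 ns1 named[123]: denied recursion for query from [195.141.214.35].53 for domain.com IN
Sep 20 10:01:03 ns1 named[123]: client 10.0.0.9#53: query: www.domain.com IN A
Sep 20 10:01:04 ns1 named[123]: denied recursion for query from [192.0.2.44].1053 for domain.com IN
Sep 20 10:01:05 ns1 named[123]: denied recursion for query from [195.141.214.35].53 for domain.com IN
"""


def count_denied_recursion(log_text):
    """Return a Counter of denied-recursion queries per source IP; other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RECURSION.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold):
    """Sorted, de-duplicated IPs with at least `threshold` denied queries."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def ipchains_rules(ips):
    """Render one ipchains DENY rule per IP (returned as text for review, never executed here)."""
    return ["ipchains -A input -s %s -j DENY" % ip for ip in ips]


if __name__ == "__main__":
    c = count_denied_recursion(SAMPLE_LOG)
    for rule in ipchains_rules(offenders(c, threshold=2)):
        print(rule)
```

With the threshold at 1 the output matches the poster's "sort to remove duplicates" behaviour; a higher threshold keeps a single legitimate client that hit the server once from being blocked.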
