BIND this easy to DOS?

Mark de Vries markdv.bind at asphyx.net
Tue Jan 10 22:08:13 UTC 2006


Hi,

Tonight a customer started sending ~50 q/s for A? ssh.e-swiat.be.

Both name servers for this domain were unreachable. From a dumpdb:

e-swiat.be.             75323   NS      ns1-be.yi.org.
                        75323   NS      ns2-be.yi.org.
ns1-be.yi.org.          75324   A       80.21.186.219
ns2-be.yi.org.          75324   A       82.177.34.22

This did not stop bind from sending queries to these servers almost as
often as it was queried by the customer, resulting in "no more recursive
clients" and degraded performance (other customers' queries being
dropped).

I believe named caches 'lame servers'? Why does it not cache unreachable
servers? After a few timeouts mark the host unreachable for a certain
amount of time and refrain from sending queries to it. If all servers for
a domain are marked unreachable return SERVFAIL to the client...

Doesn't this make it real easy to kill bind? Just set up a (sub) domain
with some nameservers whose IPs are unreachable, start sending queries
for some name in that domain like mad and wait for the number of recursive
clients to fill up...

btw, I have recursive-clients set to 12500. Is there any way to see how
close to this limit I'm getting at times? It would be nice if 'rndc status'
would spit out the current number of outstanding queries.

Regards,
Mark
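The two things the post asks for, visibility into how close the resolver is to its recursive-clients quota and a way to spot the one client driving the load, can be scripted from data named already exposes. The script below is an added example and not part of the original post or of BIND itself. It assumes that `rndc status` prints a line of the form `recursive clients: current/soft/hard` (which newer BIND 9 releases do; the 2006 version the post is about did not) and that query logging uses the classic `client <ip>#<port>: query: <name> <class> <type> <flags>` layout. Both the status output and the log lines embedded here are constructed samples modelled on the post, not real captures.

```python
import re
from collections import Counter

# Constructed sample of `rndc status` output (abridged). The assumption is
# that newer BIND 9 prints "recursive clients: current/soft/hard".
RNDC_STATUS = """\
version: 9.x (constructed sample)
number of zones: 14
debug level: 0
recursive clients: 11980/12400/12500
tcp clients: 3/150
server is up and running
"""

# Constructed named log excerpt in the classic query-log layout, plus the
# quota message the post quotes.
NAMED_LOG = """\
10-Jan-2006 22:01:03.112 client 192.0.2.10#53012: query: ssh.e-swiat.be IN A +
10-Jan-2006 22:01:03.131 client 192.0.2.10#53013: query: ssh.e-swiat.be IN A +
10-Jan-2006 22:01:03.150 client 192.0.2.10#53014: query: ssh.e-swiat.be IN A +
10-Jan-2006 22:01:03.402 client 198.51.100.7#4412: query: www.example.net IN A +
10-Jan-2006 22:01:04.010 client 192.0.2.10#53015: query: ssh.e-swiat.be IN A +
10-Jan-2006 22:01:04.777 no more recursive clients: quota reached
"""

RECURSIVE_RE = re.compile(r"recursive clients:\s*(\d+)/(\d+)/(\d+)")
# Tolerates an optional "@0x..." handle and an optional "(name)" after the
# address, as some later query-log variants add them.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?([0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (\S+) (\S+) (\S+)"
)
QUOTA_MSG = "no more recursive clients"


def parse_recursive_clients(status_text):
    """Return (current, soft, hard) from `rndc status`, or None if absent."""
    m = RECURSIVE_RE.search(status_text)
    return tuple(int(x) for x in m.groups()) if m else None


def utilisation(status_text):
    """Fraction of the hard recursive-clients quota currently in use."""
    parsed = parse_recursive_clients(status_text)
    if not parsed or parsed[2] == 0:
        return 0.0
    current, _soft, hard = parsed
    return current / hard


def scan_log(log_text):
    """Count queries per client and per qname, and quota-reached messages."""
    per_client, per_qname = Counter(), Counter()
    quota_hits = 0
    for line in log_text.splitlines():
        if QUOTA_MSG in line:
            quota_hits += 1
            continue
        m = QUERY_RE.search(line)
        if m:
            client, qname = m.group(1), m.group(2).rstrip(".").lower()
            per_client[client] += 1
            per_qname[qname] += 1
    return {"clients": per_client, "qnames": per_qname, "quota_hits": quota_hits}


def alerts(status_text, log_text, threshold=0.9, top_share=0.5):
    """Produce human-readable alerts for quota pressure and dominant talkers."""
    out = []
    util = utilisation(status_text)
    if util >= threshold:
        cur, _soft, hard = parse_recursive_clients(status_text)
        out.append(f"recursive clients at {cur}/{hard} ({util:.1%} of quota)")
    stats = scan_log(log_text)
    if stats["quota_hits"]:
        out.append(f"'{QUOTA_MSG}' seen {stats['quota_hits']} time(s) in log")
    total = sum(stats["clients"].values())
    for client, n in stats["clients"].most_common(1):
        if total and n / total >= top_share:
            qname, qn = stats["qnames"].most_common(1)[0]
            out.append(f"client {client} sent {n}/{total} queries; "
                       f"top qname {qname} ({qn})")
    return out


if __name__ == "__main__":
    for line in alerts(RNDC_STATUS, NAMED_LOG):
        print("ALERT:", line)
```

In practice the status text would come from `subprocess.run(["rndc", "status"], ...)` and the log excerpt from tailing the named query log; the thresholds are deliberately conservative so the alert fires before the hard quota is reached rather than after clients start being dropped.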


