BIND this easy to DOS? (nobody?)

Mark de Vries markdv.bind at asphyx.net
Sat Jan 14 11:10:33 UTC 2006


Haven't seen a single response?! Am I the only one (running large caching
servers) that occasionally runs into this problem?

On Tue, 10 Jan 2006, Mark de Vries wrote:
>
> Hi,
>
> Tonight a customer started sending ~50 q/s for A? ssh.e-swiat.be.
>
> Both name servers for this domain were unreachable. From a dumpdb:
>
> e-swiat.be.             75323   NS      ns1-be.yi.org.
>                         75323   NS      ns2-be.yi.org.
> ns1-be.yi.org.          75324   A       80.21.186.219
> ns2-be.yi.org.          75324   A       82.177.34.22
>
> This did not stop bind from sending queries to these servers almost as
> often as it was queried by the customer, resulting in "no more recursive
> clients" and degraded performance (other customers' queries being
> dropped).
>
> I believe named caches 'lame servers'? Why does it not cache unreachable
> servers? After a few timeouts mark the host unreachable for a certain
> amount of time and refrain from sending queries to it. If all servers for
> a domain are marked unreachable return SERVFAIL to the client...
>
> Doesn't this make it real easy to kill bind? Just set up a (sub) domain
> with some nameservers whose IPs are unreachable, start sending queries
> for some name in that domain like mad and wait for the number of recursive
> clients to fill up...
>
> btw, I have recursive-clients set to 12500. Is there any way to see how
> close to this limit I'm getting at times? Would be nice if 'rndc status'
> would spit out the current number of outstanding queries.
>
> Regards,
> Mark
>

-- 

What's a girl like you doing in a nice place like this?
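The hold-down behaviour Mark proposes (mark a server unreachable after a few timeouts, skip it for a while, SERVFAIL when every NS for the zone is marked) can be modelled to see what it does to the upstream query volume. The following is an added example written for this post, not BIND code; the threshold of 3 timeouts, the 600 s hold-down and the 50 q/s replay rate are assumptions, and the NS addresses are the two from the dumpdb above.

```python
import time
from collections import defaultdict

# Constructed model of the "cache unreachable servers" idea from the post; not BIND code.
# Threshold and hold-down values are assumptions chosen for illustration.
ZONE_NS = ["80.21.186.219", "82.177.34.22"]   # ns1-be/ns2-be.yi.org from the dumpdb

class UnreachableTracker:
    def __init__(self, threshold=3, holddown=600, clock=time.monotonic):
        self.threshold, self.holddown, self.clock = threshold, holddown, clock
        self.failures = defaultdict(int)   # consecutive timeouts per address
        self.dead_until = {}               # address -> time the hold-down expires

    def is_dead(self, addr):
        until = self.dead_until.get(addr)
        if until is None:
            return False
        if self.clock() >= until:          # hold-down expired: allow one retry
            del self.dead_until[addr]
            self.failures[addr] = 0
            return False
        return True

    def record_timeout(self, addr):
        self.failures[addr] += 1
        if self.failures[addr] >= self.threshold:
            self.dead_until[addr] = self.clock() + self.holddown

    def record_success(self, addr):
        self.failures[addr] = 0
        self.dead_until.pop(addr, None)

def resolve(zone_ns, tracker, send):
    """send(addr) -> True on answer, False on timeout. Returns 'ANSWER' or 'SERVFAIL';
    when every NS is in hold-down, SERVFAIL is returned without any upstream packet."""
    for addr in [a for a in zone_ns if not tracker.is_dead(a)]:
        if send(addr):
            tracker.record_success(addr)
            return "ANSWER"
        tracker.record_timeout(addr)
    return "SERVFAIL"

def simulate(queries, zone_ns=ZONE_NS, threshold=3, holddown=600, rate=50.0):
    """Replay a burst of identical queries against unreachable NS; returns (upstream packets, SERVFAILs)."""
    now, sent, servfails = [0.0], [0], 0
    tracker = UnreachableTracker(threshold, holddown, clock=lambda: now[0])
    def send(addr):
        sent[0] += 1
        return False                        # both servers unreachable: every query times out
    for _ in range(queries):
        if resolve(zone_ns, tracker, send) == "SERVFAIL":
            servfails += 1
        now[0] += 1.0 / rate
    return sent[0], servfails
```

With the tracker, 1000 queries cost 6 upstream packets before both servers are held down; with an effectively infinite threshold the same burst sends 2000 packets, which is the behaviour the post describes.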
