DNS-cache with custom gTLDs

Drunkard Zhang gongfan193 at gmail.com
Mon Sep 26 10:13:26 UTC 2011


2011/9/26 Matus UHLAR - fantomas <uhlar at fantomas.sk>:
>> 2011/9/23 Kevin Darcy <kcd at chrysler.com>:
>>>
>>> NXDOMAIN is a *permanent* response; at least it's "permanent" in the
>>> absence of any change to the relevant DNS RRset or zone.
>>>
>>> You're almost certainly getting the NXDOMAIN because you're spoofing the
>>> root servers, and your "fake" root servers don't have the same knowledge
>>> as the real ones, so they'll return NXDOMAIN for some queries (whereas
>>> dig +trace does not, because it follows the hierarchy down and asks
>>> different nameservers). In other words, you're shooting yourself in the
>>> foot with your hints-file trickery.
>
> On 23.09.11 08:49, Drunkard Zhang wrote:
>>
>> No, I've got 2 layers of DNS: a recursive resolution DNS and a dns-cache
>> which forwards all its queries to the recursive DNS.
>
> Why? Can't your "recursive resolution DNS" cache records?

There are a lot of abnormal queries from users (we have about 0.4 million
users); to avoid script kiddies' attacks or buggy programs, I designed 2
layers, and the dns-caches take most of the traffic. And again, the
spoofing of root-servers on the dns-cache is for the same reason.

Here are the high-traffic hour's queries for the root-servers, which look
normal; it could be billions of times when attacked.
log2 /gwbn/dns/20110925 # grep \.root-servers.net 20110925_21
1981381 a.root-servers.net A
2 m.root-servers.net A
1 k.root-servers.net A
1 j.root-servers.net A
1 g.root-servers.net A
1 f.root-servers.net A
1 c.root-servers.net A
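The per-name counts above were produced with a grep over a pre-aggregated file. As an added example (not code from the original post, and not part of BIND), the script below does the same aggregation directly from BIND 9 query-log lines and, in addition, breaks the root-server queries down per client, which is the first thing to check when one name draws orders of magnitude more queries than the others: a handful of clients hammering a.root-servers.net looks very different from 400k users each asking once. The log lines are constructed here in the BIND 9 query-log format ("client A.B.C.D#port: query: name IN type ...") and are not from the poster's logs; the regex assumes that format and skips lines that do not match it.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in BIND 9 query-log style (not taken from the post).
SAMPLE_LOG = """\
25-Sep-2011 21:00:01.101 client 10.1.2.3#51234: query: a.root-servers.net IN A + (192.0.2.53)
25-Sep-2011 21:00:01.102 client 10.1.2.3#51235: query: www.example.com IN A + (192.0.2.53)
25-Sep-2011 21:00:01.250 client 10.9.8.7#40001: query: a.root-servers.net IN A + (192.0.2.53)
25-Sep-2011 21:00:02.003 client 10.4.4.4#33000: query: m.root-servers.net IN A + (192.0.2.53)
25-Sep-2011 21:00:02.500 client 10.1.2.3#51236: query: a.root-servers.net IN AAAA + (192.0.2.53)
25-Sep-2011 21:00:03.000 client 10.5.5.5#2222: query: k.root-servers.net IN A + (192.0.2.53)
25-Sep-2011 21:00:03.100 client 10.1.2.3#51237: query: a.root-servers.net IN A + (192.0.2.53)
this line is not a query log entry and is skipped
"""

# Matches the "client <addr>#<port>: query: <name> IN <type>" part of a BIND 9
# query-log line; everything else on the line is ignored.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

ROOT_SUFFIX = ".root-servers.net"


def parse_queries(text):
    """Yield (client, qname, qtype) for every line that looks like a query log entry."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            # Normalise the name: lower-case, no trailing dot.
            name = m.group("name").lower().rstrip(".")
            yield m.group("client"), name, m.group("qtype").upper()


def count_root_server_queries(text):
    """Count queries per (qname, qtype) for names under root-servers.net.

    This is the same aggregation as `grep \\.root-servers.net` over a
    pre-counted file, done from the raw log instead.
    """
    counts = Counter()
    for _client, name, qtype in parse_queries(text):
        if name.endswith(ROOT_SUFFIX):
            counts[(name, qtype)] += 1
    return counts


def format_report(text):
    """Render counts as '<count> <name> <type>' lines, busiest first (ties by name)."""
    counts = count_root_server_queries(text)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0], kv[0][1]))
    return ["%d %s %s" % (n, name, qtype) for (name, qtype), n in ordered]


def top_clients_for(text, qname, limit=10):
    """Return [(client, count), ...] for the clients that asked for `qname` most often.

    A skewed list here (a few clients carrying almost all of the volume) is the
    signature of a buggy resolver or a deliberate flood rather than organic load.
    """
    per_client = Counter()
    for client, name, _qtype in parse_queries(text):
        if name == qname.lower().rstrip("."):
            per_client[client] += 1
    return sorted(per_client.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def top_name_share(text):
    """Fraction of all root-server queries that go to the single busiest (name, type)."""
    counts = count_root_server_queries(text)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return max(counts.values()) / total


if __name__ == "__main__":
    # Usage: python3 rootq.py [query.log]; without an argument the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in format_report(data):
        print(line)
    busiest = format_report(data)[0].split()[1] if format_report(data) else None
    if busiest:
        print("top clients for %s:" % busiest)
        for client, n in top_clients_for(data, busiest):
            print("  %s %d" % (client, n))
```

Run it against a real BIND query log (`logging { channel querylog { file "query.log"; }; category queries { querylog; }; };`) to get both tables; the per-client breakdown is what tells a cache operator whether the volume to one root-server name comes from a few misbehaving sources that could be rate-limited or blocked, or is spread across the user base.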
