I'm having thousands of queries ...

Vernon Schryver vjs at rhyolite.com
Mon Apr 15 21:30:21 UTC 2013


> From: Denis Laventure <Denis_Laventure at uqac.ca>

> > Subject: RE: I'm having thousands of queries a domain isc.org and this
> > increases my cpu percentage to 100%. That may be happening and how I
> > can control this? is an attack? attachment of the log I made an update to
> > version 9.9.2-P2 as recommended but still continuo

> I'm having the same problem but for those domains...
>
>    hao.360.cn.
> ...

> 15-Apr-2013 15:00:08.485 security: info: client 117.21.187.20#52538: view external: query (cache) 'hao.360.cn/A/IN' denied

The IP address mentioned in the previous mail message does not seem
to be an open recursive resolver.  That and the reference to 9.9.2-P2
suggest that RRL would be a good fit and might save CPU cycles.

I don't know whether this DNS server is recursive or authoritative,
but that log entry suggests at least "closed".  If it is closed or
authoritative, then RRL in the "external" view would automatically
save CPU cycles and bandwidth that would otherwise be spent sending
those REFUSED responses.

The best by far solution for an open recursive server being hammered
(or not yet being hammered) is to close it.  If you can't close it
and can't afford the fancy defenses of commercial open recursive
servers such as
https://developers.google.com/speed/public-dns/docs/security#rate_limit
RRL is a lot better than no defense.  The reason RRL is not recommended
for recursive servers is because RRL can slow down browsers, SMTP servers
(mail receivers), and other applications that repeat DNS requests.

See http://www.redbarn.org/dns/ratelimits


Vernon Schryver    vjs at rhyolite.com
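
An added example, not part of the original message: a Python sketch that tallies "query (cache) ... denied" lines of the kind quoted above by view, client netblock and query name, to show how concentrated the refused traffic is. The /24 and /56 block sizes are assumed to match RRL's default prefix lengths, and the sample log lines are constructed using documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Matches BIND security-category lines shaped like the one quoted in the message.
DENIED = re.compile(
    r"client (?P<ip>[^#\s]+)#\d+[^:]*: (?:view (?P<view>[^:]+): )?"
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/[^']+' denied"
)

def netblock(ip):
    """Collapse an address to its /24 (IPv4) or /56 (IPv6) block.
    Assumption: these mirror RRL's default prefix lengths."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 56
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def denied_by_block(lines):
    """Count denied cache queries per (view, client block, qname, qtype)."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if m:  # unrelated log lines are skipped
            key = (m["view"], netblock(m["ip"]), m["qname"].lower(), m["qtype"])
            counts[key] += 1
    return counts

def noisy(counts, threshold):
    """Return buckets with at least `threshold` denials, busiest first."""
    return [(k, n) for k, n in counts.most_common() if n >= threshold]

# Constructed sample input (not taken from a real server).
SAMPLE = """\
15-Apr-2013 15:00:08.485 security: info: client 192.0.2.20#52538: view external: query (cache) 'hao.360.cn/A/IN' denied
15-Apr-2013 15:00:08.491 security: info: client 192.0.2.77#1044: view external: query (cache) 'hao.360.cn/A/IN' denied
15-Apr-2013 15:00:08.502 security: info: client 192.0.2.20#52539: view external: query (cache) 'HAO.360.cn/A/IN' denied
15-Apr-2013 15:00:09.010 security: info: client 198.51.100.9#3321: view external: query (cache) 'example.com/MX/IN' denied
15-Apr-2013 15:00:09.020 general: info: zone example.com/IN: loaded serial 2013041501
"""

if __name__ == "__main__":
    for key, n in noisy(denied_by_block(SAMPLE.splitlines()), 2):
        print(n, key)
```

A few buckets holding most of the denials is the pattern where rate limiting the REFUSED responses saves the most work.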

