allow-recursion slowing server to crawl

Mark Andrews marka at isc.org
Wed Feb 27 23:18:55 UTC 2013 

I suspect this is just logging. send the security channel to null;
for a while.  Once your server gets off the I'm a recursive reflector
lists you can turn it on again.

In message <512E7940.7060003 at argontech.net>, "Marco C. Coelho" writes:
> 
> I discovered my bind 9 server was being used in a DDOS attack so I 
> decided (late) to block outside networks from making recursive 
> requests.  The problem is every time I enable this, the time for DNS 
> queries goes from 0-1ms to 2000-6000ms or just times out completely.  
> The options section is below. I've commented it out so as to enable my 
> network to run.
> 
> There are thousands of my clients that need recursion from this server.  
> It is also authoritative for many domains.
> 
> There is a semi busy mail server on this same box that uses DNS as well.
> 
> I googled this to death with no real suggestions.  I've tried it with 
> ACL and without.
> 
> Any suggestions would be appreciated.
> 
> Marco
> 
> acl "internal" {
>    24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
> };
> 
> options {
>    directory "/var/named";
>    /*
>     * If there is a firewall between you and nameservers you want
>     * to talk to, you might need to uncomment the query-source
>     * directive below.  Previous versions of BIND always asked
>     * questions using port 53, but BIND 8.1 uses an unprivileged
>     * port by default.
>     */
>    // query-source address * port 53;
>    recursive-clients 1000;
>    recursion yes;
>    //allow-query { any; };
>    //allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; 
> "localnets"; "localhost"; };
>    //allow-recursion { "internal"; };
>    //allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; 
> "localnets"; "localhost"; };
>    listen-on-v6 { none; };
>    listen-on { 24.202.224.2; };
>    version "8.2.3-REL";
> };
> 
> -- 
> Argon Technologies Inc.
> Marco Coelho, President, CEO
> POB 875
> 4612 Wesley St.
> Greenville, TX 75402
> 903-455-5036
> 903-455-2115 Fax
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list