allow-recursion slowing server to crawl
Mark Andrews
marka at isc.org
Wed Feb 27 23:18:55 UTC 2013
I suspect this is just logging. Send the security channel to null;
for a while. Once your server gets off the "I'm a recursive reflector"
lists you can turn it on again.
In message <512E7940.7060003 at argontech.net>, "Marco C. Coelho" writes:
>
> I discovered my bind 9 server was being used in a DDOS attack so I
> decided (late) to block outside networks from making recursive
> requests. The problem is every time I enable this, the time for DNS
> queries goes from 0-1ms to 2000-6000ms or just times out completely.
> The options section is below. I've commented it out so as to enable my
> network to run.
>
> There are thousands of my clients that need recursion from this server.
> It is also authoritative for many domains.
>
> There is a semi busy mail server on this same box that uses DNS as well.
>
> I googled this to death with no real suggestions. I've tried it with
> ACL and without.
>
> Any suggestions would be appreciated.
>
> Marco
>
> acl "internal" {
> 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
> };
>
> options {
> directory "/var/named";
> /*
> * If there is a firewall between you and nameservers you want
> * to talk to, you might need to uncomment the query-source
> * directive below. Previous versions of BIND always asked
> * questions using port 53, but BIND 8.1 uses an unprivileged
> * port by default.
> */
> // query-source address * port 53;
> recursive-clients 1000;
> recursion yes;
> //allow-query { any; };
> //allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost"; };
> //allow-recursion { "internal"; };
> //allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost"; };
> listen-on-v6 { none; };
> listen-on { 24.202.224.2; };
> version "8.2.3-REL";
> };
>
> --
> Argon Technologies Inc.
> Marco Coelho, President, CEO
> POB 875
> 4612 Wesley St.
> Greenville, TX 75402
> 903-455-5036
> 903-455-2115 Fax
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
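
The advice in the reply above, written out as a named.conf fragment. This is an added example, not configuration posted by either participant: it reuses the "internal" ACL and option values from the quoted message, and the `logging` block is an assumption about how the suggestion would be applied on this server.

```conf
// Added example for named.conf; not from the original thread.
acl "internal" {
    24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
};

options {
    directory "/var/named";
    recursion yes;
    recursive-clients 1000;
    // Only the listed networks get recursion and cached answers.
    // allow-query is left at its default (any), so the authoritative
    // zones on this server are still answered for outside clients.
    allow-recursion   { "internal"; };
    allow-query-cache { "internal"; };
    listen-on-v6 { none; };
    listen-on { 24.202.224.2; };
};

logging {
    // Each refused outside query is reported as "denied" in the
    // security category. Discard that category while the server is
    // still receiving reflection traffic, so the volume of log
    // writes cannot slow query handling.
    category security { null; };
};
```

`named-checkconf` validates the file before reloading; removing the `category security` line later returns the category to its default logging.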