allow-recursion slowing server to crawl

Vernon Schryver vjs at rhyolite.com
Thu Feb 28 00:31:26 UTC 2013


> From: "Marco C. Coelho"

> Mark Andrews was right.
> This server was being hammered so hard that logging the rejects was 
> killing the performance.
> adding:
> logging {
>    category default { null; };
>    //category lame-servers { null; };
> };


> On 2/27/2013 5:18 PM, Mark Andrews wrote:
> > I suspect this is just logging. send the security channel to null;
> > for a while.  Once your server gets off the I'm a recursive reflector
> > lists you can turn it on again.

> >> I discovered my bind 9 server was being used in a DDOS attack so I
> >> decided (late) to block outside networks from making recursive
> >> requests.  The problem is every time I enable this, the time for DNS
> >> queries goes from 0-1ms to 2000-6000ms or just times out completely.

> >> There are thousands of my clients that need recursion from this server.
> >> It is also authoritative for many domains.
> >>
> >> There is a semi busy mail server on this same box that uses DNS as well.

Turning off recursion for outsiders while allowing them authoritative
responses might not entirely stop the use of a DNS server in reflection
attacks.  If the server is one of the ones I suspect, then even with
recursion for outsiders turned off, it remains useful for about 6X
amplification in a reflection attack.  That's enough lower than the
10X or even 50X available from some others that the bad guys might
demote it.  However, many of those have been fixed or are being fixed.

To really stop the reflection DoS problem, I would install a current version
of BIND and then the RRL patch with RRL enabled for external DNS clients
and disabled for internal clients.  See http://www.redbarn.org/dns/ratelimits

If RRL is too radical or can't be installed immediately, I'd still
get away from BIND8.  See https://www.isc.org/software/bind/security
and https://www.isc.org/software/bind8/security/matrix
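A named.conf sketch of the split described above, combining the quieted logging channel with a recursion-only internal view and a rate-limited authoritative external view. This is an added example, not configuration from anyone in the thread or from ISC; the address ranges, zone name, file name and rate values are placeholders, and the rate-limit block requires a BIND with RRL built in (9.9.4 and later, or the patch linked above).

```conf
// Placeholder address ranges: the networks whose clients need recursion.
acl "internal" { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };

options {
    // Deny recursion globally; the internal view re-enables it below.
    recursion no;
};

logging {
    // Under a reflection flood, logging every refused query hurts more
    // than it helps. Send the security channel to null for now.
    category security { null; };
};

// Internal clients: full recursion, no rate limiting.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };

    // Placeholder zone; served authoritatively to both views.
    zone "example.com" { type master; file "example.com.db"; };
};

// Everyone else: authoritative answers only, with RRL enabled.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    rate-limit {
        // Identical responses per /24 (IPv4) or /56 (IPv6) per second.
        responses-per-second 5;
        // Let one in two dropped responses through as a truncated
        // reply so legitimate clients can retry over TCP.
        slip 2;
        window 5;
        // Set to "yes" first to observe what would be dropped.
        log-only no;
    };

    zone "example.com" { type master; file "example.com.db"; };
};
```

If views are not wanted, a single `rate-limit` block with `exempt-clients { internal; };` exempts the internal networks instead.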


Vernon Schryver    vjs at rhyolite.com



More information about the bind-users mailing list