allow-recursion slowing server to crawl

Mark Andrews marka at isc.org
Thu Feb 28 00:59:09 UTC 2013


In message <512E97AA.2020207 at argontech.net>, "Marco C. Coelho" writes:
> Just so the list has the same answer,
> 
> Mark Andrews was right.
> This server was being hammered so hard that logging the rejects was 
> killing the performance.
> adding:
> logging {
>    category default { null; };
>    //category lame-servers { null; };
> };
> 
> to named.conf fixed the performance issues.

That was a bit of overkill.  I said kill the security category, not every
category.   When you do that you are driving blind.

	category security { null; };
 
> mc
> 
> On 2/27/2013 5:18 PM, Mark Andrews wrote:
> > I suspect this is just logging.  Send the security channel to null;
> > for a while.  Once your server gets off the I'm a recursive reflector
> > lists you can turn it on again.
> >
> > In message <512E7940.7060003 at argontech.net>, "Marco C. Coelho" writes:
> >> I discovered my bind 9 server was being used in a DDOS attack so I
> >> decided (late) to block outside networks from making recursive
> >> requests.  The problem is every time I enable this, the time for DNS
> >> queries goes from 0-1ms to 2000-6000ms or just times out completely.
> >> The options section is below. I've commented it out so as to enable my
> >> network to run.
> >>
> >> There are thousands of my clients that need recursion from this server.
> >> It is also authoritative for many domains.
> >>
> >> There is a semi busy mail server on this same box that uses DNS as well.
> >>
> >> I googled this to death with no real suggestions.  I've tried it with
> >> ACL and without.
> >>
> >> Any suggestions would be appreciated.
> >>
> >> Marco
> >>
> >> acl "internal" {
> >>     24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
> >> };
> >>
> >> options {
> >>     directory "/var/named";
> >>     /*
> >>      * If there is a firewall between you and nameservers you want
> >>      * to talk to, you might need to uncomment the query-source
> >>      * directive below.  Previous versions of BIND always asked
> >>      * questions using port 53, but BIND 8.1 uses an unprivileged
> >>      * port by default.
> >>      */
> >>     // query-source address * port 53;
> >>     recursive-clients 1000;
> >>     recursion yes;
> >>     //allow-query { any; };
> >>     //allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost"; };
> >>     //allow-recursion { "internal"; };
> >>     //allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost"; };
> >>     listen-on-v6 { none; };
> >>     listen-on { 24.202.224.2; };
> >>     version "8.2.3-REL";
> >> };
> >>
> >> -- 
> >> Argon Technologies Inc.
> >> Marco Coelho, President, CEO
> >> POB 875
> >> 4612 Wesley St.
> >> Greenville, TX 75402
> >> 903-455-5036
> >> 903-455-2115 Fax
> >>
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> >>  from this list
> >>
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
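For reference, here is the combination of the two fixes the thread converges on, written out as one complete named.conf fragment. This is an added example, not configuration posted by either Marco or Mark: it keeps Marco's "internal" ACL and the addresses from his options block, enables the commented-out allow-recursion and allow-query-cache restrictions so only that ACL can recurse or read the cache (authoritative answers stay open to everyone), and follows Mark's advice to silence only the security category rather than default. The log file path under the security channel is an assumed placeholder, and the versions/size values are illustrative.

```conf
// ACL taken from the original post: the networks allowed to use this
// server as a resolver.
acl "internal" {
    24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
};

options {
    directory "/var/named";
    recursion yes;
    recursive-clients 1000;

    // Authoritative data must stay answerable from anywhere.
    allow-query { any; };

    // Only our own clients may recurse or read cached answers; everyone
    // else gets REFUSED, which is what stops the reflection abuse.
    allow-recursion   { "internal"; };
    allow-query-cache { "internal"; };

    listen-on { 24.202.224.2; };
    listen-on-v6 { none; };
    version "8.2.3-REL";
};

logging {
    // Dedicated channel for the security category (denied queries etc.).
    // Path and rotation settings are assumed placeholders.
    channel security_file {
        file "/var/named/log/security.log" versions 3 size 20m;
        severity info;
        print-time yes;
    };

    // While the server is still being flooded, use { null; } here instead,
    // as Mark suggests; switch back to the file once the flood subsides so
    // denied queries are visible again.
    category security { security_file; };

    // Everything else keeps going to syslog: do not null the default
    // category, or you are driving blind.
    category default { default_syslog; };
};
```

Run `named-checkconf` against the file before reloading with `rndc reload`; a syntax error in the logging block would otherwise take the resolver down for the thousands of clients that depend on it.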


