DNS NXDOMAIN flood

Mosharaf Hossain mosharaf.hossain at bol-online.com
Thu Nov 2 04:58:34 UTC 2023 

Hello Folks
I have come across a challenge with our BIND nameserver, specifically
related to a "*DNS NXDOMAIN flood*" problem. Despite upgrading the BIND
version from 9.10 to 9.18, the issue persists.

The attack originates from an external network, and it periodically
saturates our entire internet bandwidth. While we've implemented various
measures to combat the attack, it continues to be a significant problem,
rendering our DNS server incapable of resolving queries during these
onslaughts.

Current DNS server spec:
OS Debian 12
BIND: BIND 9.18.19-1~deb12u1-Debian (Extended Support Version) <id:>


*DNS NXDOMAIN flood Sample log:*
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7d2c1768
47.74.84.139#28827 (bearnote.primebank.com.bd): rate limit drop NXDOMAIN
response to 47.74.84.0/24 for primebank.c>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce720cdd68
192.221.176.14#34882 (2014-06-24.pRiMEBANK.cOM.BD): rate limit drop
NXDOMAIN response to 192.221.176.0/24 for prim>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce65cb9d68
74.125.187.132#53017 (HUbBY.PRimEBaNK.cOm.bD): rate limit drop NXDOMAIN
response to 74.125.187.0/24 for primebank.>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce90fdb768
172.217.47.5#65160 (GEoVIsIOn.PrimeBAnk.COm.bD): rate limit drop NXDOMAIN
response to 172.217.47.0/24 for primeban>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce99901b68
77.59.227.211#61265 (lanyware.primebank.com.bd): rate limit slip NXDOMAIN
response to 77.59.227.0/24 for primebank>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7ee5cd68
1.20.200.152#37953 (debianmeetingresume200809-kansai.primebank.com.bd):
rate limit slip NXDOMAIN response to 1.20.>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce69846968
162.158.207.78#44948 (stacking.primebank.com.bd): rate limit drop NXDOMAIN
response to 162.158.207.0/24 for primeb>




Regards
Mosharaf Hossain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20231102/ea4654fe/attachment.htm>

More information about the bind-users mailing list