2011/9/26 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>> 2011/9/23 Kevin Darcy <k...@chrysler.com>:
>>>
>>> NXDOMAIN is a *permanent* response; at least it's "permanent" in the
>>> absence of any change to the relevant DNS RRset or zone.
>>>
>>> You're almost certainly getting the NXDOMAIN because you're spoofing the
>>> root servers, and your "fake" root servers don't have the same knowledge
>>> as the real ones, so they'll return NXDOMAIN for some queries (whereas dig
>>> +trace does not, because it follows the hierarchy down and asks different
>>> nameservers). In other words, you're shooting yourself in the foot with
>>> your hints-file trickery.
>
> On 23.09.11 08:49, Drunkard Zhang wrote:
>>
>> No, I got 2 layers of DNS, recursive resolution DNS and dns-cache
>> which forward all its queries to recursive DNS.
>
> Why? Can't your "recursive resolution DNS" cache records?
There are a lot of abnormal queries from users (we have about 0.4 million users); to avoid script kiddies' attacks or buggy programs, I designed 2 layers, and the dns-caches take most of the traffic. Again, spoofing of root-servers on the dns-cache is for the same reason. Here are the high-traffic hour's queries to root-servers, which look normal; it could be billions of times when attacked.

log2 /gwbn/dns/20110925 # grep \.root-servers.net 20110925_21
1981381 a.root-servers.net A
2 m.root-servers.net A
1 k.root-servers.net A
1 j.root-servers.net A
1 g.root-servers.net A
1 f.root-servers.net A
1 c.root-servers.net A
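As an added illustration (not from the thread, and not ISC's own configuration), here is a minimal BIND named.conf sketch of the two-layer layout discussed above, written so that the front-end dns-cache forwards every query to the back-end recursive resolver and carries no root hints of its own, while only the recursive resolver holds the real root hints. With `forward only` the cache never attempts iterative resolution, so there is no hints file on that layer to diverge from the real root and produce spurious NXDOMAINs. The IP addresses, network ranges and file paths are placeholders, and the two `options` blocks belong to two separate named.conf files, one per layer.

```conf
// File 1: /etc/named.conf on the front-end "dns-cache" layer
// (constructed example; addresses and paths are placeholders)
options {
    directory "/var/named";
    recursion yes;
    allow-query { 10.0.0.0/8; };        // only the provider's own users
    // Hand every query to the back-end recursive resolvers and never fall
    // back to iterative resolution, so no root hints are needed on this box.
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
    // Negative answers (NXDOMAIN) are cached as well; cap that lifetime
    // (seconds) so a bad negative answer does not linger for hours.
    max-ncache-ttl 300;
};

// File 2: /etc/named.conf on the back-end recursive resolver
// (constructed example; addresses and paths are placeholders)
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };  // only the front-end caches may recurse here
    max-ncache-ttl 300;
};

// Real root hints on the recursive layer only, fetched from the published
// named.root distribution and refreshed periodically, not a local "spoofed" copy.
zone "." {
    type hint;
    file "named.root";
};
```

The trade-off of `forward only` is that the cache layer cannot resolve anything when all of its forwarders are unreachable, so list at least two recursive resolvers and monitor them; the abusive-traffic absorption the thread describes still happens at the cache layer, because repeated queries for the same names are answered from its cache (including negative cache) without reaching the recursive resolver.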