Hi

You might use in /etc/bind/named.conf.options, e.g.:

rate-limit { responses-per-second 10; nxdomains-per-second 2; errors-per-second 5; };

That is, with values below the defaults, as your BIND is already rate limiting, as shown in the logs.

You might also shorten the default window of observance, which is 15 seconds, maybe too long for your link saturation problem.

For more options see https://bind9.readthedocs.io/en/v9.18.19/reference.html#namedconf-statement-rate-limit

Regards,

Carlos Horowicz
Planisys

On 02/11/2023 05:58, Mosharaf Hossain wrote:
Hello Folks
I have come across a challenge with our BIND nameserver, specifically related to a "DNS NXDOMAIN flood" problem. Despite upgrading the BIND version from 9.10 to 9.18, the issue persists.

The attack originates from an external network, and it periodically saturates our entire internet bandwidth. While we've implemented various measures to combat the attack, it continues to be a significant problem, rendering our DNS server incapable of resolving queries during these onslaughts.

Current DNS server spec:
OS Debian 12
BIND: BIND 9.18.19-1~deb12u1-Debian (Extended Support Version) <id:>

DNS NXDOMAIN flood sample log:

Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7d2c1768 47.74.84.139#28827 (bearnote.primebank.com.bd): rate limit drop NXDOMAIN response to 47.74.84.0/24 for primebank.c>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce720cdd68 192.221.176.14#34882 (2014-06-24.pRiMEBANK.cOM.BD): rate limit drop NXDOMAIN response to 192.221.176.0/24 for prim>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce65cb9d68 74.125.187.132#53017 (HUbBY.PRimEBaNK.cOm.bD): rate limit drop NXDOMAIN response to 74.125.187.0/24 for primebank.>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce90fdb768 172.217.47.5#65160 (GEoVIsIOn.PrimeBAnk.COm.bD): rate limit drop NXDOMAIN response to 172.217.47.0/24 for primeban>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce99901b68 77.59.227.211#61265 (lanyware.primebank.com.bd): rate limit slip NXDOMAIN response to 77.59.227.0/24 for primebank>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7ee5cd68 1.20.200.152#37953 (debianmeetingresume200809-kansai.primebank.com.bd): rate limit slip NXDOMAIN response to 1.20.>
Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce69846968 162.158.207.78#44948 (stacking.primebank.com.bd): rate limit drop NXDOMAIN response to 162.158.207.0/24 for primeb>




Regards
Mosharaf Hossain
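As an added example (not from either poster), the following script summarizes BIND RRL "rate limit drop/slip" log lines of the kind shown above, so an operator can see which /24 prefixes are being limited, how many distinct (case-randomized) names each prefix queried, and the peak number of limited NXDOMAIN responses logged in one second; the sample log lines are constructed, and the trailing ">" on some of them mimics the journalctl truncation visible in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of BIND 9 RRL log messages (addresses, names and
# zone are made up); the trailing ">" mimics journalctl truncating long lines.
SAMPLE_LOG = """\
Nov 02 09:00:23 ns1.example.net named[2202594]: client @0x7fce7d2c1768 198.51.100.7#28827 (abc.example.test): rate limit drop NXDOMAIN response to 198.51.100.0/24 for example.te>
Nov 02 09:00:23 ns1.example.net named[2202594]: client @0x7fce720cdd68 198.51.100.9#34882 (xYz.ExAmPlE.tEsT): rate limit drop NXDOMAIN response to 198.51.100.0/24 for example.test
Nov 02 09:00:23 ns1.example.net named[2202594]: client @0x7fce65cb9d68 203.0.113.5#53017 (qrs.example.test): rate limit slip NXDOMAIN response to 203.0.113.0/24 for example.test
Nov 02 09:00:24 ns1.example.net named[2202594]: client @0x7fce90fdb768 203.0.113.9#65160 (def.example.test): rate limit drop NXDOMAIN response to 203.0.113.0/24 for example.test
Nov 02 09:00:24 ns1.example.net named[2202594]: client @0x7fce99901b68 198.51.100.12#61265 (ghi.example.test): rate limit slip NXDOMAIN response to 198.51.100.0/24 for exampl>
Nov 02 09:00:24 ns1.example.net named[2202594]: some unrelated message
"""

# Field layout of an RRL log line; the zone may be cut short by truncation.
RRL_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ named\[\d+\]: client @0x[0-9a-f]+ "
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): rate limit "
    r"(?P<action>drop|slip) (?P<rtype>\S+) response to (?P<prefix>\S+) for (?P<zone>[^>\s]*)"
)

def parse_rrl_line(line):
    """Return the fields of one RRL log line, or None if it is not an RRL message."""
    m = RRL_RE.match(line)
    return m.groupdict() if m else None

def summarize_rrl(log_text):
    """Aggregate NXDOMAIN drop/slip events per client prefix and per second."""
    per_prefix = defaultdict(Counter)       # prefix -> Counter(drop=.., slip=..)
    names_per_prefix = defaultdict(set)     # distinct queried names per prefix
    per_second = Counter()                  # timestamp -> limited responses logged
    for line in log_text.splitlines():
        ev = parse_rrl_line(line)
        if ev is None or ev["rtype"] != "NXDOMAIN":
            continue
        per_prefix[ev["prefix"]][ev["action"]] += 1
        # Lower-case so 0x20 case randomization does not inflate the name count.
        names_per_prefix[ev["prefix"]].add(ev["qname"].lower())
        per_second[ev["ts"]] += 1
    return {
        "per_prefix": {p: dict(c) for p, c in per_prefix.items()},
        "distinct_names": {p: len(s) for p, s in names_per_prefix.items()},
        "peak_per_second": max(per_second.values(), default=0),
    }

if __name__ == "__main__":
    for key, value in summarize_rrl(SAMPLE_LOG).items():
        print(key, value)
```

Many distinct never-seen names per prefix together with a high peak of limited NXDOMAIN responses is the signature of a random-subdomain flood; the per-prefix counts show how far above the configured nxdomains-per-second the offending prefixes are.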

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users