On 23.09.24 08:07, Peter Davies wrote:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
*From: *"Nagesh Thati" <[email protected]>
*To: *"bind-users" <[email protected]>
*Sent: *Monday, 23 September, 2024 07:48:32
*Subject: *Assistance Needed: "Too Many Records" Error When Reloading Zone `example.com`, BIND: 9.18.29
Hi BIND Community,
[...]
*`general.log` Output:*
23-Sep-2024 10:33:48.625 general: info: received control channel command 'reload example.com'
23-Sep-2024 10:33:48.625 general: debug 1: zone_startload: zone example.com/IN: enter
23-Sep-2024 10:33:48.629 general: error: dns_master_load: /var/named/zones/db.example.com:995: text.example.com: too many records
*Zone File Excerpt (Line 995):*
990 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"
991 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 211 for us-vra.example.com. created on 2024-05-28"
992 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 212 for us-vdm.example.com. created on 2024-05-28"
993 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 217 for us-twlcm-01.example.com. created on 2024-05-28"
994 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 220 for us-lcm-02.example.com. created on 2024-05-29"
*995 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 225 for us-dev-remote-50.example.com. created on 2024-05-29"*
996 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 228 for us-vdm-02.example.com. created on 2024-05-29"
997 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 230 for us-lcm-03.example.com. created on 2024-05-29"
998 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 235 for us-dev-remote-51.example.com. created on 2024-05-29"
999 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 240 for us-twlcm-02.example.com. created on 2024-05-29"
On 23.09.24 09:30, Petr Špaček wrote:
>> *Request for Assistance:*
>> 1. _Understanding the Limit:_ Is there a configurable limit in BIND that
>> restricts the number of records per zone? If so, how can we adjust this limit to
>> accommodate our current zone size?
>
> Although you can adjust the configuration to allow more records in one place, it is
> not recommended. Doing so opens the possibility of DoS attacks.
Hi Nagesh,
I think a better option would be to convert the RRs
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"
to something like
us-lcm-01.text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"
since the discovery of the real name of text.example.com (if this is requestable from
unvalidated source IP addresses; almost any source IP address on the "internet" has to be
considered unvalidated, since there is no applicable way to validate foreign source
addresses on autonomous system interconnects, yet) will make it possible to abuse these
RRs for a DoS amplification attack against third parties (the real owners of the forged
source IPs).
The attacker just needs to send requests for text.example.com IN TXT with the forged IP
of the victim, and the victim will get your hundreds of TXT records under this name from
your server for each of them.
But depending on the origin or use of these records this might be difficult. ;-)
Kind regards,
Lars
--
Lars Kollstedt
Telefon: +49 6151 16-71027
E-Mail: [email protected]
man-da.de GmbH
Dolivostraße 11
64293 Darmstadt
Sitz der Gesellschaft: Darmstadt
Registergericht: Amtsgericht Darmstadt
Handelsregisternummer: HRB 9484
Geschäftsführer: Andreas Ebert
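The two points in Lars's reply, the oversized RRset that trips the load error and the amplification it hands to a spoofed query, can both be checked before a reload. The Python below is an added example written for this page, not code from the thread, from ISC or from BIND: it parses a one-record-per-line zone, counts records per RRset, estimates the on-wire size of a `text.example.com. IN TXT` answer relative to the query that asks for it, and rewrites the TXT records under one owner to `<host>.text.example.com.` as suggested. The sample zone is constructed, `RRSET_LIMIT` is a placeholder threshold rather than a value taken from the thread or from BIND, and the host name is assumed to follow the word "for" in the rdata.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt in the thread; the hosts and
# asset IDs are made up, and the zone is deliberately tiny.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@ IN SOA ns1.example.com. hostmaster.example.com. 2024092301 7200 3600 1209600 3600
@ IN NS ns1.example.com.
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 211 for us-vra.example.com. created on 2024-05-28"
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 225 for us-dev-remote-50.example.com. created on 2024-05-29"
"""

RRSET_LIMIT = 100  # assumed threshold, not a value taken from the thread or from BIND
# Assumes one record per line: no parentheses, no multi-line records.
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:(?P<cls>IN|CH|HS)\s+)?"
    r"(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$"
)
TXT_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
HOST_RE = re.compile(r"\bfor (?P<host>[a-z0-9-]+)\.")  # assumed rdata layout


def parse_zone(text, origin="example.com."):
    """Return (owner, ttl, class, type, rdata) tuples; owners are lower-cased
    and fully qualified so '@', 'text' and 'text.example.com.' group together."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):
            continue  # $TTL and other directives do not matter for this lint
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {line!r}")
        owner = m["owner"].lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        ttl = int(m["ttl"]) if m["ttl"] else None
        records.append((owner, ttl, m["cls"] or "IN", m["type"], m["rdata"]))
    return records


def rrset_sizes(records):
    """Record count per RRset, keyed by (owner, class, type)."""
    sizes = defaultdict(int)
    for owner, _ttl, cls, rtype, _rdata in records:
        sizes[(owner, cls, rtype)] += 1
    return dict(sizes)


def oversized_rrsets(records, limit=RRSET_LIMIT):
    """RRsets above the limit: what a 'too many records' load error points at."""
    return {k: n for k, n in rrset_sizes(records).items() if n > limit}


def txt_answer_bytes(records, owner):
    """Approximate ANSWER-section bytes for <owner> IN TXT: per RR a 2-byte
    compressed name, 10 bytes of type/class/TTL/RDLENGTH, and one length byte
    plus the text of every <character-string> (escapes counted as written)."""
    total = 0
    for o, _ttl, _cls, rtype, rdata in records:
        if o == owner and rtype == "TXT":
            total += 12 + sum(1 + len(s) for s in TXT_STRING_RE.findall(rdata))
    return total


def amplification_factor(records, owner):
    """Response bytes / query bytes for a plain UDP TXT query. Both carry a
    12-byte header plus the question (wire name is len(owner) + 1, then 4
    bytes of type and class); the response adds the whole RRset, so every
    record added under one owner raises what a spoofed query can extract."""
    question = 12 + len(owner) + 1 + 4
    return (question + txt_answer_bytes(records, owner)) / question


def split_txt_by_host(records, owner):
    """Move each TXT record under <owner> to <host>.<owner>, so a single
    spoofed query no longer pulls the whole collection from the server."""
    out = []
    for o, ttl, cls, rtype, rdata in records:
        if o == owner and rtype == "TXT":
            m = HOST_RE.search(rdata)
            if not m:
                raise ValueError(f"no host name in TXT rdata: {rdata!r}")
            o = f"{m['host']}.{owner}"
        out.append((o, ttl, cls, rtype, rdata))
    return out


if __name__ == "__main__":
    rrs, owner = parse_zone(SAMPLE_ZONE), "text.example.com."
    print("oversized at limit 2 (demo):", oversized_rrsets(rrs, limit=2))
    print(f"TXT answer bytes: {txt_answer_bytes(rrs, owner)}, "
          f"amplification: x{amplification_factor(rrs, owner):.1f}")
    for rr in split_txt_by_host(rrs, owner):
        print(" ".join(str(f) for f in rr if f is not None))
```

Run it against the real file with `parse_zone(open(path).read(), origin=...)` and the threshold your server actually enforces. With only three short records the sample answer is already close to ten times the size of the query; the ratio grows with every record added under the same owner, which is the property an amplification attacker is after. The rewrite changes the names clients have to query, so it only helps if whatever consumes these TXT records can be pointed at the per-host names, which is the caveat Lars ends on.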
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users