Same here. Multi/redundant DNS servers do not help, the culprit recursive query being sent multiple times by client as each DNS server falls in turn. And multi-$$$$ firewall/IPS doesn't help catching the faulty packets :-(
I may state the obvious, but only workaround so far is (already saved the night a few times):

$ cat /etc/cron.d/cve-2017-3137
# Make sure BIND9 has not crashed (cf. CVE-2017-3137)
* * * * * root pgrep named >/dev/null || service bind9 restart

(not so elegant however)

Any hope Debian/Stable BIND gets patched? (that's a pretty severe DoS vulnerability we have here)

Thanks and sincerely,

Cédric
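
An added example, not part of the original message: the same cron workaround as a script that also records every restart, so the crash rate is visible to monitoring instead of being hidden by the silent restart. The state-file path, the hourly threshold, the syslog tag and the script path are assumptions; the check and restart commands are the ones from the cron line above.

```shell
#!/bin/sh
# Added example, not from the original post: restart named like the cron
# line does, but record each restart so the crash rate stays visible.
# STATE_FILE, MAX_PER_HOUR and LOG_CMD are assumptions; adjust locally.
: "${CHECK_CMD:=pgrep named}"                 # liveness check from the post
: "${RESTART_CMD:=service bind9 restart}"     # restart command from the post
: "${STATE_FILE:=/var/tmp/named-watchdog.state}"
: "${MAX_PER_HOUR:=5}"
: "${LOG_CMD:=logger -t named-watchdog}"

# Print how many restarts were recorded in the hour before epoch $1.
recent_restarts() {
    [ -f "$STATE_FILE" ] || { echo 0; return 0; }
    awk -v now="$1" '$1 > now - 3600 { n++ } END { print n + 0 }' "$STATE_FILE"
}

# One pass. Returns 0: named running; 1: restarted;
# 2: restarted and the hourly count exceeds MAX_PER_HOUR (escalate).
watchdog_tick() {
    now=${1:-$(date +%s)}
    if $CHECK_CMD >/dev/null 2>&1; then
        return 0
    fi
    echo "$now restart" >> "$STATE_FILE"
    $RESTART_CMD >/dev/null 2>&1 ||
        $LOG_CMD -p daemon.err "restart command failed" 2>/dev/null || true
    count=$(recent_restarts "$now")
    if [ "$count" -gt "$MAX_PER_HOUR" ]; then
        $LOG_CMD -p daemon.crit "named restarted $count times in 1h" 2>/dev/null || true
        return 2
    fi
    $LOG_CMD -p daemon.warning "named was down, restarted" 2>/dev/null || true
    return 1
}

# Cron entry point: "* * * * * root /usr/local/sbin/named-watchdog run"
# (the script path is a placeholder).
if [ "${1:-}" = "run" ]; then
    watchdog_tick || true
fi
```

The watchdog always restarts named, since refusing to restart would only prolong the outage; the threshold changes the syslog priority so that a sustained run of crashes can be alerted on.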