Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
On Tue, 2013-04-16 at 05:27 -0400, Barry Margolin wrote:

In article mailman.130.1366101804.20661.bind-us...@lists.isc.org, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

they apparently expect your nameserver to provide recursive DNS service for your company while it may not be intended for that use... some customers (well, not only customers...) do not understand the difference between authoritative and recursive DNS service and may try to use servers for purpose not intended. Some may also complain if the service does not work properly

If they were using his server as a resolver, wouldn't he see queries for lots of random hostnames (including popular domains like www.google.com, www.yahoo.com, etc.), not just isc.org?

This seems like some attack going on. After reading the mails I also checked my recursive server and found a lot of these in my logs:

16-Apr-2013 11:31:35.743 security: info: client 101.226.167.13#55818: query (cache) 'xliar.com/A/IN' denied
16-Apr-2013 11:31:35.776 security: info: client 101.226.167.13#53710: query (cache) 'www.baidu.com/A/IN' denied
16-Apr-2013 11:31:35.813 security: info: client 182.118.40.31#42505: query (cache) 'www.baidu.com/A/IN' denied
16-Apr-2013 11:31:36.187 security: info: client 220.181.156.90#59278: query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.225 security: info: client 220.181.156.90#50194: query (cache) 'www.360.cn/A/IN' denied
16-Apr-2013 11:31:36.253 security: info: client 220.181.156.90#33551: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.574 security: info: client 182.118.40.31#36470: query (cache) 'xliar.com/A/IN' denied
16-Apr-2013 11:31:36.587 security: info: client 182.118.40.31#51191: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.691 security: info: client 117.21.187.20#47169: query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.705 security: info: client 183.60.211.65#32809: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.722 security: info: client 117.21.187.20#54942: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.733 security: info: client 117.21.187.20#50493: query (cache) 'down.360.cn/A/IN' denied
16-Apr-2013 11:31:36.761 security: info: client 182.118.40.31#54391: query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.762 security: info: client 120.128.6.42#56439: query (cache) 'down.360.cn/A/IN' denied
16-Apr-2013 11:31:36.798 security: info: client 120.128.6.42#52172: query (cache) 'www.360.cn/A/IN' denied

My server is not an open recursive server; it's only open to my clients, and these are not even from my country.

Kebba

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
On Tue, 2013-04-16 at 13:00 +0100, Phil Mayers wrote:

On 16/04/13 12:41, Kebba Foon wrote:

my server is not an open recursive server its only open to my clients and these are not even from my country.

You're right, it's probably a spoofed-source DNS amplification attack. If your DNS server isn't open (good to hear) you could consider just ACLing it at your network border. Alternatively, you could consider the RRL patches to bind.

This definitely looks like an attack; it's the same thing on both my recursive servers. I just checked the other one now and saw the same queries.
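The denied cache queries quoted in this thread can be tallied per client to see which sources generate the load and which names they ask for. This is an added example, not code from the thread or from BIND; it assumes the `security: info: ... query (cache) ... denied` line format shown in the messages above, runs on constructed sample lines with documentation addresses, and its function names and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the thread; the client addresses
# are documentation ranges (RFC 5737), not the ones from the original logs.
SAMPLE_LOG = """\
16-Apr-2013 11:31:35.743 security: info: client 192.0.2.13#55818: query (cache) 'example.com/A/IN' denied
16-Apr-2013 11:31:35.776 security: info: client 192.0.2.13#53710: query (cache) 'www.example.net/A/IN' denied
16-Apr-2013 11:31:35.813 security: info: client 198.51.100.31#42505: query (cache) 'www.example.net/A/IN' denied
16-Apr-2013 11:31:36.187 security: info: client 203.0.113.90#59278: query (cache) 'a.example.org/A/IN' denied
16-Apr-2013 11:31:36.225 security: info: client 203.0.113.90#50194: query (cache) 'www.example.org/A/IN' denied
16-Apr-2013 11:31:36.253 security: info: client 203.0.113.90#33551: query (cache) 'www.example.com/A/IN' denied
16-Apr-2013 11:31:36.574 security: info: client 198.51.100.31#36470: query (cache) 'example.com/A/IN' denied
16-Apr-2013 11:31:36.587 security: info: client 198.51.100.31#51191: query (cache) 'www.example.com/A/IN' denied
16-Apr-2013 11:31:40.000 general: error: isc_socket_create: fcntl/reserved: Too many open files
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/\w+' denied$"
)

def parse_denied(lines):
    """Yield (timestamp, client_ip, qname) for each denied cache query."""
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:  # other categories (e.g. general: error) are skipped
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["qname"].lower()

def summarize(lines):
    """Per client: denied count, per-name counts, queries/second (lone hit: rate = count)."""
    seen = defaultdict(lambda: {"names": Counter(), "times": []})
    for ts, ip, qname in parse_denied(lines):
        seen[ip]["names"][qname] += 1
        seen[ip]["times"].append(ts)
    report = {}
    for ip, s in seen.items():
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        count = len(s["times"])
        report[ip] = {"count": count, "names": dict(s["names"]),
                      "rate": count / span if span > 0 else float(count)}
    return report

def noisy_clients(report, min_count=3, min_rate=2.0):
    """Clients at or above both thresholds (threshold values are assumptions)."""
    return sorted(ip for ip, s in report.items()
                  if s["count"] >= min_count and s["rate"] >= min_rate)

if __name__ == "__main__":
    for ip in noisy_clients(summarize(SAMPLE_LOG.splitlines())):
        print(ip)
```

If the sources are spoofed, as suggested in the reply above, the client addresses in the tally are likely the targets of the reflected traffic rather than the real senders, so the output is better suited to sizing a border ACL or a rate limit than to attributing the queries.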
limiting number of recursion/queries per IP address
Dear List,

Is it possible to limit the number of recursion/queries per IP address? There is some kind of virus that's bombarding my DNS servers with a lot of queries. I realize that whenever the total number of recursion clients reaches 1000, DNS resolution stops working. I have increased the recursive-clients to 1 but still this does not help. I have also increased the number of max open files on my OS, which at one point was complaining about too many open files. Can someone please direct me to how best to solve this problem? It's some kind of DDOS.

Thanks
Kebba
RE: limiting number of recursion/queries per IP address
On Tue, 2010-10-26 at 15:22 -0400, Todd Snyder wrote:

What version of bind, on what OS?

I use Debian 5.0 with bind 9.6-ESV-R1, but I also thought that the OS might have some security holes, so I tried FreeBSD 8.1 with BIND 9.7.1, but I still have the same problems.

here may be some things you can do with iptables to limit connections http://www.debian-administration.org/articles/187

I will just look into these but it done thing iptables will be the ideal solution.

I don't recall seeing anything native to BIND that would allow for limits per src.

t.
Re: DNS issue
On Sun, 2010-08-29 at 10:22 +0100, Agarwal Vivek-RNGB36 wrote:

Hi All

I am using ISC-BIND 9.3.4 as a DNS Server. I'm facing an issue that I'm getting a lot of queries like Root: type NS, class IN. This is leading to high CPU utilization of my system. Can anyone help me with how I can solve this issue and why these requests will be coming?

Regards
Vivek Aggarwal

Try to use an access list on your bind.
Re: recursing stop at about 1000 clients
Thanks for the tips. I once saw these errors in my log file, too many files open, but I fixed that by setting ulimit -n 1824. I will try to download the bind-9.7.1-P2.

On Sun, 2010-07-18 at 08:20 +1000, Noel Butler wrote:

On Fri, 2010-07-16 at 08:41 +, Kebba Foon wrote:

am running 9.6-ESV-R1 on Debian 5.0 lenny

You might need to ensure your operating system can handle more than 1024 file descriptors as it sounds like it is not, but the logs should reflect this, this could be your problem, if it's not, then, I can see no reason for this, although I do not use debian, I suggest you grab the latest source and stop using antiquated deb packages, most people I know who are even 'fanatical debian nuts', resolve their problems right away by using the source.

ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz and try that.

BTW, as you're using Evolution, hitting Control-L will set up a reply to list :)

Cheers
Re: recursing stop at about 1000 clients
I did; I set my recursive-clients to 1 but it does not help.

On Thu, 2010-07-15 at 20:21 +1000, Noel Butler wrote:

UDP
recursing stop at about 1000 clients
Hi List,

I have been having issues with my DNS server for a while now; my server suddenly stops answering queries. I notice that this happens whenever my recursive clients number more than a thousand, as per the result of rndc status. Any help with this will be highly welcome.

Thanks
Kebba
Re: Bind DNS server not resloving
On Thu, 2010-07-08 at 10:37 +0200, Matus UHLAR - fantomas wrote:

Hello, please, if you are writing a new post, send it as new mail and not as reply/followup on old mail. It makes people with threading clients angry and they can also in such case miss your e-mail. Thank you.

On 07.07.10 20:43, Kebba Foon wrote:

Subject: Bind DNS server not resloving
From: Kebba Foon kebba.f...@qcell.gm
To: bind-us...@isc.org
In-Reply-To: 1278507529.20977.20.ca...@hoth.netnod.se
References: 1278501226.20977.7.ca...@hoth.netnod.se 20100707124157.190...@gmx.net 1278507529.20977.20.ca...@hoth.netnod.se
Date: Wed, 07 Jul 2010 20:43:29 +

I have been experiencing DNS resolution problems these past few days, if i run nslookup i get this error:

;; connection timed out; no servers could be reached

with dig +trace i get:

; DiG 9.6-ESV-R1 @my ns server ip espn.com +trace

Combining +trace and @server is useless, either you want to trace, or you want to query specified server.

I don't want to query a specific server; this is my cache server that I can't run any query from. I am trying to figure out why I can't query using my server.

;; connection timed out; no servers could be reached

am not sure exactly what is causing these time outs, the strange thing is that it works sometimes for a brief time and stop.

apparently the server does not answer, or it does not get answers (but I think in the latter case it sends SERVFAIL).

my server is Debian 5.0 lenny and the bind version running on it is 9.9.6-ESV-R1.

9.6.ESV-R1 you mean.

Yes, I meant 9.6.ESV-R1, but I upgraded to 9.7.1 yesterday.
Bind DNS server not resloving
Hi

I have been experiencing DNS resolution problems these past few days. If I run nslookup I get this error:

;; connection timed out; no servers could be reached

With dig +trace I get:

; DiG 9.6-ESV-R1 @my ns server ip espn.com +trace
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I am not sure exactly what is causing these timeouts; the strange thing is that it works sometimes for a brief time and then stops. The network does not seem to be the problem, as I can run a traceroute from the server and also if I run a traceroute from dnsstuff.com.

My server is Debian 5.0 lenny and the bind version running on it is 9.9.6-ESV-R1. Any help will be greatly appreciated.

Thanks
error: isc_socket_create: fcntl/reserved: Too many open files
Hi list,

I keep having this error repeatedly on my bind 9.5.1-P3 and it crashes my server. I am using debian lenny 5.0 and there is no upgrade for bind in their repository. Any help? Thanks

07-Jun-2010 17:04:08.058 general: error: isc_socket_create: fcntl/reserved: Too many open files
07-Jun-2010 17:04:08.075 general: error: isc_socket_create: fcntl/reserved: Too many open files
07-Jun-2010 17:04:08.150 general: error: isc_socket_create: fcntl/reserved: Too many open files
07-Jun-2010 17:04:08.156 general: error: isc_socket_create: fcntl/reserved: Too many open files
07-Jun-2010 17:04:08.163 general: error: isc_socket_create: fcntl/reserved: Too many open files
07-Jun-2010 17:04:08.180 general: error: isc_socket_create: fcntl/reserved: Too many open files
07-Jun-2010 17:04:08.189 general: error: isc_socket_create: fcntl/reserved: Too many open files

Kebba
bind security: warning
Dear list,

I am using BIND 9.5.1-P3. Recently I have been having lots of issues with my cache server. At one point it was not resolving any queries. Please help; this is the log that keeps showing up on my server:

04-Jun-2010 19:20:47.200 security: warning: client 41.223.214.27#8222: RFC 1918 response from Internet for 105.1.168.192.in-addr.arpa
04-Jun-2010 19:20:50.279 security: warning: client 196.46.233.8#34578: RFC 1918 response from Internet for 22.81.168.192.in-addr.arpa
04-Jun-2010 19:20:52.196 security: warning: client 41.223.214.25#6394: RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa
04-Jun-2010 19:20:52.820 security: warning: client 196.46.233.8#34578: RFC 1918 response from Internet for 6.81.168.192.in-addr.arpa
04-Jun-2010 19:20:53.226 security: warning: client 196.46.239.37#49803: RFC 1918 response from Internet for 107.1.168.192.in-addr.arpa
04-Jun-2010 19:20:54.403 security: warning: client 196.46.233.8#34578: RFC 1918 response from Internet for 49.81.168.192.in-addr.arpa
04-Jun-2010 19:21:02.701 security: warning: client 196.46.233.8#34578: RFC 1918 response from Internet for 46.81.168.192.in-addr.arpa
04-Jun-2010 19:21:06.560 security: warning: client 196.46.233.8#34578: RFC 1918 response from Internet for 19.81.168.192.in-addr.arpa
04-Jun-2010 19:21:09.455 security: warning: client 196.46.233.8#34578: RFC 1918 response from Internet for 65.81.168.192.in-addr.arpa
04-Jun-2010 19:21:12.939 security: warning: client 196.46.235.46#64502: RFC 1918 response from Internet for 1.0.168.192.in-addr.arpa
04-Jun-2010 19:21:39.691 security: warning: client 41.223.214.26#17391: RFC 1918 response from Internet for 54.2.225.10.in-addr.arpa
04-Jun-2010 19:21:55.762 security: warning: client 196.46.239.37#49803: RFC 1918 response from Internet for 107.1.168.192.in-addr.arpa
04-Jun-2010 19:22:06.800 security: warning: client 196.46.233.8#34578: RFC 1918 response from Internet for 19.81.168.192.in-addr.arpa
04-Jun-2010 19:22:14.439 security: warning: client 41.223.214.27#8436: RFC 1918 response from Internet for 34.3.225.10.in-addr.arpa
04-Jun-2010 19:22:16.639 security: warning: client 196.46.233.8#63154: RFC 1918 response from Internet for 38.81.168.192.in-addr.arpa
04-Jun-2010 19:22:19.387 security: warning: client 41.223.214.25#6394: RFC 1918 response from Internet for 102.1.168.192.in-addr.arpa
04-Jun-2010 19:22:19.810 security: warning: client 196.46.233.8#34578: RFC 1918 response from Internet for 6.81.168.192.in-addr.arpa
04-Jun-2010 19:22:19.992 security: warning: client 196.46.239.7#51996: RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa
04-Jun-2010 19:22:24.889 security: warning: client 41.223.214.27#8473: RFC 1918 response from Internet for 111.1.225.10.in-addr.arpa

And before this, this was the error I was having:

04-Jun-2010 14:12:38.773 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.774 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.774 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.774 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.817 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.817 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.818 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.818 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.834 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.835 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.835 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.835 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.835 general: error: isc_socket_create: fcntl/reserved: Too many open files
04-Jun-2010 14:12:38.863 general: error: isc_socket_create: fcntl/reserved: Too many open files

I ran ulimit -n 8192 and that seems to have solved that error.