allow-recursion slowing server to crawl
I discovered my bind 9 server was being used in a DDoS attack, so I decided (late) to block outside networks from making recursive requests. The problem is every time I enable this, the time for DNS queries goes from 0-1ms to 2000-6000ms or just times out completely. The options section is below. I've commented it out so as to enable my network to run. There are thousands of my clients that need recursion from this server. It is also authoritative for many domains. There is a semi-busy mail server on this same box that uses DNS as well. I googled this to death with no real suggestions. I've tried it with ACL and without. Any suggestions would be appreciated.

Marco

acl internal { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; localnets; localhost; };

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;

        recursive-clients 1000;
        recursion yes;
        //allow-query { any; };
        //allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; localnets; localhost; };
        //allow-recursion { internal; };
        //allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; localnets; localhost; };
        listen-on-v6 { none; };
        listen-on { 24.202.224.2; };
        version "8.2.3-REL";
};

-- 
Argon Technologies Inc.
Marco Coelho, President, CEO
POB 875
4612 Wesley St.
Greenville, TX 75402
903-455-5036
903-455-2115 Fax

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: allow-recursion slowing server to crawl
I suspect this is just logging. Send the security channel to null; for a while. Once your server gets off the "I'm a recursive reflector" lists you can turn it on again.

In message 512e7940.7060...@argontech.net, Marco C. Coelho writes:
> I discovered my bind 9 server was being used in a DDoS attack, so I decided (late) to block outside networks from making recursive requests. The problem is every time I enable this, the time for DNS queries goes from 0-1ms to 2000-6000ms or just times out completely.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
Re: allow-recursion slowing server to crawl
Just so the list has the same answer, Mark Andrews was right. This server was being hammered so hard that logging the rejects was killing the performance. Adding:

logging {
        category default { null; };
        //category lame-servers { null; };
};

to named.conf fixed the performance issues.

mc

On 2/27/2013 5:18 PM, Mark Andrews wrote:
> I suspect this is just logging. Send the security channel to null; for a while. Once your server gets off the "I'm a recursive reflector" lists you can turn it on again.
Re: allow-recursion slowing server to crawl
From: Marco C. Coelho
> Mark Andrews was right. This server was being hammered so hard that logging the rejects was killing the performance. Adding:
> logging { category default { null; }; //category lame-servers { null; }; };
>
> On 2/27/2013 5:18 PM, Mark Andrews wrote:
>> I suspect this is just logging. Send the security channel to null; for a while. Once your server gets off the "I'm a recursive reflector" lists you can turn it on again.
>
>>> There are thousands of my clients that need recursion from this server. It is also authoritative for many domains. There is a semi-busy mail server on this same box that uses DNS as well.

Turning off recursion for outsiders while allowing them authoritative responses might not entirely stop the use of a DNS server in reflection attacks. If the server is one of the ones I suspect, then even with recursion for outsiders turned off, it remains useful for about 6X amplification in a reflection attack. That's enough lower than the 10X or even 50X available from some others that the bad guys might demote it. However, many of those have been fixed or are being fixed.

To really stop the reflection DoS problem, I would install a current version of BIND and then the RRL patch, with RRL enabled for external DNS clients and disabled for internal clients. See http://www.redbarn.org/dns/ratelimits

If RRL is too radical or can't be installed immediately, I'd still get away from BIND8. See https://www.isc.org/software/bind/security and https://www.isc.org/software/bind8/security/matrix

Vernon Schryver v...@rhyolite.com
Re: allow-recursion slowing server to crawl
In message 512e97aa.2020...@argontech.net, Marco C. Coelho writes:
> Just so the list has the same answer, Mark Andrews was right. This server was being hammered so hard that logging the rejects was killing the performance. Adding:
> logging { category default { null; }; //category lame-servers { null; }; };
> to named.conf fixed the performance issues.

That was a bit of overkill. I said kill the security category, not every category. When you do that you are driving blind.

category security { null; };
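Pulling the thread's advice together as one named.conf, as an added example that is not from any of the posters: it keeps Marco's `internal` ACL and listen addresses, applies Mark Andrews' correction (silence only the `security` category, not `default`), and adds the Response Rate Limiting that Vernon Schryver recommends, exempting internal clients. It assumes a BIND release with `rate-limit` built in (9.10 or later; the thread refers to the earlier RRL patch, whose syntax is the same), and the channel name `default_log` and log path `/var/log/named/named.log` are placeholders chosen here.

```conf
// Added example: one way to combine the fixes discussed in the thread.
// Assumes BIND 9.10+ (built-in rate-limit). Names marked as placeholders
// are not from the original posts.

acl internal { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; localnets; localhost; };

options {
        directory "/var/named";
        listen-on { 24.202.224.2; };
        listen-on-v6 { none; };

        // Authoritative answers for the hosted zones are still served to everyone.
        allow-query { any; };

        // Recursion and cache reads are restricted to the ACL. Both directives
        // matter: allow-recursion alone would still let outsiders read cached
        // answers, which is what keeps a server on the open-resolver lists.
        recursion yes;
        allow-recursion { internal; };
        allow-query-cache { internal; };
        recursive-clients 1000;

        // Response Rate Limiting. Even authoritative-only answers give a
        // reflector several times amplification; RRL caps identical responses
        // per client address so spoofed bursts are dropped or truncated.
        rate-limit {
                responses-per-second 10;
                window 5;
                slip 2;                        // every 2nd dropped reply becomes a truncated one, so genuine clients retry over TCP
                exempt-clients { internal; };  // never throttle our own users or the local mail server
        };
};

logging {
        channel default_log {                  // placeholder channel name and path
                file "/var/log/named/named.log" versions 3 size 20m;
                severity info;
                print-time yes;
                print-category yes;
        };

        // Keep general logging, so the server is not "driving blind" ...
        category default { default_log; };

        // ... and drop only the security category, where every refused
        // recursive query from the reflector traffic is logged one line at a
        // time. Point it back at default_log once the flood subsides.
        category security { null; };
};
```

Check it with `named-checkconf` before reloading. `allow-query-cache` defaults to the same list as `allow-recursion` when left unset, but stating it explicitly makes the intent visible and survives later edits to `allow-recursion`. Once the server drops off the open-resolver lists, restore `category security { default_log; };`; the ACL rejects are the evidence you want when the next incident happens.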