allow-recursion slowing server to crawl

2013-02-27 Thread Marco C. Coelho


I discovered my bind 9 server was being used in a DDoS attack so I 
decided (late) to block outside networks from making recursive 
requests.  The problem is every time I enable this, the time for DNS 
queries goes from 0-1ms to 2000-6000ms or just times out completely.  
The options section is below. I've commented it out so as to enable my 
network to run.


There are thousands of my clients that need recursion from this server.  
It is also authoritative for many domains.


There is a semi busy mail server on this same box that uses DNS as well.

I googled this to death with no real suggestions.  I've tried it with 
ACL and without.


Any suggestions would be appreciated.

Marco

acl internal {
  24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; localnets; localhost;
};

options {
  directory "/var/named";
  /*
   * If there is a firewall between you and nameservers you want
   * to talk to, you might need to uncomment the query-source
   * directive below.  Previous versions of BIND always asked
   * questions using port 53, but BIND 8.1 uses an unprivileged
   * port by default.
   */
  // query-source address * port 53;
  recursive-clients 1000;
  recursion yes;
  //allow-query { any; };
  //allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; localnets; localhost; };
  //allow-recursion { internal; };
  //allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; localnets; localhost; };
  listen-on-v6 { none; };
  listen-on { 24.202.224.2; };
  version "8.2.3-REL";
};

--
Argon Technologies Inc.
Marco Coelho, President, CEO
POB 875
4612 Wesley St.
Greenville, TX 75402
903-455-5036
903-455-2115 Fax

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: allow-recursion slowing server to crawl

2013-02-27 Thread Mark Andrews

I suspect this is just logging.  Send the security channel to null;
for a while.  Once your server gets off the "I'm a recursive reflector"
lists you can turn it on again.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: allow-recursion slowing server to crawl

2013-02-27 Thread Marco C. Coelho

Just so the list has the same answer,

Mark Andrews was right.
This server was being hammered so hard that logging the rejects was 
killing the performance.

adding:
logging {
  category default { null; };
  //category lame-servers { null; };
};

to named.conf fixed the performance issues.

mc



Re: allow-recursion slowing server to crawl

2013-02-27 Thread Vernon Schryver

Turning off recursion for outsiders while allowing them authoritative
responses might not entirely stop the use of a DNS server in reflection
attacks.  If the server is one of the ones I suspect, then even with
recursion for outsiders turned off, it remains useful for about 6X
amplification in a reflection attack.  That's enough lower than the
10X or even 50X available from some others that the bad guys might
demote it.  However, many of those have been fixed or are being fixed.

To really stop the reflection DoS problem, I would install a current version
of BIND and then the RRL patch with RRL enabled for external DNS clients
and disabled for internal clients.  See http://www.redbarn.org/dns/ratelimits

If RRL is too radical or can't be installed immediately, I'd still
get away from BIND8.  See https://www.isc.org/software/bind/security
and https://www.isc.org/software/bind8/security/matrix


Vernon Schryver    v...@rhyolite.com


Re: allow-recursion slowing server to crawl

2013-02-27 Thread Mark Andrews

In message 512e97aa.2020...@argontech.net, Marco C. Coelho writes:
> Just so the list has the same answer,
>
> Mark Andrews was right.
> This server was being hammered so hard that logging the rejects was
> killing the performance.
> adding:
> logging {
>   category default { null; };
>   //category lame-servers { null; };
> };
>
> to named.conf fixed the performance issues.

That was a bit of overkill.  I said kill the security category, not every
category.  When you do that you are driving blind.

category security { null; };
 
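As an added example (not configuration posted by anyone in this thread), here is a BIND 9 named.conf fragment that puts the three fixes discussed together: recursion and cache access gated on the ACL, only the security category sent to null as Mark Andrews advised, and response rate limiting that exempts internal clients as Vernon Schryver suggested. It reuses the internal ACL and addresses from the original post; the log file path and the rate-limit numbers are assumptions, and the rate-limit block needs a BIND build that includes RRL.

```conf
// Added example: hardened options for a server that is both authoritative
// and a recursive resolver for its own clients. Reuses the "internal" ACL
// from the thread; log path and rate-limit values are illustrative.
acl internal {
  24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; localnets; localhost;
};

options {
  directory "/var/named";
  recursive-clients 1000;
  recursion yes;

  // Anyone may query the authoritative zones...
  allow-query { any; };
  // ...but only the internal ACL may recurse or read cached answers,
  // so outsiders cannot use the cache for reflection.
  allow-recursion { internal; };
  allow-query-cache { internal; };

  // Response Rate Limiting: caps identical responses per client
  // netblock for outside queriers; internal clients are exempt.
  rate-limit {
    responses-per-second 5;
    window 5;
    exempt-clients { internal; };
  };

  listen-on { 24.202.224.2; };
  listen-on-v6 { none; };
};

logging {
  channel default_log {
    file "/var/named/named.log" versions 3 size 10m;   // assumed path
    severity info;
    print-time yes;
    print-category yes;
  };
  // Keep the default category so the server is not "driving blind"...
  category default { default_log; };
  // ...and silence only the security category, which carries the
  // per-query "denied" messages that flooded the disk. Re-enable it
  // once the query flood subsides.
  category security { null; };
};
```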