Is there any relationship between this "europeanwide" above.net failure and the huge amount of DNS requests to lockup.zonelabs.com which failed that every ISP (at least in France) seems to have encountered last night? The zonelabs.com zone is hosted on Above.net NS servers.
The Netherlands were hit as well. We saw a massive flood of queries for lockup.zonelabs.com, too. It performed a nice DoS on our client name servers.... :-(

You'd think that an unresponsive nameserver would be flagged dead, and such information be cached. Does anyone know whether that's actually done in Bind 8.3.4? Or perhaps not by default?

Cheers,

Arjan H

Not even a clue-by-four would work with this clown.
________________________________
dr. Arjan Hulsebos
Security Engineer
Essent Kabelcom, @Home Benelux department
1042 AX Amsterdam
Email: arjanh@corp.home.nl
Tel: +31 20 88 55 407
Mob: +31 6 21 548 777
> You'd think that an unresponsive nameserver would be flagged dead, and such information be cached. Does anyone know whether that's actually done in Bind 8.3.4? Or perhaps not by default?
This certainly does not happen when all authoritative nameservers are unresponsive. See http://www.nanog.org/mtg-0310/wessels.html, in particular pages 23 and 24 of the slides.

In my simulations with 100% packet loss, DNS caches running BIND8, dnscache, W2000, and W2003 all amplified the user's query rates. Only BIND9 attenuated.

The results do depend on the actual query rate, however. At a higher query rate, the other caches would/should attenuate as well (perhaps reaching their hard-coded rate limits), but I don't have the exact numbers.

It would be interesting to repeat the simulation and take out, say, half of a set of authoritative nameservers during the middle of the test.

Duane W.
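To make the amplify-versus-attenuate distinction in Duane's message concrete, here is a toy model added to this thread (it is not Duane's simulation and not BIND code). One cache policy retries every authoritative server on every client query and remembers nothing; the other marks a server unreachable for a hold-down period after a probe times out and coalesces identical outstanding questions. The server count, retry count, timeout and hold-down are assumed values chosen for illustration, and the naive policy has no rate limit at all, so unlike the real caches Duane expects to hit hard-coded limits at high rates, it amplifies at every rate.

```python
"""Toy model of a caching resolver whose authoritative servers drop 100% of
packets, as in the lockup.zonelabs.com incident discussed above.  Added
example: the two policies are simplified stand-ins for the behaviours
described in the thread, not the BIND8/BIND9 code paths, and every number
(servers, retries, timeout, hold-down) is an assumption for illustration."""

AUTH_SERVERS = ["ns1", "ns2", "ns3"]   # assumed: three unresponsive NS for the zone


class NaiveCache:
    """Every client query starts a fresh resolution: each server is tried
    `retries` times and nothing is remembered about the failures."""

    def __init__(self, retries=3):
        self.retries = retries

    def handle(self, now, name):
        # With 100% loss every attempt is a wasted upstream packet.
        return len(AUTH_SERVERS) * self.retries


class DeadServerCache:
    """Marks a server unreachable for `holddown` seconds once a probe times
    out, and coalesces identical outstanding questions, so the upstream
    packet rate is decoupled from the client query rate."""

    def __init__(self, timeout=2.0, holddown=60.0):
        self.timeout = timeout
        self.holddown = holddown
        self.dead_until = {}   # server -> time it may be probed again
        self.inflight = {}     # name -> expiry of the outstanding query

    def handle(self, now, name):
        # Identical question already in flight: attach to it, send nothing.
        if self.inflight.get(name, -1.0) > now:
            return 0
        sent = 0
        for srv in AUTH_SERVERS:
            if self.dead_until.get(srv, 0.0) > now:
                continue                      # still marked dead, skip it
            sent += 1                         # one probe packet
            # The probe will time out (100% loss): mark the server dead.
            self.dead_until[srv] = now + self.timeout + self.holddown
        if sent:
            self.inflight[name] = now + self.timeout
        return sent


def simulate(cache, client_qps, seconds, name="lockup.zonelabs.com"):
    """Evenly spaced client queries (integer qps and seconds).
    Returns (client_queries, upstream_packets)."""
    clients = upstream = 0
    for i in range(client_qps * seconds):
        now = i / client_qps          # exact at the probe instants used here
        clients += 1
        upstream += cache.handle(now, name)
    return clients, upstream


def amplification(cache, client_qps, seconds=600):
    """Upstream packets per client query: >1 amplifies, <1 attenuates."""
    clients, upstream = simulate(cache, client_qps, seconds)
    return upstream / clients


if __name__ == "__main__":
    for qps in (10, 100, 1000):
        print(qps, "qps  naive:", amplification(NaiveCache(), qps),
              " dead-server tracking:", amplification(DeadServerCache(), qps))
```

With these parameters the naive cache emits nine upstream packets for every client query regardless of rate, while the dead-server cache sends one probe per server every 62 seconds, so its upstream load over ten minutes is the same 30 packets whether clients ask 10 or 1000 times a second. That is the attenuation Duane describes; the part it does not model is his caveat that the real caches may also back off once their own rate limits kick in.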
On Wed, Nov 26, 2003 at 11:31:32AM -0700, Duane Wessels wrote:
> In my simulations with 100% packet loss, DNS caches running BIND8, dnscache, W2000, and W2003 all amplified the user's query rates. Only BIND9 attenuated.
pdns_recursor also throttles queries, see http://doc.powerdns.com/x2025.html

--
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
On Wed, 26 Nov 2003, Arjan Hulsebos wrote:
> The Netherlands were hit as well. We saw a massive flood of queries for lockup.zonelabs.com, too. It performed a nice DoS on our client name servers.... :-(
>
> You'd think that an unresponsive nameserver would be flagged dead, and such information be cached. Does anyone know whether that's actually done in Bind 8.3.4? Or perhaps not by default?
BIND9 does this, but it won't prevent clients from still asking the question over and over again. So an ISP with lots of downstream dumb clients (i.e. Windows) will still experience the DoS unless they have sufficient capacity in their DNS servers or rate-limit tcp/udp 53 at their network edge.

    client -> caching name server -> authoritative name server
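Sean's point is that the dead-server cache only protects the upstream side; the caching server itself still has to absorb the client flood. Before rate-limiting port 53 at the edge or adding capacity, an operator wants to know which name is being hammered and which downstream hosts are doing it. The following detector, added here as an example and not taken from the thread or any vendor, walks resolver query-log lines and reports any name that dominates the query mix along with the clients behind it. The log lines are constructed to look approximately like BIND 9 querylog output; they are not a capture from the incident, and the thresholds are assumed values.

```python
"""Spotting a query flood for one name in resolver query logs, so an operator
can see what to rate-limit and where the downstream clients are.  Added
example: the log lines are constructed in (approximately) BIND 9 querylog
form and are not a capture from the incident; thresholds are assumptions."""
import re
from collections import Counter, defaultdict

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def build_sample():
    """Constructed sample: eight hosts asking for one name over and over,
    plus a handful of ordinary lookups from other hosts."""
    lines = []
    for i in range(40):
        ip = f"10.1.0.{1 + i % 8}"
        lines.append(
            f"26-Nov-2003 02:14:{i // 10:02d}.{i % 10}00 client {ip}#{1024 + i}: "
            f"query: lockup.zonelabs.com IN A +"
        )
    ordinary = ["www.example.net", "mail.example.org", "www.example.com",
                "ns.example.net", "www.example.net"]
    for i, name in enumerate(ordinary):
        lines.append(
            f"26-Nov-2003 02:14:0{i}.500 client 10.2.0.{i + 1}#{2000 + i}: "
            f"query: {name} IN A +"
        )
    return lines


def parse(lines):
    """Yield (client_ip, qname, qtype) for each line that looks like a query;
    names are lower-cased and stripped of a trailing dot so variants merge."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").lower().rstrip("."), m.group("qtype")


def flood_report(lines, share_threshold=0.25, min_queries=20):
    """Names that account for at least `share_threshold` of all queries and
    at least `min_queries` in absolute terms, with the clients behind them.
    Both thresholds are assumed values; tune them to the server's normal mix."""
    by_name = Counter()
    clients_by_name = defaultdict(Counter)
    total = 0
    for ip, name, _qtype in parse(lines):
        total += 1
        by_name[name] += 1
        clients_by_name[name][ip] += 1
    if total == 0:
        return {}
    report = {}
    for name, count in by_name.items():
        share = count / total
        if count >= min_queries and share >= share_threshold:
            report[name] = {
                "count": count,
                "share": round(share, 3),
                "distinct_clients": len(clients_by_name[name]),
                "top_clients": clients_by_name[name].most_common(3),
            }
    return report


if __name__ == "__main__":
    for name, info in flood_report(build_sample()).items():
        print(name, info)
```

The "distinct_clients" figure is what tells the two remedies apart: a flood coming from a few hosts is a candidate for a per-source limit at the edge, while one spread across thousands of retrying clients, the case Sean describes, leaves capacity (or a blanket limit for that name) as the only options.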
participants (4): Arjan Hulsebos, bert hubert, Duane Wessels, Sean Donelan