Re: Malicious DNS request?
Paul,

I'm sorry if this is JUST to BIND or some other specific software. But, IMHO this is just a sample that requests which only generate NXDOMAIN responses.

According to someone's presentation on NANOG ("DNS anomalies and their impact on DNS Cache Server"), such a record may be a type of attack.

If we only rely on caching to remove paient of CPU time, cache server load will be increased. So, what I'm trying to ask is, is there some mechanism proposed to deal with such a problem? BIND is just a sample.

joe

--- Paul Vixie <vixie@vix.com> wrote:
joe_hznm@yahoo.com.sg (Joe Shen) writes:
I'm using BIND9.2.5 & BIND9.3.1 on two Solaris boxes; each box has two CPUs installed. It's found BIND8.4.6 running on one CPU could reach the throughput of BIND9.*.* running on two CPUs.
Could we improve server throughput or lower the effect of those requests on NXDOMAIN?
yes. but "we" isn't nanog. can you take your bind-specific questions to a bind-related mailing list or newsgroup? www.isc.org has pointers.

-- Paul Vixie
At 8:45 AM +0800 2005-05-18, Joe Shen wrote:
I'm sorry if this is JUST to BIND or some other specific software. But, IMHO this is just a sample that requests which only generate NXDOMAIN responses.
Do a DNS query for slartibartfastisacharacterinamoviewrittenbydouglasadamsthathasnotgottenverygoodreviewslatelyandisbasedontheoriginalBBCradioshowandtheresultingBBCtvminiseries.com, and you'll probably get an NXDOMAIN. Indeed, query for any other non-existent domain, and you'll get an NXDOMAIN response. That's what it means.
According to someone's presentation on NANOG ("DNS anomalies and their impact on DNS Cache Server"), such a record may be a type of attack.
NXDOMAIN == Attack? Please show me how you arrive at that logic.
If we only rely on caching to remove paient of CPU time, cache server load will be increased. So, what I'm trying to ask is, is there some mechanism proposed to deal with such a problem? BIND is just a sample.
Well, only caching servers have to worry about getting an NXDOMAIN response back. Authoritative-only servers may have to worry about sending them out, but that's pretty cheap. Indeed, it's pretty cheap for the caching servers to handle getting them.

Yes, bad clients can abuse either caching servers or authoritative-only servers by doing things that result in a lot of NXDOMAIN responses, but that falls in the category of the programmers doing whatever is possible to protect themselves and their code against whatever kind of abuse gets hurled at them by poorly-behaved clients.

As far as that goes, that's a generic problem, and in the case of nameservers there are appropriate places to discuss this sort of thing -- such as the namedroppers mailing list.

Now, if you want to drag BIND into this picture as a specific example, there are appropriate places to discuss that, too -- such as the bind-users mailing list, or maybe one of the developer-oriented BIND mailing lists.

But none of these places are NANOG, and this discussion doesn't belong here -- either in the general case of nameservers, or in the specific case of BIND.

--
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.
participants (2)
- Brad Knowles
- Joe Shen