Re: Sporadic but noticeable SERVFAILs in specific nodes of an anycast resolving farm running BIND
Hello, an update with the findings so far:

- IPv6 config on the servers was an issue so we removed it and will test further later. There is a hint pointed out by various people about a Linux kernel issue and setting (net.ipv6.route.max_size), see https://lists.dns-oarc.net/pipermail/dns-operations/2014-February/011366.html

- our main issue was that we were being attacked. Open resolvers in our network were utilized to produce large amounts of queries with random subdomains of specific domains. Analyzing a small capture we noticed the following domains, but the list should not be considered complete I guess:

www.jxoyjt.com.cn
liebiao.81ypf.com
yuerengu.com.cn
www.lgsf.net
www.xxcfsb.com
lie.zz85.com
www.9009pk.com
www.bcbang.com

One mitigation approach is to blackhole the domains using local zones.

--
Kostas Zorbadelos
twitter: @kzorbadelos
http://gr.linkedin.com/in/kzorba
() www.asciiribbon.org - against HTML e-mail & proprietary attachments
/\

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
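The post above identifies the flooded domains by hand from a small capture and notes the list is probably incomplete. The following is an added example, not code from the thread or from ISC: it scans BIND query-log lines for parents that receive many distinct, non-repeating leftmost labels (the random-subdomain pattern described above) and renders the kind of local "blackhole" zone stanzas the post mentions. Assumptions: the log lines are in the BIND 9.9-era `client <ip>#<port>: query: <qname> IN <qtype> ...` format, the sample lines are constructed (the domain names are the ones listed in the post, the labels and client addresses are made up), the thresholds are arbitrary starting points, and `/etc/bind/db.empty` is the empty zone file shipped by Debian's bind9 package; substitute your own empty zone (SOA and NS only) if you keep it elsewhere.

```python
"""Flag random-subdomain query floods in a BIND query log and emit blackhole zones.

Added example, not from the bind-users thread. Assumed log format (BIND 9.9 style):
  <date> client <ip>#<port>: query: <qname> IN <qtype> <flags> (<server ip>)
"""
import re
from collections import defaultdict

QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return (client, qname, qtype) for every query line; qname lowercased, no trailing dot."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append((m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")))
    return records


def find_random_subdomain_floods(records, min_unique=5, min_ratio=0.8):
    """Group queries by the qname with its leftmost label removed (the 'parent').

    A parent is flagged when it has seen at least min_unique distinct leftmost
    labels and those labels almost never repeat (unique / total >= min_ratio),
    which is what a random-subdomain flood looks like and what ordinary traffic
    (www., mail., lists. queried over and over) does not.
    Returns {parent: (unique_labels, total_queries)} for flagged parents.
    """
    labels_by_parent = defaultdict(list)
    for _client, qname, _qtype in records:
        first, sep, parent = qname.partition(".")
        if not sep:  # single-label name, nothing to group under
            continue
        labels_by_parent[parent].append(first)
    flagged = {}
    for parent, seen in labels_by_parent.items():
        unique = len(set(seen))
        if unique >= min_unique and unique / len(seen) >= min_ratio:
            flagged[parent] = (unique, len(seen))
    return flagged


def blackhole_zones(parents, empty_file="/etc/bind/db.empty"):
    """Render named.conf stanzas that make this resolver authoritative for each
    parent with an empty zone, so every name under it gets a local NXDOMAIN
    instead of being chased upstream. empty_file is an assumed path (Debian's
    bind9 package ships an SOA+NS-only zone there)."""
    return "".join(
        f'zone "{p}" {{ type master; file "{empty_file}"; }};\n' for p in sorted(parents)
    )


# Constructed sample log: pseudo-random labels under two of the domains named in
# the post, plus repeated benign queries that must NOT be flagged.
FLOOD_LABELS = ["a1b2c3", "zz9q8w", "k3m5n7", "p0o9i8", "qwe123",
                "rty456", "uio789", "asd012", "fgh345", "jkl678"]


def _line(client, qname):
    return f"08-Mar-2014 12:40:01.000 client {client}#40211: query: {qname} IN A + (198.51.100.1)"


SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", f"{lab}.www.jxoyjt.com.cn") for lab in FLOOD_LABELS]
    + [_line("192.0.2.11", f"{lab}.yuerengu.com.cn") for lab in FLOOD_LABELS[:6]]
    + [_line("192.0.2.20", "www.isc.org")] * 5
    + [_line("192.0.2.21", "lists.isc.org")] * 3
)

if __name__ == "__main__":
    flagged = find_random_subdomain_floods(parse_query_log(SAMPLE_LOG))
    for parent, (unique, total) in flagged.items():
        print(f"{parent}: {unique} distinct labels over {total} queries")
    print(blackhole_zones(flagged))
```

Grouping on "qname minus its leftmost label" is deliberately crude: it reproduces the parents listed in the post (e.g. www.jxoyjt.com.cn) without needing a public-suffix list, but a flood that varies two labels would need the grouping widened. Review the flagged list before loading zones, since a popular CDN or DNSBL name can also show many distinct leftmost labels.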
Re: Sporadic but noticeable SERVFAILs in specific nodes of an anycast resolving farm running BIND
On 08 Mar 2014, at 12:52, Kostas Zorbadelos wrote:

> One mitigation approach is to blackhole the domains using local zones.

That's not much of a mitigation. Not having open resolvers would be mitigation.

--
Eyes the shady night has shut/Cannot see the record cut
And silence sounds no worse than cheers/After earth has stopped the ears.
Re: Sporadic but noticeable SERVFAILs in specific nodes of an anycast resolving farm running BIND
> > One mitigation approach is to blackhole the domains using local zones.
>
> That's not much of a mitigation. Not having open resolvers would be
> mitigation.

Not having open resolvers is good - but unfortunately doesn't help against misbehaving clients (e.g. small home routers with DNS proxies open to queries from the WAN side).

Steinar Haug, Nethelp consulting, sth...@nethelp.no