On 23.09.24 08:07, Peter Davies wrote:
From: "Nagesh Thati" <tcpnag...@gmail.com>
To: "bind-users" <bind-users@lists.isc.org>
Sent: Monday, 23 September, 2024 07:48:32
Subject: Assistance Needed: "Too Many Records" Error When Reloading Zone `example.com`, BIND: 9.18.29

Hi BIND Community,
[...]

*`general.log` Output:*
23-Sep-2024 10:33:48.625 general: info: received control channel command 'reload example.com'
23-Sep-2024 10:33:48.625 general: debug 1: zone_startload: zone example.com/IN: enter
23-Sep-2024 10:33:48.629 general: error: dns_master_load: /var/named/zones/db.example.com:995: text.example.com: too many records

*Zone File Excerpt (Line 995):*
990 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"
991 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 211 for us-vra.example.com. created on 2024-05-28"
992 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 212 for us-vdm.example.com. created on 2024-05-28"
993 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 217 for us-twlcm-01.example.com. created on 2024-05-28"
994 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 220 for us-lcm-02.example.com. created on 2024-05-29"
*995 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 225 for us-dev-remote-50.example.com. created on 2024-05-29"*
996 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 228 for us-vdm-02.example.com. created on 2024-05-29"
997 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 230 for us-lcm-03.example.com. created on 2024-05-29"
998 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 235 for us-dev-remote-51.example.com. created on 2024-05-29"
999 text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 240 for us-twlcm-02.example.com. created on 2024-05-29"



On 23.09.24 09:30, Petr Špaček wrote:
>> *Request for Assistance:*
>> 1. _Understanding the Limit:_ Is there a configurable limit in BIND that
>> restricts the number of records per zone? If so, how can we adjust this limit to
>> accommodate our current zone size?
>
> Although you can adjust the configuration to allow more records in one place, it is
> not recommended. Doing so opens the possibility of DoS attacks.



Hi Nagesh,

I think a better option would be to convert the RRs

text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for 
us-lcm-01.example.com. created on 2024-05-28"

to something like

us-lcm-01.text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for 
us-lcm-01.example.com. created on 2024-05-28"

since the discovery of the real name text.example.com (if it is queryable from
unvalidated source IP addresses - and almost any source IP address on the
"internet" has to be considered unvalidated, since there is no applicable way to
validate foreign source addresses on autonomous system interconnects yet) will
make it possible to abuse these RRs for a DoS amplification attack against third
parties (the real owners of the forged source IPs).

The attacker just needs to send requests for text.example.com IN TXT with the
forged source IP of the victim, and the victim will get your hundreds of TXT
records under this name from your server for each of them.

But depending on the origin or use of these records this might be difficult. ;-)

Kind regards,
        Lars


--
Lars Kollstedt

Telefon: +49 6151 16-71027
E-Mail:  l...@man-da.de

man-da.de GmbH
Dolivostraße 11
64293 Darmstadt

Sitz der Gesellschaft: Darmstadt
Registergericht: Amtsgericht Darmstadt
Handelsregisternummer: HRB 9484
Geschäftsführer: Andreas Ebert
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
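As an added example (not code from the thread, from ISC, or from BIND), here is a small Python script that does the checks a zone maintainer would want before and after the rename Lars suggests: it counts records per owner/type (one RRset is what a single query returns in full), flags RRsets above a per-type limit, estimates the TXT answer bytes a spoofed query for one owner name would reflect, and rewrites the TXT records at one owner into per-host labels. The zone lines are constructed to match the excerpt above; the limit value passed to `oversized_rrsets` is an assumption for illustration, since the configured value is not stated on the page, and the script assumes one quoted string per TXT record.

```python
import re
from collections import Counter

# Constructed sample, modelled on the excerpt in the thread (not the
# original poster's file): the same owner, TTL and TXT shape, fewer lines.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 5000
@ IN SOA ns1.example.com. hostmaster.example.com. ( 2024092301 3600 900 604800 300 )
@ IN NS ns1.example.com.
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 209 for us-lcm-01.example.com. created on 2024-05-28"
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 211 for us-vra.example.com. created on 2024-05-28"
text.example.com. 5000 IN TXT "Example Infrastructure Asset ID: 225 for us-dev-remote-50.example.com. created on 2024-05-29"
www.example.com. 5000 IN A 192.0.2.10
"""

# Only fully qualified "owner TTL IN TYPE rdata" lines are considered;
# $ directives and SOA/NS lines without an explicit TTL are skipped.
RR_LINE = re.compile(r'^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$')
# Pulls the host label out of the asset text ("... for us-lcm-01.example.com. ...").
# The "for <host>.example.com." pattern is an assumption taken from the excerpt.
ASSET_HOST = re.compile(r'\bfor\s+(?P<host>[a-z0-9-]+)\.example\.com\.', re.I)


def rrset_sizes(zone_text):
    """Number of records per (owner, type) pair, i.e. per RRset."""
    counts = Counter()
    for line in zone_text.splitlines():
        m = RR_LINE.match(line)
        if m:
            counts[(m['owner'].lower(), m['type'])] += 1
    return counts


def oversized_rrsets(zone_text, limit):
    """RRsets with more records than `limit` (limit is the caller's assumption)."""
    return {k: v for k, v in rrset_sizes(zone_text).items() if v > limit}


def txt_answer_bytes(zone_text, owner):
    """Approximate wire size of the answer section for `owner IN TXT`.

    Per record: 2 (compressed name) + 2 type + 2 class + 4 TTL + 2 rdlength
    + 1 length byte + the string itself = len(string) + 13.  Assumes one
    quoted string of at most 255 bytes per record, as in the excerpt.
    """
    total = 0
    for line in zone_text.splitlines():
        m = RR_LINE.match(line)
        if m and m['owner'].lower() == owner.lower() and m['type'] == 'TXT':
            text = m['rdata'].strip().strip('"')
            total += len(text) + 13
    return total


def split_txt_rrset(zone_text, owner):
    """Move each TXT record at `owner` under a per-host label, as Lars suggests:
    text.example.com. -> us-lcm-01.text.example.com. and so on."""
    out = []
    for line in zone_text.splitlines():
        m = RR_LINE.match(line)
        if m and m['owner'].lower() == owner.lower() and m['type'] == 'TXT':
            h = ASSET_HOST.search(m['rdata'])
            if h is None:
                raise ValueError(f"no host label found in: {line}")
            line = f"{h['host'].lower()}.{m['owner']} {m['ttl']} IN TXT {m['rdata']}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    owner = "text.example.com."
    print("before:", oversized_rrsets(SAMPLE_ZONE, 2), txt_answer_bytes(SAMPLE_ZONE, owner), "bytes")
    rewritten = split_txt_rrset(SAMPLE_ZONE, owner)
    print("after: ", oversized_rrsets(rewritten, 2))
    print(rewritten)
```

Run it against a real zone file with `limit` set to whatever the server enforces, and check that the largest remaining TXT answer is small compared with the query that triggers it; after the rename, each per-host name returns a single record, so the reflected size no longer grows with the number of assets.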