Re: outgoing-traffic

2016-07-26 Thread Mark Andrews

In message , Tony Finch writes:
> S Carr  wrote:
> >
> > You might want to check whether the requests are legitimate before
> > completely blocking them, rate limiting would be a better option.
> 
> Remember this is TCP traffic.
> 
> RRL is designed to deal with spoofed UDP traffic. It can actually make
> non-spoofed floods worse, because RRL pushes UDP traffic to TCP, and TCP
> is very easy to saturate.
> 
> You might find it helps to avoid truncated responses, e.g. by turning on
> the minimal-responses option. (See also minimal-any in BIND 9.11)

We need to go back to basics.  What question is being asked, and is
there a sensible response being returned?  Recursive servers don't
keep asking questions over and over for no reason, and this sounds
like that is happening.

> Tony.
> -- 
> f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
> Southeast Iceland: Northerly or northwesterly 5 to 7, occasionally gale 8
> until later in north. Moderate or rough. Occasional rain, fog patches.
> Moderate or good, occasionally very poor.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: outgoing-traffic

2016-07-26 Thread Tony Finch
S Carr  wrote:
>
> You might want to check whether the requests are legitimate before
> completely blocking them, rate limiting would be a better option.

Remember this is TCP traffic.

RRL is designed to deal with spoofed UDP traffic. It can actually make
non-spoofed floods worse, because RRL pushes UDP traffic to TCP, and TCP
is very easy to saturate.

You might find it helps to avoid truncated responses, e.g. by turning on
the minimal-responses option. (See also minimal-any in BIND 9.11)

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Southeast Iceland: Northerly or northwesterly 5 to 7, occasionally gale 8
until later in north. Moderate or rough. Occasional rain, fog patches.
Moderate or good, occasionally very poor.


Re: outgoing-traffic

2016-07-26 Thread G.W. Haywood

Hi there,

On Tue, 26 Jul 2016, Ejaz wrote:

> There is huge traffic coming out from my DNS server since yesterday and
> flooding the IP 212.107.121.110 ...


Are you able to let us see your bind configuration?

This might be IP spoofing, an attempted DoS attack on the IP.

Is there any reason why that IP should be allowed to query your
nameserver?  If not, then you should change your configuration so
that only those clients who are expected to query the server are
allowed to do so.  The 'acl', 'allow-query' and 'allow-recursion'
directives for the BIND configuration file enable you to do this.

What operating system are you running on your server?  If all else
fails, in most cases it will be trivial to implement a local firewall
rule or two - at least as a temporary measure until the, er, root of
the problem is discovered and solved.  Consider the TARPIT target. :)

--

73,
Ged.


RE: outgoing-traffic

2016-07-26 Thread Ejaz
 

Thanks for all the comments.

One more thing: I can control it through rate limiting or block it entirely,
but if the same thing happens to another network, will that be a problem??

See the packet capture from the network device: the outgoing traffic is
passing from port 0 instead of 53.  Why is that? Any clue?  I mean, the BIND
application should not use any other port instead of 53??

 

 

 

Gi0/2  212.119.64.2  Gi0/1  212.118.122.99   11  362K
Gi0/2  212.119.64.3  Gi0/1  212.118.122.99   11  66K
Gi0/2  212.119.64.2  Gi0/1  212.118.122.100  11  375K
Gi0/2  212.119.64.3  Gi0/1  212.118.122.100  11  68K
Gi0/2  212.119.64.2  Gi0/1  212.118.122.101  11  362K
Gi0/2  212.119.64.3  Gi0/1  212.118.122.101  11  66K

 

Thanks in advance for your support.

Ejaz

-Original Message-
From: Tony Finch [mailto:d...@dotat.at]
Sent: Tuesday, July 26, 2016 11:54 AM
To: Ejaz
Cc: 'Abdul Khader'; bind-users@lists.isc.org
Subject: RE: outgoing-traffic

Ejaz <me...@cyberia.net.sa> wrote:
>
> I am not using an iptables firewall on my Red Hat Linux box; all
> traffic is managed by the network team.

Well then, you should co-operate with them to fix the problem.

You might find that it helps to put the following in the options{} section
of named.conf, but I'm not sure if it will be effective against a TCP flood
attack.

blackhole { 212.107.121.110; };

Tony.

--
f.anthony.n.finch <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Forties, Cromarty, Forth, Tyne, Dogger: West or southwest 4 or 5. Slight,
occasionally moderate at first. Rain or showers. Good, occasionally
moderate.


Re: outgoing-traffic

2016-07-26 Thread S Carr
On 26 July 2016 at 09:53, Tony Finch  wrote:
> Ejaz  wrote:
>>
>> I am not using an iptables firewall on my Red Hat Linux box; all traffic
>> is managed by the network team.

You might want to check whether the requests are legitimate before
completely blocking them, rate limiting would be a better option.

$ dig +noall +answer -x 212.107.121.110
110.121.107.212.in-addr.arpa. 3531 IN PTR mail1.alireza.com.sa.

That IP address looks like it belongs to a mail server, and the
alireza.com.sa zone is authoritative on your company's name servers,
so it could be they have simply misconfigured their mailserver.

$ dig +noall +answer alireza.com.sa NS
alireza.com.sa. 3468 IN NS ns2.cyberia.net.sa.
alireza.com.sa. 3468 IN NS ns1.cyberia.net.sa.

Steve


RE: outgoing-traffic

2016-07-26 Thread Tony Finch
Ejaz  wrote:
>
> I am not using an iptables firewall on my Red Hat Linux box; all traffic
> is managed by the network team.

Well then, you should co-operate with them to fix the problem.

You might find that it helps to put the following in the options{} section
of named.conf, but I'm not sure if it will be effective against a TCP
flood attack.

blackhole { 212.107.121.110; };

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Forties, Cromarty, Forth, Tyne, Dogger: West or southwest 4 or 5. Slight,
occasionally moderate at first. Rain or showers. Good, occasionally moderate.


RE: outgoing-traffic

2016-07-26 Thread Ejaz
Ok, that's fine. But what is the reason why it is sending such huge traffic
towards particular IPs?

Ejaz 

-Original Message-
From: Reindl Harald [mailto:h.rei...@thelounge.net] 
Sent: Tuesday, July 26, 2016 11:36 AM
To: Ejaz ; 'Abdul Khader' ;
bind-users@lists.isc.org
Subject: Re: outgoing-traffic



On 26.07.2016 at 10:30 Ejaz wrote:
> I am not using an iptables firewall on my Red Hat Linux box; all
> traffic is managed by the network team.

What you currently do doesn't matter: you have a problem and got a solution
(which should be used on any host, besides response-rate-limiting, regardless
of whether there is a firewall in front; defense in depth).

> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
> Of Abdul Khader
> Sent: Tuesday, July 26, 2016 11:21 AM
> To: bind-users@lists.isc.org
> Subject: Re: outgoing-traffic
>
> You can use iptables to rate-limit the IP.
>
> On 7/26/2016 12:11 PM, Ejaz wrote:
>
> All.
>
> There is huge traffic coming out from my DNS server since yesterday,
> flooding the IP 212.107.121.110. Though I have increased the tcp-clients
> limit in named.conf, the issue persists. Any help would be highly
> appreciated.




RE: outgoing-traffic

2016-07-26 Thread Ejaz
 

I am not using an iptables firewall on my Red Hat Linux box; all traffic is
managed by the network team.

Ejaz

 

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
Abdul Khader
Sent: Tuesday, July 26, 2016 11:21 AM
To: bind-users@lists.isc.org
Subject: Re: outgoing-traffic

You can use iptables to rate-limit the IP.

On 7/26/2016 12:11 PM, Ejaz wrote:

All.

There is huge traffic coming out from my DNS server since yesterday, flooding
the IP 212.107.121.110. Though I have increased the tcp-clients limit in
named.conf, the issue persists. Any help would be highly appreciated.

 

 


 


Re: outgoing-traffic

2016-07-26 Thread Abdul Khader

You can use iptables to rate-limit the IP.



On 7/26/2016 12:11 PM, Ejaz wrote:

All.

There is huge traffic coming out from my DNS server since yesterday, flooding
the IP 212.107.121.110. Though I have increased the tcp-clients limit in
named.conf, the issue persists. Any help would be highly appreciated.





Re: Overriding TTL per resource-record on slave

2016-07-26 Thread Matus UHLAR - fantomas

On 26.07.16 00:27, blrmaani wrote:

Sorry for not being clear. Our DNS server scrapes entries from a database
and creates DNS zone entries.  Our DNS server is configured as a DNS
master, i.e. type=master in the BIND config for this zone.

The database is the source of truth for DNS hosts which are in multiple
locations, and we do not want to modify the per-resource-record TTL value in
the database since it impacts all locations.

Our DNS server needs to be customized such that the TTL values for a few
'special' records can be customized.

How do I modify per resource-record TTL on our DNS master?


since all resource records have their own TTL, you can simply give those
you want a lower TTL than the others.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
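One way to do what Matus describes, as an added example that is not from the thread: when the master renders the zone from the database rows, emit an explicit TTL on every record and let a small override table (host1 and host2 with the preferred TTLs from the original question) replace the database default for the "special" owners. DB_ROWS, the origin and the SOA values are constructed placeholders.

```python
"""Render a zone from database rows with per-record TTL overrides on the master.

Added example, not from the thread. Every RR carries its own TTL in the zone
file, so the master can emit a different TTL for selected owners without
touching the database that feeds every location.
"""

# Constructed sample of a database export: (owner, type, rdata).
DB_ROWS = [
    ("host1.zone1.com.", "A", "192.0.2.10"),
    ("host1.zone1.com.", "A", "192.0.2.11"),
    ("host2.zone1.com.", "A", "192.0.2.20"),
    ("host3.zone1.com.", "A", "192.0.2.30"),
]

DEFAULT_TTL = 300  # the single value the database stores for all locations

# Overrides for the "special" records (values from the original question).
# A key may be "owner" or "owner/TYPE"; the type-specific key wins.
OVERRIDES = {
    "host1.zone1.com.": 3600,
    "host2.zone1.com.": 86400,
}

def ttl_for(owner, rtype, overrides=OVERRIDES, default=DEFAULT_TTL):
    """TTL for one record: type-specific override, then owner-wide, else default.
    Owner names are compared case-insensitively, as DNS names are."""
    owner = owner.lower()
    return overrides.get(f"{owner}/{rtype}", overrides.get(owner, default))

def render_zone(rows, origin="zone1.com.", serial=2016072601, overrides=OVERRIDES):
    """Return zone file text with an explicit TTL on every record."""
    lines = [
        f"$ORIGIN {origin}",
        f"$TTL {DEFAULT_TTL}",
        f"@ {DEFAULT_TTL} IN SOA ns1.{origin} hostmaster.{origin} {serial} 3600 900 604800 300",
        f"@ {DEFAULT_TTL} IN NS ns1.{origin}",
    ]
    for owner, rtype, rdata in rows:
        lines.append(f"{owner} {ttl_for(owner, rtype, overrides)} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n"

def ttls_in(zone_text):
    """Map owner -> set of TTLs emitted. All RRs of one RRset must share a TTL
    (RFC 2181), so any owner with more than one value is a bug to fix."""
    seen = {}
    for line in zone_text.splitlines():
        if line.startswith("$") or line.startswith("@"):
            continue
        owner, ttl = line.split()[:2]
        seen.setdefault(owner, set()).add(int(ttl))
    return seen

if __name__ == "__main__":
    zone = render_zone(DB_ROWS)
    print(zone)
    print(ttls_in(zone))
```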


outgoing-traffic

2016-07-26 Thread Ejaz
 

All.

There is huge traffic coming out from my DNS server since yesterday, flooding
the IP 212.107.121.110. Though I have increased the tcp-clients limit in
named.conf, the issue persists.  Any help would be highly appreciated.

 

 

My bind version is

[root@ns10 ~]# named -v
BIND 9.9.2-P1

 

 

 

When checking there are several entries as below.

Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4571: no more TCP clients: quota reached
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4572: no more TCP clients: quota reached
Jul 26 10:53:19 ns10 named[3004]: client 212.107.121.110#4597: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4633: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4635: no more TCP clients: quota reached
Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached

 

Thanks,

Mohammed Ejaz
Asst. Operation Director of Systems.
Cyberia SAUDI ARABIA
P.O.Box: 301079, Riyadh 11372
Phone:  (+966) 11 464 7114 Ext. 140
Mobile:  (+966) 562311787
Fax:  (+966) 11 465 4735
Website: http://www.cyberia.net.sa

 

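As an added example that is not from the thread, here is a small Python triage script for the named log lines quoted above: it groups the "no more TCP clients: quota reached" events by client address and reports the event count, the number of distinct source ports and the peak per second, which is the check S Carr and Mark Andrews ask for (is one source really exhausting the quota?) before anything is blackholed or rate-limited. The 212.107.121.110 lines in the sample are the ones from the post; the 192.0.2.7 lines and the unrelated line are constructed.

```python
"""Triage BIND "no more TCP clients: quota reached" log lines by client.

Added example, not from the thread. Each TCP connection from a real host
uses a fresh ephemeral port, so a run of rising ports from one address,
all rejected against the tcp-clients quota, points at one busy (or
misbehaving) client rather than at spoofed traffic.
"""
import re
from collections import Counter, defaultdict

# Syslog format as named writes it in the thread; no year or msgid is
# present, so the timestamp is kept as the raw "Mon DD HH:MM:SS" string.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): no more TCP clients: quota reached$"
)

# Constructed sample: the original post's lines plus a second client.
SAMPLE_LOG = """\
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4571: no more TCP clients: quota reached
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4572: no more TCP clients: quota reached
Jul 26 10:53:19 ns10 named[3004]: client 212.107.121.110#4597: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4633: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4635: no more TCP clients: quota reached
Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
Jul 26 10:53:26 ns10 named[3004]: client 192.0.2.7#40001: no more TCP clients: quota reached
Jul 26 10:53:26 ns10 named[3004]: some unrelated message
"""

def parse_quota_events(text):
    """Yield (timestamp, ip, port) for every quota-reached line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), int(m.group("port"))

def summarize(text):
    """Per-client stats: total events, distinct source ports, peak events per second."""
    totals = Counter()
    ports = defaultdict(set)
    per_second = defaultdict(Counter)
    for ts, ip, port in parse_quota_events(text):
        totals[ip] += 1
        ports[ip].add(port)
        per_second[ip][ts] += 1
    return {
        ip: {
            "events": totals[ip],
            "distinct_ports": len(ports[ip]),
            "peak_per_second": max(per_second[ip].values()),
        }
        for ip in totals
    }

def top_talkers(text, min_events=3):
    """Clients with at least min_events rejections, busiest first: the ones
    worth checking (PTR, NS delegation, contact) before blackholing."""
    stats = summarize(text)
    ranked = sorted(stats.items(), key=lambda kv: -kv[1]["events"])
    return [ip for ip, s in ranked if s["events"] >= min_events]

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
    print("review before blocking:", top_talkers(SAMPLE_LOG))
```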

Re: BIND 9 API & GUI

2016-07-26 Thread Phil Mayers

On 26/07/16 01:40, /dev/rob0 wrote:


Features which would work well behind a GUI frontend exist, and more
are coming in BIND 9.11.  See the rndc(8) manual and the various
commands it has.


To expand on this: the catalog zones in BIND 9.11 should permit in-band
provisioning of new DNS zones. Once the initial server is set up, all
config and data changes can be done via DDNS from that point forward, AIUI.



Re: Overriding TTL per resource-record on slave

2016-07-26 Thread blrmaani
Sorry for not being clear. Our DNS server scrapes entries from a database and
creates DNS zone entries. Our DNS server is configured as a DNS master, i.e.
type=master in the BIND config for this zone.

The database is the source of truth for DNS hosts which are in multiple
locations, and we do not want to modify the per-resource-record TTL value in
the database since it impacts all locations.

Our DNS server needs to be customized such that the TTL values for a few
'special' records can be customized.

How do I modify the per-resource-record TTL on our DNS master?


On Tuesday, July 26, 2016 at 11:14:19 AM UTC+5:30, blrmaani wrote:
> We slave a zone and would like to override the default TTL for a bunch of
> resource-records. What is the right way to do it?
> 
> For example, here are a few records for which we have to customize TTLs:
> 
> host1.zone1.com.:
>   default_ttl = 300
>   preferred_ttl = 3600
> 
> host2.zone1.com:
>   default_ttl = 300
>   preferred_ttl = 86400
> 
> Since we want these preferred TTL values only for a few regions, we don't
> want to make changes on our hidden master and prefer to do it on the slave
> sitting in a specific region.
> 
> My idea is to run a dynamic update (nsupdate) wrapper script to update TTL
> entries for desired resource-records on our slave. Is there a better way to
> achieve this?
> 
> thanks
> Blr



Re: Overriding TTL per resource-record on slave

2016-07-26 Thread Matus UHLAR - fantomas

On 25.07.16 22:44, blrmaani wrote:

We slave a zone and would like to override the default TTL for a bunch of
resource-records.  What is the right way to do it?


there's no "default TTL" on resource records; there's only a TTL on each
resource record, and the "default TTL" on the master server, which it uses
for any resource record without an explicitly configured TTL.


For example, here are few records for which we have to customize TTLs:

host1.zone1.com.:
 default_ttl = 300
 preferred_ttl = 3600

host2.zone1.com:
 default_ttl = 300
 preferred_ttl = 86400


this does not make sense.


My Idea is to run a dynamic update (nsupdate) wrapper script to update TTL
entries for desired resource-records on our slave.  Is there a better way
to achieve this?


your slave will only forward the update to master. 


Your description does not make sense, what exactly do you want to achieve?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm