Re: DOS of named

2003-12-19 Thread Toomas Aas
Hi!

> what measures can I take against these irregularly appearing Denial-Of-Service
> attacks of named, which are filling my logfiles (messages, daemon, all.log)
> with messages like "sysquery: no addrs found for root NS" for minutes
> at a rate of 4000 lines/sec?

Here's what I have done on my FreeBSD 4.8 machines.

Put the following in /etc/namedb/named.conf:

---< cut >---
logging {
    channel everything {
        file "/var/log/named" versions 5 size 4m;
        severity info;
        print-category no;
        print-severity yes;
        print-time yes;
    };
    category default {
        everything;
    };
};
---< cut >---

This, as you understand, configures named to log its messages to the file 
/var/log/named (bypassing syslogd), doesn't allow the log file to grow 
larger than 4 MB and keeps 5 previous versions of the file.

The errors still happen, but at least your /var partition won't fill 
up.

> Thus, nothing to solve the problem or to find the true cause.

I've gone through the same path you have, with similar results. It is 
interesting to mention that I have three servers (now 
4.8-RELEASE-p13) running named (from base system) on FreeBSD, two of 
them using ISP A and one using ISP B (respective ISP's name servers 
configured as forwarders in named.conf). The problem happens with both 
servers behind ISP A, but has never happened to the one behind ISP B.
--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* Tell me what you need, and I'll tell you how to get along without it.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: DOS of named

2003-12-19 Thread Roman Neuhauser
# [EMAIL PROTECTED] / 2003-12-16 22:01:33 +0100:
> PS: BTW, is there a search engine on freebsd.org for the archives or
> do I have to stay with google, which becomes less usable each day?)

another option is marc.theaimsgroup.com

-- 
If you cc me or remove the list(s) completely I'll most likely ignore
your message. See http://www.eyrie.org./~eagle/faqs/questions.html


Re: DOS of named

2003-12-18 Thread Kris Kennaway
On Thu, Dec 18, 2003 at 04:26:18PM +0100, Miguel Mendez wrote:
> ./Kris Kennaway wrote:
> 
> > I was; if you're complaining about bugs in old versions of the
> > software, then the first thing to do is check whether those bugs have
> > been fixed in later versions.  Not all bug fixes are properly
> > documented.
> 
> See
> ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-018.txt.asc
> 
> Apparently, the NetBSD security team does fix those bugs, so I assume
> the FreeBSD people can as well.

Sorry, what was your point?  This bug was fixed in FreeBSD too, as you
could have discovered by spending 10 seconds to look at the
advisories.  But we weren't talking about this one, because the OP
claimed to have checked the BIND ChangeLogs and found that his problem
had not been referenced.

> > OK, so you've done some further research about this (or just omitted
> > this from the original message).  The BIND mailing list may still be
> > your best bet for discussion of this issue, despite previous lack of
> > solution there.
> 
> FreeBSD is the vendor in this case, as bind is part of base, so it's
> FreeBSD people the ones to ask about the product they ship.

He's welcome to ask, but my advice was that BIND experts are lower on
the ground here than on the BIND support list.

Kris



Re: DOS of named

2003-12-18 Thread Miguel Mendez
./Kris Kennaway wrote:

> I was; if you're complaining about bugs in old versions of the
> software, then the first thing to do is check whether those bugs have
> been fixed in later versions.  Not all bug fixes are properly
> documented.

See
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-018.txt.asc

Apparently, the NetBSD security team does fix those bugs, so I assume
the FreeBSD people can as well.

> OK, so you've done some further research about this (or just omitted
> this from the original message).  The BIND mailing list may still be
> your best bet for discussion of this issue, despite previous lack of
> solution there.

FreeBSD is the vendor in this case, as bind is part of base, so it's
FreeBSD people the ones to ask about the product they ship.

Cheers,
-- 
Miguel Mendez <[EMAIL PROTECTED]>
http://www.energyhq.es.eu.org
PGP Key: 0xDC8514F1



Re: DOS of named

2003-12-18 Thread Kris Kennaway
On Thu, Dec 18, 2003 at 12:58:41PM +0100, Robert Eckardt wrote:
> On Tue, 16 Dec 2003 20:28:10 -0800, Kris Kennaway wrote
> > On Tue, Dec 16, 2003 at 10:01:33PM +0100, Robert Eckardt wrote:
> > > Hi,
> > > 
> > > what measures can I take against these irregularly appearing Denial-Of-Service
> > > attacks of named, which are filling my logfiles (messages, daemon, all.log)
> > > with messages like "sysquery: no addrs found for root NS" for minutes at
> > > a rate of 4000 lines/sec?
> > > 
> > > I'm using named 8.3.3-REL on FBSD-5.0R.
> > 
> > Both are very old and have a number of known problems.  Upgrade to 
> > the latest versions.
> 
> Hi Kris,
> 
> You can't be serious. :-)

I was; if you're complaining about bugs in old versions of the
software, then the first thing to do is check whether those bugs have
been fixed in later versions.  Not all bug fixes are properly
documented.

> And as far as named is concerned: From looking at the discussion
> on their mailing list this problem happens for a wide variety of
> releases on different operating systems, but with no one having
> the intention to fix it. (I even found the question I asked more
> than 7 years ago on this list to the very same problem. At that
> time the computers just weren't fast enough to write 4000 lines/sec.)
> Thus, I cannot accept the simple call for the new release.

OK, so you've done some further research about this (or just omitted
this from the original message).  The BIND mailing list may still be
your best bet for discussion of this issue, despite previous lack of
solution there.

Kris


Re: DOS of named

2003-12-18 Thread Robert Eckardt
On Tue, 16 Dec 2003 20:28:10 -0800, Kris Kennaway wrote
> On Tue, Dec 16, 2003 at 10:01:33PM +0100, Robert Eckardt wrote:
> > Hi,
> > 
> > what measures can I take against these irregularly appearing Denial-Of-Service
> > attacks of named, which are filling my logfiles (messages, daemon, all.log)
> > with messages like "sysquery: no addrs found for root NS" for minutes at
> > a rate of 4000 lines/sec?
> > 
> > I'm using named 8.3.3-REL on FBSD-5.0R.
> 
> Both are very old and have a number of known problems.  Upgrade to 
> the latest versions.

Hi Kris,

You can't be serious. :-)

I know that my release isn't at the front of development.
But 5.0R is the latest release known to work on my EPoX MB with 
a HighPoint 372N controller. (I don't want to test every new 
release, when there is no indication of change in support for 
my RAID controller.)

And as far as named is concerned: From looking at the discussion
on their mailing list this problem happens for a wide variety of
releases on different operating systems, but with no one having
the intention to fix it. (I even found the question I asked more
than 7 years ago on this list to the very same problem. At that
time the computers just weren't fast enough to write 4000 lines/sec.)
Thus, I cannot accept the simple call for the new release.
Instead I hope for a solution to the problem.
(Do you install the Chinese X-fonts when you have a problem with
your FCAL controller just because SUN says that the patch isn't
up-to-date? I don't. I read the release notes.)

I didn't mean to appear rude.

Regards,
Robert




mailing list search (WAS: DOS of named)

2003-12-17 Thread Dan Pelleg
"Robert Eckardt" <[EMAIL PROTECTED]> writes:

> 
> PS: BTW, is there a search engine on freebsd.org for the archives or
> do I have to stay with google, which becomes less usable each day?)
> 

You can use http://freebsd.rambler.ru/

-- 

  Dan Pelleg


Re: DOS of named

2003-12-16 Thread Kris Kennaway
On Tue, Dec 16, 2003 at 10:01:33PM +0100, Robert Eckardt wrote:
> Hi,
> 
> what measures can I take against these irregularly appearing Denial-Of-Service
> attacks of named, which are filling my logfiles (messages, daemon, all.log)
> with messages like "sysquery: no addrs found for root NS" for minutes at
> a rate of 4000 lines/sec?
> 
> I'm using named 8.3.3-REL on FBSD-5.0R.

Both are very old and have a number of known problems.  Upgrade to the
latest versions.

Kris



DOS of named

2003-12-16 Thread Robert Eckardt
Hi,

what measures can I take against these irregularly appearing Denial-Of-Service
attacks of named, which are filling my logfiles (messages, daemon, all.log)
with messages like "sysquery: no addrs found for root NS" for minutes at
a rate of 4000 lines/sec?

I'm using named 8.3.3-REL on FBSD-5.0R.

There is no indication that ipfw is blocking anything as denied packets
are logged by default. (Well, at least not from any name servers.)

This phenomenon happens irregularly after a few days/weeks/months.
This last event, for example, happened after 4 days' uptime, the one before
after over 42 days.
Searching in the archives pointed me to 
a) some issue with the named.cache file which I updated weeks ago and 
   which is still up-to-date
b) the firewall blocking the answer from a root-server (see above)
c) and of course the arrogance of a developer suggesting to use a larger
   filesystem for logs as nothing is wrong with an application logging
   every error.

Thus, nothing to solve the problem or to find the true cause.

An "nslookup 198.41.0.4 a.root-servers.net." produces
Authoritative answers can be found from:
198.in-addr.arpa        nameserver = chia.ARIN.NET
198.in-addr.arpa        nameserver = dill.ARIN.NET
198.in-addr.arpa        nameserver = henna.ARIN.NET
198.in-addr.arpa        nameserver = indigo.ARIN.NET
198.in-addr.arpa        nameserver = epazote.ARIN.NET
198.in-addr.arpa        nameserver = figwort.ARIN.NET
198.in-addr.arpa        nameserver = ginseng.ARIN.NET
*** Can't find server name for address 198.41.0.4: No information
*** Default servers are not available

Tcpdump shows the following transfer, nothing more:
tcpdump: listening on tun0
20:47:47.288874 80.128.176.76.63384 > 198.41.0.4.domain:  18833+ PTR? 4.0.41.198.in-addr.arpa. (41)
20:47:47.443400 198.41.0.4.domain > 80.128.176.76.63384:  18833- 0/7/0 (194) (DF)
^C


Thanks in advance,
Robert

PS: BTW, is there a search engine on freebsd.org for the archives or
do I have to stay with google, which becomes less usable each day?)

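As an added example, not written by any poster in this thread, here is a small Python check that counts the quoted "sysquery: no addrs found for root NS" message per second in syslog-style output, so a monitor can alert on a burst before /var fills. The host name, pid, sample lines and the alert threshold are constructed assumptions.

```python
import re
from collections import Counter

# Syslog-style line as syslogd writes it for named (BIND 8); the message text is the
# one quoted in the thread, while host name "gw" and pid 213 are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$"
)
FLOOD_MSG = "sysquery: no addrs found for root NS"

# Constructed sample log: a five-line burst within one second, then normal traffic.
SAMPLE_LOG = """\
Dec 16 20:47:01 gw named[213]: sysquery: no addrs found for root NS
Dec 16 20:47:01 gw named[213]: sysquery: no addrs found for root NS
Dec 16 20:47:01 gw named[213]: sysquery: no addrs found for root NS
Dec 16 20:47:01 gw named[213]: sysquery: no addrs found for root NS
Dec 16 20:47:01 gw named[213]: sysquery: no addrs found for root NS
Dec 16 20:47:02 gw named[213]: sysquery: no addrs found for root NS
Dec 16 20:47:03 gw named[213]: starting.  named 8.3.3-REL
Dec 16 20:47:04 gw sshd[99]: Accepted publickey for robert
"""


def count_per_second(lines, msg=FLOOD_MSG):
    """Count named lines carrying msg per syslog timestamp (one-second resolution).
    Lines from other daemons or with other messages are ignored."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("msg").startswith(msg):
            counts[m.group("ts")] += 1
    return counts


def burst_seconds(lines, threshold, msg=FLOOD_MSG):
    """Return [(timestamp, count)] for each second at or above threshold,
    in log order. In the thread the real rate was 4000 lines/sec; the
    threshold is left to the caller so it fits the host's /var size."""
    counts = count_per_second(lines, msg)
    return [(ts, n) for ts, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for ts, n in burst_seconds(SAMPLE_LOG.splitlines(), threshold=3):
        print(f"{ts}: {n} x '{FLOOD_MSG}'")
```

Fed `tail -F /var/log/messages` in one-second windows, the same functions give an early warning that the log channel (or the syslogd partition) is about to be flooded.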