#1  
Old 5th July 2012, 22:47
Captain Captain is offline
Senior Member
 
Join Date: Feb 2009
Posts: 287
Thanks: 82
Thanked 8 Times in 7 Posts
Bind9 all traffic usage

Hello!

I have a problem today with my server.
The server uses all outbound traffic.
In iptraf I see UDP connections (UDP ports 1, 2, 4, 53) from my server.
In tcpdump port 53 I see a lot of traffic to ripe.net
and RRSIG, DNSKEY.

How to solve this problem?

Big thanks.

I have Debian 6.05 and ISPConfig 3 final.
  #2  
Old 6th July 2012, 10:11
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 37,009
Thanks: 840
Thanked 5,651 Times in 4,461 Posts

Edit the file /etc/bind/named.conf.options and add the line:

allow-recursion { 127.0.0.1; };


in the options {
.....
}

section. Then restart bind.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 6th July 2012, 12:40
Captain Captain is offline

The same.

In tcpdump port 53 a lot of:
Code:
12:35:26.830399 IP 192.168.1.1.6 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.831033 IP 192.168.1.1.discard > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.831269 IP srv.mydomain.com.domain > 192.168.1.1.8: 952- 0/13/1 (245)
12:35:26.836900 IP srv.mydomain.com.domain > 192.168.1.1.2: 952- 0/13/1 (245)
12:35:26.841511 IP 192.168.1.1.echo > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.842291 IP srv.mydomain.com.domain > 192.168.1.1.2: 952- 0/13/1 (245)
12:35:26.842576 IP 192.168.1.1.domain > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.843073 IP 192.168.1.1.10 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.843992 IP 192.168.1.1.5 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
And traffic is at maximum.
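As an added example (not part of the original thread and not code from any poster), this Python script parses tcpdump lines copied from the post above and summarises the traits visible in them: one query ID and name repeated, query type ANY, low source ports, and replies larger than the queries. The function name `analyze`, the port-name map and the thresholds are assumptions made for this example.

```python
import re
from collections import Counter

# Lines copied from the tcpdump output posted above (not constructed).
CAPTURE = """\
12:35:26.830399 IP 192.168.1.1.6 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.831033 IP 192.168.1.1.discard > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.831269 IP srv.mydomain.com.domain > 192.168.1.1.8: 952- 0/13/1 (245)
12:35:26.841511 IP 192.168.1.1.echo > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.842291 IP srv.mydomain.com.domain > 192.168.1.1.2: 952- 0/13/1 (245)
12:35:26.842576 IP 192.168.1.1.domain > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.843073 IP 192.168.1.1.10 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
""".splitlines()

QUERY = re.compile(r" IP (\S+)\.(\w+) > \S+\.domain: (\d+)\+? .*?(\w+)\? (\S+) \((\d+)\)$")
REPLY = re.compile(r" IP \S+\.domain > \S+: (\d+)[-*|]* (\d+)/(\d+)/(\d+) \((\d+)\)$")
# Service names tcpdump prints instead of numbers; unknown names count as port 0 (assumption).
SERVICE_PORTS = {"echo": 7, "discard": 9, "domain": 53}

def analyze(lines, min_repeats=3):
    """Summarise DNS queries/replies and flag a flood-like pattern (thresholds are assumptions)."""
    queries, reply_sizes = [], []
    for line in lines:
        if m := QUERY.search(line):
            src, port, qid, qtype, qname, size = m.groups()
            port = int(port) if port.isdigit() else SERVICE_PORTS.get(port, 0)
            queries.append((src, port, int(qid), qtype, qname, int(size)))
        elif m := REPLY.search(line):
            reply_sizes.append(int(m.group(5)))  # DNS message length in bytes
    if not queries:
        return {"queries": 0, "suspicious": False}
    n = len(queries)
    top, repeats = Counter((q[2], q[4]) for q in queries).most_common(1)[0]
    report = {
        "queries": n,
        "any_share": sum(q[3] == "ANY" for q in queries) / n,
        # Resolvers normally send from high ephemeral ports, not 6, 7, 9 or 10.
        "low_port_share": sum(q[1] < 1024 for q in queries) / n,
        "top_id_name": top,   # most repeated (query ID, name) pair
        "repeats": repeats,
        "amplification": None,
    }
    if reply_sizes:
        avg_query = sum(q[5] for q in queries) / n
        report["amplification"] = round(sum(reply_sizes) / len(reply_sizes) / avg_query, 2)
    report["suspicious"] = (report["any_share"] >= 0.8 and report["low_port_share"] >= 0.5
                            and repeats >= min_repeats)
    return report

if __name__ == "__main__":
    print(analyze(CAPTURE))
```

On the posted lines, every query carries ID 952 for `ANY? ripe.net.` from a source port below 1024, and each 245-byte reply is about 6.45 times the size of the 38-byte query that triggered it.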
  #4  
Old 6th July 2012, 12:45
till till is online now

Try to set:

allow-recursion { none; };

to disallow all recursive queries. As the queries all come from your local network and not an external server, you should check the computers in your network for viruses.
  #5  
Old 6th July 2012, 13:48
Captain Captain is offline

Recursion none did not help.

192.168.1.1 is the router's IP address.
It goes from the internet to port 53 on my router, as I understand.
  #6  
Old 9th July 2012, 11:40
till till is online now

OK, so these queries are not recursive queries for domains on your server then, when I assume that you added the option correctly. Then you can only close port 53 in your firewall if your connection is not able to handle the number of requests for your domains, and get a server with a faster connection for your DNS services or use the DNS server of the company where you get the domains from.
  #7  
Old 10th July 2012, 13:14
Captain Captain is offline

We solved this problem by blocking the IP address in the ISP provider's router.
It was a DNS flood.

But now we have a DNS flood of approx. 200-300 kbyte. It is not a problem.

But we have many named denied lines in the log files (syslog and messages).
How can we reduce these logs with ripe.net denied?

Thank you Till.