#1  
Old 5th July 2012, 21:47
Captain Captain is offline
Senior Member
  
Join Date: Feb 2009
Posts: 249
Thanks: 71
Thanked 5 Times in 4 Posts
Exclamation Bind9 all traffic usage
Hello!

I have a problem today with my server.
Server use all outboard traffic.
in iptraf I see UDP connections (UDP port 1, 2, 4, 53) from my server.
in tcpdump port 53 i see a lot of traffic to ripe.net
and RRSIG, DNSKEY.

How to solve this problem?

Big thnks.

I have Debian 6.05 and ISPCOnfig 3 final.
Reply With Quote
Sponsored Links
  #2  
Old 6th July 2012, 09:11
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,184 Times in 3,202 Posts
Default
Edit the file /etc/bind/named.conf.options and add the line:

allow-recursion { 127.0.0.1; };


in the options {
.....
}

section. Then restart bind.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 6th July 2012, 11:40
Captain Captain is offline
Senior Member
  
Join Date: Feb 2009
Posts: 249
Thanks: 71
Thanked 5 Times in 4 Posts
Default
The same.

in tcpdump port 53 a lot of:
Code:
12:35:26.830399 IP 192.168.1.1.6 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.831033 IP 192.168.1.1.discard > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.831269 IP srv.mydomain.com.domain > 192.168.1.1.8: 952- 0/13/1 (245)
12:35:26.836900 IP srv.mydomain.com.domain > 192.168.1.1.2: 952- 0/13/1 (245)
12:35:26.841511 IP 192.168.1.1.echo > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.842291 IP srv.mydomain.com.domain > 192.168.1.1.2: 952- 0/13/1 (245)
12:35:26.842576 IP 192.168.1.1.domain > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.843073 IP 192.168.1.1.10 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.843992 IP 192.168.1.1.5 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
And trafic is maximum.
Reply With Quote
  #4  
Old 6th July 2012, 11:45
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,184 Times in 3,202 Posts
Default
Try to set:

allow-recursion { none; };

to disallow all recursive queries. As the queries come all from your local network and not a external server, you should check the computers in your network for viruses.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 6th July 2012, 12:48
Captain Captain is offline
Senior Member
  
Join Date: Feb 2009
Posts: 249
Thanks: 71
Thanked 5 Times in 4 Posts
Default
recursion none did not help.

192.168.1.1 it is router IP address.
It goes from internet to the 53 port on my router as I understand.
Reply With Quote
  #6  
Old 9th July 2012, 10:40
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,184 Times in 3,202 Posts
Default
Ok, so these queries are no recursive queries for domains on your server then when I assume that you added the option correctly. Then you can only close port 53 in your firewall if your connection is not able to handle the number of requests for your domains and get a server with a faster connection for your dns services or use the dns server of the company were you get the domains from.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
The Following User Says Thank You to till For This Useful Post:
Captain (9th July 2012)
  #7  
Old 10th July 2012, 12:14
Captain Captain is offline
Senior Member
  
Join Date: Feb 2009
Posts: 249
Thanks: 71
Thanked 5 Times in 4 Posts
 
Default
We solved this porblem by blocking IP address in ISP Provider router.
It was DNS flood.

But now we have DNS flood aprx. 200-300 kbyte. It is not a problem.

But we have many named denied lines in log files (syslog and messages).
How we can to reduce this logs with ripe.net denied?

Thank you Till.
Reply With Quote
Reply

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Traffic quota and mail traffic Davide General 2 10th January 2011 13:21
Routing - Forward all traffic to an ip to another ip bsgcic Installation/Configuration 0 25th July 2010 11:26
Squid Proxy Caching on Linux obzerver Installation/Configuration 4 13th August 2008 19:51
WEBALIZER FTP TRAFFIC CONT in WEB TRAFFIC dloopsrl Installation/Configuration 3 20th September 2006 17:39
Traffic Limit katschi Feature Requests 2 16th August 2005 23:40


All times are GMT +2. The time now is 15:12.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.