Bind9 all traffic usage

Discussion in 'Installation/Configuration' started by Captain, Jul 5, 2012.

  1. Captain

    Captain New Member

    Hello!

    I have a problem today with my server.
    The server is using all outbound traffic.
    In iptraf I see UDP connections (UDP ports 1, 2, 4, 53) from my server.
    In tcpdump port 53 I see a lot of traffic to ripe.net
    and RRSIG, DNSKEY.

    How to solve this problem?

    Big thanks.

    I have Debian 6.05 and ISPConfig 3 final.
     
  2. till

    till Super Moderator

    Edit the file /etc/bind/named.conf.options and add the line:

    allow-recursion { 127.0.0.1; };


    in the options {
    .....
    }

    section. Then restart bind.
     
  3. Captain

    Captain New Member

    The same.

    In tcpdump port 53, a lot of:
    Code:
    12:35:26.830399 IP 192.168.1.1.6 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
    12:35:26.831033 IP 192.168.1.1.discard > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
    12:35:26.831269 IP srv.mydomain.com.domain > 192.168.1.1.8: 952- 0/13/1 (245)
    12:35:26.836900 IP srv.mydomain.com.domain > 192.168.1.1.2: 952- 0/13/1 (245)
    12:35:26.841511 IP 192.168.1.1.echo > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
    12:35:26.842291 IP srv.mydomain.com.domain > 192.168.1.1.2: 952- 0/13/1 (245)
    12:35:26.842576 IP 192.168.1.1.domain > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
    12:35:26.843073 IP 192.168.1.1.10 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
    12:35:26.843992 IP 192.168.1.1.5 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
    
    
    And traffic is at maximum.
     
  4. till

    till Super Moderator

    Try to set:

    allow-recursion { none; };

    to disallow all recursive queries. As the queries all come from your local network and not an external server, you should check the computers in your network for viruses.
     
  5. Captain

    Captain New Member

    Recursion none did not help.

    192.168.1.1 is the router's IP address.
    It goes from the internet to port 53 on my router, as I understand.
     
  6. till

    till Super Moderator

    OK, so these queries are not recursive queries for domains on your server then, assuming that you added the option correctly. Then you can only close port 53 in your firewall if your connection is not able to handle the number of requests for your domains, and get a server with a faster connection for your DNS services or use the DNS server of the company where you get the domains from.
     
  7. Captain

    Captain New Member

    We solved this problem by blocking the IP address in the ISP provider's router.
    It was a DNS flood.

    But now we have a DNS flood of approx. 200-300 kbyte. It is not a problem.

    But we have many named denied lines in the log files (syslog and messages).
    How can we reduce these logs with ripe.net denied?

    Thank you Till.
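
Added example, not part of the original thread: a short Python summary of the tcpdump capture from post 3. It counts ANY queries per source and name, collects source ports below 1024, and computes the average reply/query size ratio. The names `SERVICES`, `QUERY`, `REPLY` and `summarize` are chosen for this example.

```python
import re
from collections import Counter

# Capture lines copied from post 3 of the thread (tcpdump run without -n).
SAMPLE = """\
12:35:26.830399 IP 192.168.1.1.6 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.831033 IP 192.168.1.1.discard > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.831269 IP srv.mydomain.com.domain > 192.168.1.1.8: 952- 0/13/1 (245)
12:35:26.836900 IP srv.mydomain.com.domain > 192.168.1.1.2: 952- 0/13/1 (245)
12:35:26.841511 IP 192.168.1.1.echo > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.842291 IP srv.mydomain.com.domain > 192.168.1.1.2: 952- 0/13/1 (245)
12:35:26.842576 IP 192.168.1.1.domain > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.843073 IP 192.168.1.1.10 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
12:35:26.843992 IP 192.168.1.1.5 > srv.mydomain.com.domain: 952+ [1au] ANY? ripe.net. (38)
"""

# tcpdump prints well-known ports by service name unless run with -n.
SERVICES = {"echo": 7, "discard": 9, "domain": 53}
QUERY = re.compile(r"IP (?P<src>\S+)\.(?P<sport>[\w-]+) > \S+\.domain: \d+\+"
                   r".*? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)")
REPLY = re.compile(r"IP \S+\.domain > \S+: \d+[-*|]* \d+/\d+/\d+ .*\((?P<len>\d+)\)")


def summarize(capture):
    """Count ANY queries per (source, name) and estimate the reply/query size ratio."""
    any_queries, low_ports = Counter(), set()
    qbytes, rbytes = [], []
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            port = q["sport"]
            port = int(port) if port.isdigit() else SERVICES.get(port, 0)
            if q["qtype"] == "ANY":
                any_queries[(q["src"], q["qname"])] += 1
                if 0 < port < 1024:  # resolvers normally query from ephemeral ports
                    low_ports.add(port)
            qbytes.append(int(q["len"]))
            continue
        r = REPLY.search(line)
        if r:
            rbytes.append(int(r["len"]))
    ratio = 0.0
    if qbytes and rbytes:  # average reply size divided by average query size
        ratio = round((sum(rbytes) / len(rbytes)) / (sum(qbytes) / len(qbytes)), 2)
    return {"any_queries": any_queries, "low_ports": low_ports, "ratio": ratio}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Capturing with `tcpdump -n` avoids the service-name lookup and shows the real upstream addresses when run in front of the NAT router.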
     
