Bind9 all traffic usage

Discussion in 'Installation/Configuration' started by Captain, Jul 5, 2012.

  1. Captain

    Captain Member


    I have a problem today with my server.
    The server uses all outbound traffic.
    In iptraf I see UDP connections (UDP port 1, 2, 4, 53) from my server.
    In tcpdump port 53 I see a lot of traffic to
    and RRSIG, DNSKEY.

    How to solve this problem?

    Big thanks.

    I have Debian 6.05 and ISPConfig 3 final.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Edit the file /etc/bind/named.conf.options and add the line:

    allow-recursion {; };

    in the options {

    section. Then restart bind.
  3. Captain

    Captain Member

    The same.

    In tcpdump port 53 a lot of:
    12:35:26.830399 IP > 952+ [1au] ANY? (38)
    12:35:26.831033 IP > 952+ [1au] ANY? (38)
    12:35:26.831269 IP > 952- 0/13/1 (245)
    12:35:26.836900 IP > 952- 0/13/1 (245)
    12:35:26.841511 IP > 952+ [1au] ANY? (38)
    12:35:26.842291 IP > 952- 0/13/1 (245)
    12:35:26.842576 IP > 952+ [1au] ANY? (38)
    12:35:26.843073 IP > 952+ [1au] ANY? (38)
    12:35:26.843992 IP > 952+ [1au] ANY? (38)
    And traffic is maximum.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to set:

    allow-recursion { none; };

    to disallow all recursive queries. As the queries all come from your local network and not an external server, you should check the computers in your network for viruses.
  5. Captain

    Captain Member

    Recursion none did not help. It is the router IP address.
    It goes from internet to the 53 port on my router as I understand.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so these queries are no recursive queries for domains on your server then when I assume that you added the option correctly. Then you can only close port 53 in your firewall if your connection is not able to handle the number of requests for your domains and get a server with a faster connection for your dns services or use the dns server of the company where you get the domains from.
  7. Captain

    Captain Member

    We solved this problem by blocking the IP address in the ISP provider's router.
    It was DNS flood.

    But now we have DNS flood approx. 200-300 kbyte. It is not a problem.

    But we have many named denied lines in log files (syslog and messages).
    How can we reduce these denied log lines?

    Thank you Till.
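
Added example (not part of the thread and not written by its participants): a Python tally over `tcpdump port 53` output of the kind posted above, flagging sources whose queries are almost all ANY and whose replies are several times larger than the queries. The sample capture is constructed: addresses are RFC 5737 documentation ranges, `example.org` is a placeholder, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed capture in tcpdump's DNS line format (placeholder addresses/names).
SAMPLE = """\
12:35:26.830399 IP 198.51.100.7.4444 > 192.0.2.10.53: 952+ [1au] ANY? example.org. (38)
12:35:26.831269 IP 192.0.2.10.53 > 198.51.100.7.4444: 952- 0/13/1 (245)
12:35:26.831033 IP 198.51.100.7.4444 > 192.0.2.10.53: 952+ [1au] ANY? example.org. (38)
12:35:26.836900 IP 192.0.2.10.53 > 198.51.100.7.4444: 952- 0/13/1 (245)
12:35:26.841511 IP 198.51.100.7.4444 > 192.0.2.10.53: 952+ [1au] ANY? example.org. (38)
12:35:26.842291 IP 192.0.2.10.53 > 198.51.100.7.4444: 952- 0/13/1 (245)
12:35:26.842576 IP 198.51.100.7.4444 > 192.0.2.10.53: 952+ [1au] ANY? example.org. (38)
12:35:26.843073 IP 192.0.2.10.53 > 198.51.100.7.4444: 952- 0/13/1 (245)
12:35:27.099000 IP 203.0.113.5.50000 > 192.0.2.10.53: 1234 A? www.example.org. (33)
12:35:27.100000 IP 192.0.2.10.53 > 203.0.113.5.50000: 1234*- 1/2/2 A 192.0.2.80 (112)
"""

# Query to port 53: capture source address, query type, printed length.
QUERY = re.compile(r"IP (\S+)\.\d+ > \S+\.53: \d+\S* (?:\[\w+\] )?(\w+)\? \S+ \((\d+)\)")
# Reply from port 53: capture destination address and printed length.
REPLY = re.compile(r"IP \S+\.53 > (\S+)\.\d+: \d+\S* \d+/\d+/\d+.*\((\d+)\)\s*$")

def tally(capture):
    """Per-address counters: queries seen, ANY queries, bytes in and out."""
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "bytes_in": 0, "bytes_out": 0})
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            s = stats[q.group(1)]
            s["queries"] += 1
            s["any"] += q.group(2) == "ANY"
            s["bytes_in"] += int(q.group(3))
            continue
        r = REPLY.search(line)
        if r:
            stats[r.group(1)]["bytes_out"] += int(r.group(2))
    return dict(stats)

def suspects(stats, min_queries=4, any_share=0.8, min_ratio=2.0):
    """Addresses with mostly-ANY queries and replies >= min_ratio times larger.
    In a flood the source may be spoofed, so a flagged address can be the victim."""
    flagged = {}
    for src, s in stats.items():
        if s["queries"] < min_queries:
            continue
        ratio = s["bytes_out"] / s["bytes_in"]
        if s["any"] / s["queries"] >= any_share and ratio >= min_ratio:
            flagged[src] = round(ratio, 2)
    return flagged
```
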
