[nsp] DNS DoS, limiting options

james hackerwacker at cybermesa.com
Sun May 25 22:43:39 EDT 2003


I would like to thank several list members who I have been discussing this issue with, off list.
You know who you are; thanks a bunch. 

I removed any policing I had set up for this and the Perl guys hacked out
a simple nanny script to watch the pid and restart BIND if it failed. Works a treat. I noticed that
the "DoS" stopped as soon as BIND was restarted. Looking at the binary dumps and BIND logs
at the start of this event it is clear I was confusing cause and effect. Our BIND is older
and a specific query was causing it to fail. Then the "DoS" starts. Not the other way around. The "DoS" was just
due to multiple servers getting no answer and asking again and again. New NSes with up-to-date
BIND are ready to be tested and deployed. I am working on an anycast solution to tie all the PoP
resolvers together. This will allow us to better separate recursion from authority.

James Edwards
jamesh at cybermesa.com
Routing and Security Administrator
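A minimal version of the restart-on-death "nanny" the post describes, written here as an added POSIX shell example (it is not the poster's Perl script). The pidfile path, restart command and restart cap are assumed values; the restart cap is there so that a query which kills named on every retry shows up as a crash loop instead of being silently masked.

```shell
#!/bin/sh
# Added example: watch the pid recorded in named's pidfile and restart named
# when it is gone. PIDFILE, RESTART_CMD, MAX_RESTARTS and INTERVAL are assumed
# defaults; override them in the environment. Run as root or as the user named
# runs as, otherwise kill -0 reports EPERM and the daemon looks dead.
PIDFILE="${PIDFILE:-/var/run/named.pid}"
RESTART_CMD="${RESTART_CMD:-/usr/sbin/named -u named}"
MAX_RESTARTS="${MAX_RESTARTS:-5}"   # give up after this many restarts
INTERVAL="${INTERVAL:-10}"          # seconds between liveness checks

# named_alive PIDFILE: succeed if the pid in PIDFILE refers to a live process.
# A stale pidfile whose pid has since been reused would fool this check; a
# stricter nanny would also compare the process name.
named_alive() {
    [ -r "$1" ] || return 1
    pid=$(tr -cd '0-9' < "$1")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# check_once PIDFILE RESTART_CMD: restart named if it is not running.
# Exit status: 0 = was running, 2 = restarted successfully, 1 = restart failed.
check_once() {
    named_alive "$1" && return 0
    echo "$(date '+%F %T') named not running (pidfile $1), restarting" >&2
    sh -c "$2" || return 1
    sleep 1                      # give the new process time to write its pidfile
    named_alive "$1" && return 2
    return 1
}

# nanny_loop: check forever, counting restarts so a crash loop is noticed.
nanny_loop() {
    restarts=0
    while :; do
        rc=0; check_once "$PIDFILE" "$RESTART_CMD" || rc=$?
        case $rc in
            2) restarts=$((restarts + 1)) ;;
            1) echo "restart of named failed" >&2; return 1 ;;
        esac
        if [ "$restarts" -ge "$MAX_RESTARTS" ]; then
            echo "named restarted $restarts times; giving up" >&2
            return 1
        fi
        sleep "$INTERVAL"
    done
}

# Only start the loop when invoked as "nanny.sh run" (so the functions can be sourced).
if [ "${1:-}" = run ]; then nanny_loop; fi
```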
