Vulnerability Development mailing list archives

Re: Bind recursive queries quota.


From: Guanglong Zhang <glzhang () 21cn com>
Date: Sat, 20 Jul 2002 09:56:25 +0800

Hello Robert,

Hm..., I meet the same problem of bind9 recursive queries DoS.
Does anyone have a solution?

Saturday, July 20, 2002, 1:27:19 AM, you wrote:
Robert Buckley> Howdy,
Robert Buckley>         Does anyone have any information about exploiting bind's recursive
Robert Buckley> queries [num] limitation.
Robert Buckley> One of our clients decided to do a very intensive WebTrends report, which (
Robert Buckley> I assume ) had an option to do 
Robert Buckley> dns lookups. We use a Cisco pix on the border, with 2 external and 2
Robert Buckley> internal bind 9 systems. 

Robert Buckley> The Cisco pix contains a feature called a DNS-GUARD that will prevent the
Robert Buckley> same query being answered twice.
Robert Buckley> In other words, the 1st guy to come back with the answer to a query is let
Robert Buckley> in, anyone else is denied.

Robert Buckley> Our firewall logs showed inbound denials from our two externals had
Robert Buckley> increased 196.x times more than normal.
Robert Buckley> AVG 400 or so to about 60 thousands plus. An investigation showed that one
Robert Buckley> single client ( The Web Trends Guy) was slamming our internal servers with
Robert Buckley> queries.
Robert Buckley> Our logging on our dns servers showed.  Client Recursive Queries Quota
Robert Buckley> Reached.

Robert Buckley> According to some research we've done, a bind server will stop answering
Robert Buckley> queries if it has the default value of 100 unanswered queries in memory.
Robert Buckley> Of course this value can be increased via an option. It seemed to me that
Robert Buckley> this type of abuse from the webtrends app, nearly caused a denial of service
Robert Buckley> on our dns. 

Robert Buckley> IMO, it would be trivial to write something to ask 100 bogus queries that
Robert Buckley> don't get answered in time.
Robert Buckley> Anyone have a similar experience or security information on this?



        

-- 
James Zhang                          
Manager,T.S.Dept. Marsec System     Mobile: 13910526162
Office: +8610-88087212-3004         FAX: +8610-88087300
Http://www.babygoal.com             Email: glzhang () 8848 net
PGP Public key:
ftp://ftp.babygoal.com/pub/pgpkey/glzhang.8848.net.asc
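
Added example, not part of the original messages or of BIND: a log summary for the situation Robert describes, showing which client dominates the query load and which other clients were refused once the recursion quota filled. The log lines are constructed, and their layout (BIND 9-style `client <ip>#<port>: ...` messages, including the "quota reached" wording), the addresses and the 50% share threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample: one client doing bulk reverse lookups, two others refused.
# Line layout is an assumption modelled on BIND 9 client log messages.
HEAVY = "\n".join(
    f"20-Jul-2002 01:27:19.{i:03d} client 10.1.1.50#1031: "
    f"query: {i}.0.0.10.in-addr.arpa IN PTR"
    for i in range(1, 9)
)
SAMPLE_LOG = HEAVY + """
20-Jul-2002 01:27:19.200 client 10.1.1.7#1044: query: www.example.com IN A
20-Jul-2002 01:27:19.300 client 10.1.1.7#1045: no more recursive clients: quota reached
20-Jul-2002 01:27:19.310 client 10.1.1.9#2001: no more recursive clients: quota reached
"""

# Matches the client address and the message that follows "ip#port: ".
LINE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: (?P<msg>.*)")


def summarize(log_text, share_threshold=0.5):
    """Count queries and quota refusals per client.

    heavy_clients: clients whose share of all logged queries is at least
    share_threshold (hypothetical tuning value).
    refused_bystanders: clients that hit the quota but are not heavy, i.e.
    the ones paying for someone else's load.
    """
    queries, quota_hits = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-client message
        if m["msg"].startswith("query:"):
            queries[m["ip"]] += 1
        elif "quota reached" in m["msg"]:
            quota_hits[m["ip"]] += 1
    total = sum(queries.values())
    heavy = {ip: n for ip, n in queries.items()
             if total and n / total >= share_threshold}
    return {
        "total_queries": total,
        "heavy_clients": heavy,
        "quota_hits": dict(quota_hits),
        "refused_bystanders": sorted(ip for ip in quota_hits if ip not in heavy),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The refused clients in the sample are not the heavy one, which is why the quota message alone does not identify the source of the load.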

