Bind 9.4.3 and 2 hr DNS flooding problem

[branfarm]

Hi there.

I'm having a problem with my BIND server, where every 2hrs I get flooded with DNS messages such as these:

named[21338]: unexpected RCODE (REFUSED) resolving '48x40.com/MX/IN': 66.196.84.168#53

unexpected RCODE (SERVFAIL) resolving 'ns.ryazan.ru/A/IN': 82.196.129.12#53

named[21338]: lame server resolving '121gigawatts.net' (in '121gigawatts.NET'?): 209.59.180.230#53

named[21338]: FORMERR resolving 'betsgroup.com/MX/IN': 205.178.144.51#53

named[21338]: client 216.240.128.56#1031: no more recursive clients: quota reached



The flood seems to last about 40 seconds, and during that time the quantity of DNS messages is actually causing a mini DoS on one of my firewall interfaces. The firewall actually drops some of the UDP DNS requests:

Dropped UDP DNS reply from outside:xx.xx.xx.xx/53 to dmz:xx.xx.xx.xx/59323; packet length 524 bytes exceeds configured limit of 512 bytes


Does anyone have any idea what would cause this DNS flood every two hours, and what I might do to alleviate the problem?

Thanks in advance!

[davidanand]

Hello,

do you have an caching name server ?

[branfarm]

I don't believe it's a caching server. I have the 'recursion no' line set in the options section of my named.conf

[davidanand]

Hi,

I would prefer an caching name server and what is the kernel you have..?

[branfarm]

I'm running an pretty old kernel: 2.6.18-1.2239.fc5

[davidanand]

Hey,

when did you get this error while the server gets load ?
or bind fails normally...Did the system update happen frequently..and please
check that the system has upgraded to chroot environment...

[centuser1]

these are just hack atempts or least likely that your ip was once a recursive server.

worry more if the errors stop showing up