Howdy,

Does anyone have any information about exploiting BIND's recursive queries [num] limitation? One of our clients decided to do a very intensive WebTrends report, which (I assume) had an option to do DNS lookups. We use a Cisco PIX on the border, with 2 external and 2 internal BIND 9 systems. The Cisco PIX contains a feature called DNS-GUARD that will prevent the same query being answered twice. In other words, the 1st guy to come back with the answer to a query is let in; anyone else is denied.

Our firewall logs showed inbound denials from our two externals had increased 196.x times more than normal: avg. 400 or so to about 60 thousand plus. An investigation showed that one single client (the WebTrends guy) was slamming our internal servers with queries. Our logging on our DNS servers showed "Client Recursive Queries Quota Reached". According to some research we've done, a BIND server will stop answering queries if it has the default value of 100 unanswered queries in memory. Of course this value can be increased via an option.

It seemed to me that this type of abuse from the WebTrends app nearly caused a denial of service on our DNS. IMO, it would be trivial to write something to ask 100 bogus queries that don't get answered in time. Anyone have a similar experience or security information on this?
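Added example, not part of the original post: a small log-analysis script that does the investigation step the poster describes, i.e. finds which client is burning through the recursive-client quota by reading the BIND 9 query log alongside the "quota reached" messages. The log line shapes it parses (`client <ip>#<port>: query: <name> IN <type>` and `client <ip>#<port>: no more recursive clients: quota reached`) are assumed BIND 9 formats; adjust the two regexes to whatever your logging channel actually emits. The sample traffic is constructed inline (one quiet host, one host issuing 150 PTR lookups in two seconds), not captured from the poster's network.

```python
"""Find the clients that exhaust BIND's recursive-client quota.

Reads BIND 9 query-log lines plus "quota reached" lines, buckets queries per
client per second, and reports the clients whose burst rate exceeds a
threshold. Log formats below are assumptions, not the original post's text.
"""
import re
from collections import Counter, defaultdict

# Assumed BIND 9 line shapes (adjust to your channel/category format):
#   <date> <time> client <ip>#<port>: query: <name> IN <type>
#   <date> <time> client <ip>#<port>: no more recursive clients: quota reached
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<type>\S+)"
)
QUOTA_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: .*quota reached",
    re.IGNORECASE,
)


def parse_log(lines):
    """Return (queries per client, queries per client per second, quota events)."""
    per_client = Counter()
    per_client_second = defaultdict(Counter)
    quota_events = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            ip = m.group("ip")
            second = m.group("ts").split(".")[0]  # drop the milliseconds
            per_client[ip] += 1
            per_client_second[ip][second] += 1
            continue
        m = QUOTA_RE.match(line)
        if m:
            quota_events.append((m.group("ts"), m.group("ip")))
    return per_client, per_client_second, quota_events


def hot_clients(per_client_second, max_qps):
    """Clients whose peak one-second query count exceeds max_qps, worst first."""
    peaks = {ip: max(buckets.values()) for ip, buckets in per_client_second.items()}
    return sorted(
        ((ip, peak) for ip, peak in peaks.items() if peak > max_qps),
        key=lambda t: -t[1],
    )


def build_sample():
    """Constructed sample log (not real traffic): one quiet client, one flooder."""
    lines = []
    for i in range(5):  # 10.1.1.5: one lookup per second, normal behaviour
        lines.append(
            f"19-Jul-2002 10:40:0{i}.100 client 10.1.1.5#1025: "
            f"query: www.example.com IN A"
        )
    for i in range(150):  # 10.1.1.77: 75 reverse lookups per second for two seconds
        sec = 10 + i // 75
        ms = (i % 75) * 13
        lines.append(
            f"19-Jul-2002 10:40:{sec}.{ms:03d} client 10.1.1.77#2048: "
            f"query: {i}.1.1.10.in-addr.arpa IN PTR"
        )
    lines.append(
        "19-Jul-2002 10:40:11.990 client 10.1.1.77#2048: "
        "no more recursive clients: quota reached"
    )
    return lines


if __name__ == "__main__":
    totals, per_second, events = parse_log(build_sample())
    for ip, peak in hot_clients(per_second, max_qps=20):
        print(f"{ip}: {totals[ip]} queries, peak {peak}/s")
    for ts, ip in events:
        print(f"{ts}: quota reached while serving {ip}")
```

Run it against a real `queries` channel by replacing `build_sample()` with the file's lines; the per-second peak is the useful number here, since a reporting tool doing reverse lookups for every hit in a web log produces exactly the short, dense burst that fills the quota before the answers come back.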
This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 10:42:28 PDT