Re: Query NS <Root>
On Sun, Feb 01, 2004 at 03:46:07PM +0100, Hans Spaans wrote:

> You added it globally and to every zone? Also allow-transfer is a nice
> one to get into place. But you will see queries being denied and if you

Yes, I've got allow-transfer groups on all domains; allow-query { any; }
on all domains I serve, and an options allow-query group and allow-recursion
group in options so that only authorized sites can use the cache.

> check those IPs you'll see that they don't run any nameserver. So
> don't worry too much.

I'd originally thought otherwise, but as I went through
the trace I found the real name servers were trying to
do a lookup for a dead zone, one I used to host but which
the owner has taken off line. Some fairly big ISPs are
using annoyingly short Retry times...

> I did but wasn't impressed, only when the new cyberangels was making
> sure we needed to handle an extra 6 a 700 q/s ;-)

I have to be careful though as I get phone calls if
my bandwidth usage goes too high. It got so bad a week
ago (before I put in the blocking) that processes
were dying on my server due to memory starvation (the kernel
was killing processes as resources were being overused),
that I had to risk down time to do something about it.
I'd still be interested to know if anyone knows *why*
so many people are doing this. I know what they are doing;
I can block it; but I'm curious. I've got a gut feeling
it has something to do with spammers hiding their tracks,
but I'm not sure how it would or why it would be useful
to them.
I just can't come up with anything else.
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
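
The named.conf layout described in the message above, as an added illustration that is not part of the original post and is not the poster's actual configuration. The ACL names, addresses, zone name and file name are placeholders (documentation ranges), and BIND 9 syntax is assumed.

```conf
// Constructed example; every name and address below is a placeholder.

// Clients allowed to use the cache (resolve names this server does not host).
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

// Secondary name servers allowed to pull zone transfers.
acl "secondaries" {
    198.51.100.53;
};

options {
    // Global defaults: only trusted clients may query or recurse,
    // so outside clients cannot use the cache.
    allow-query     { "trusted"; };
    allow-recursion { "trusted"; };
    // No transfers unless a zone explicitly permits them.
    allow-transfer  { none; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Authoritative data is public: override the global allow-query.
    allow-query    { any; };
    // Transfers only to the listed secondaries.
    allow-transfer { "secondaries"; };
};
```

With this layout, a query from an outside address for any name that is not in a hosted zone, such as the root NS set or a zone that has been taken off line, falls under the global allow-query and is refused, which is the source of the denied-query log entries discussed in the thread.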