I noticed that named (BIND) has been using a lot of CPU for the last few hours, 10% to 30% constantly:
2325 named 25 0 3920 S 15.9 0.3 0:26 /usr/sbin/named -u named
What could be the problem, and how do I find which user is abusing BIND?
Thank you!
█ Stop SPAM & VIRUS :: ASSP Deluxe for cPanel http://www.grscripts.com
█ ASSP Deluxe is supported by Fritz Borgstedt,ASSP main developer.
I noticed the same thing on my Fedora 2 server.
I killed those processes and restarted BIND.
Solved.
Someone was attacking with DNS queries (using tons of different IP addresses per second)
a domain name which was closed, but it was still pointing to my nameservers.
If you have the same problem leave me a PM and I will tell you how to solve this kind of problem (I prefer not to post the solution here, otherwise the hacker could find a workaround).
Bye
Can you post a way to trace back the DNS query SYN flood to the victim IP?
Thank you
Scott
International Offshore Hosting from Hong Kong, Singapore, Panama, Malaysia, India, China, Australia and the USA.
Authorized cPanel PartnerNOC in 8 countries.
www.katzglobal.com
Due to continuous requests I will post the solution here.
Solution
a) Investigate which domain name is flooding your named
(using ndc query logging on and examining /var/log/messages).
b) If the domain is flooded.com, check a whois of this domain name.
c) If flooded.com is using your DNS (probably yes), create an account for him,
or simply create a DNS entry for him.
d) (optional) Redirect flooded.com to your master account to get more traffic.
After executing point c) named will return to working normally.
(In other words, if a domain name uses your DNS but it's not listed as a WHM account
with its own DNS, the hacker could bring an attack to your named, slowing it down.
I don't know in which way they bring the attack, however; perhaps requesting multiple DNS queries. Hope it helps.)
Last edited by Radio_Head; 06-05-2005 at 01:59 AM.
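The investigation step in (a), and the original question of how to find who is hammering named, as an added example that is not part of any post in this thread: a small Python script that reads the query-log lines BIND writes to /var/log/messages (or stdin) and reports which domain is queried most and from how many distinct client addresses, which is the pattern Radio_Head describes (many source IPs hitting one dead name). The log lines embedded in it are constructed. It assumes the BIND 9 "client A.B.C.D#port: query: name IN type" line and the older BIND 8 "XX /A.B.C.D/name/type/IN" line; the script name, helper functions and the two-label domain folding are my own, not anything from cPanel or BIND.

```python
#!/usr/bin/env python3
"""Find which domain (and which clients) are flooding named.

Added example, not from the thread.  Feed it the query-log lines that
'ndc querylog' / 'rndc querylog' write to /var/log/messages, e.g.

    grep 'query' /var/log/messages | python3 dns_flood_top.py

or give the file as the first argument.  With no input it runs on the
constructed sample below.
"""
import re
import sys
from collections import Counter

# Assumed BIND 9 query-log line (optionally preceded by a syslog prefix):
#   client 198.51.100.7#40001: query: www.flooded.com IN A +
# Newer BIND 9 adds "@0x..." after "client" and "(name)" after the port;
# both are accepted as optional here.
BIND9_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?:"
    r" query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
# Assumed BIND 8 query-log line ("XX+" marks a recursive query):
#   XX /198.51.100.7/www.flooded.com/A/IN
BIND8_RE = re.compile(
    r"XX\+? /(?P<ip>[0-9A-Fa-f.:]+)/(?P<qname>[^/]+)/(?P<qtype>[^/]+)/IN"
)

# Constructed sample: five different sources querying flooded.com, one
# source querying example.net (once in each log format), plus a non-query
# line that must be ignored.
SAMPLE_LOG = """\
Jun  5 01:40:01 host named[2325]: client 198.51.100.7#40001: query: www.flooded.com IN A +
Jun  5 01:40:01 host named[2325]: client 198.51.100.8#40002: query: flooded.com IN MX +
Jun  5 01:40:01 host named[2325]: client 198.51.100.9#40003: query: mail.flooded.com IN A +
Jun  5 01:40:02 host named[2325]: client 203.0.113.5#40004: query: www.flooded.com IN A +
Jun  5 01:40:02 host named[2325]: client 203.0.113.6#40005: query: ftp.flooded.com IN A +
Jun  5 01:40:02 host named[2325]: client 192.0.2.10#40006: query: www.example.net IN A +
Jun  5 01:40:03 host named[2325]: XX /192.0.2.10/www.example.net/A/IN
Jun  5 01:40:03 host named[2325]: zone example.net/IN: loaded serial 2005060501
"""


def parse_query(line):
    """Return (client_ip, qname, qtype) for a query line, else None."""
    for rx in (BIND9_RE, BIND8_RE):
        m = rx.search(line)
        if m:
            # Normalise the name: lower-case, no trailing dot.
            return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")
    return None


def domain_of(qname):
    """Fold a host name onto its last two labels (www.flooded.com -> flooded.com).
    Assumption: plain two-label domains; co.uk-style suffixes would need a
    public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def summarise(lines):
    """Count queries per domain and per client, and distinct clients per domain."""
    by_domain, by_client = Counter(), Counter()
    clients = {}
    parsed = 0
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        parsed += 1
        ip, qname, _qtype = q
        dom = domain_of(qname)
        by_domain[dom] += 1
        by_client[ip] += 1
        clients.setdefault(dom, set()).add(ip)
    return {
        "parsed": parsed,
        "by_domain": by_domain,
        "by_client": by_client,
        "distinct_clients": {d: len(s) for d, s in clients.items()},
    }


def suspects(summary, top=5):
    """Domains ranked by query count, with the number of distinct sources.
    A high count spread over many sources is the pattern in the thread: a
    dead domain that still delegates to this server, flooded from many IPs."""
    return [
        (dom, n, summary["distinct_clients"][dom])
        for dom, n in summary["by_domain"].most_common(top)
    ]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    elif not sys.stdin.isatty():
        lines = sys.stdin.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    s = summarise(lines)
    print(f"{s['parsed']} query lines parsed")
    print(f"{'domain':<22} {'queries':>7}  {'distinct clients':>16}")
    for dom, n, c in suspects(s):
        print(f"{dom:<22} {n:>7}  {c:>16}")
    print("busiest clients:", s["by_client"].most_common(5))


if __name__ == "__main__":
    main(sys.argv)
```

On the sample the top line is flooded.com with 5 queries from 5 different clients, while example.net shows 2 queries from a single client; on a real /var/log/messages the domain at the top of that table with a client count far above everything else is the one to whois and, per step (c), to create a zone for so named answers it authoritatively instead of working for every query.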