RE: Above.net problems ??

Is there any relationship between this “europeanwide” above.net failure and the huge amount of DNS requests to lockup.zonelabs.com which failed that every ISP (at least in France) seem to have encountered last night?
The zonelabs.com zone is hosted on Above.net NS servers.

The Netherlands were hit as well. We saw a massive flood of queries for lockup.zonelabs.com, too. It performed a nice DoS on our client name servers… :-(

You’d think that an unresponsive nameserver would be flagged dead, and such information be cached. Does anyone know whether that’s actually done in Bind 8.3.4? Or perhaps not by default?

Cheers,

Arjan H

Not even a clue-by-four would work with this clown.

> You'd think that an unresponsive nameserver would be flagged dead, and such
> information be cached. Does anyone know whether that's actually done in Bind
> 8.3.4? Or perhaps not by default?

This certainly does not happen when all authoritative nameservers
are unresponsive. See http://www.nanog.org/mtg-0310/wessels.html,
in particular pages 23 and 24 of the slides.

In my simulations with 100% packet loss, DNS caches running BIND8,
dnscache, W2000, and W2003 all amplified the user's query rates.
Only BIND9 attenuated.

The results do depend on the actual query rate, however. At a
higher query rate, the other caches would/should attenuate as well
(perhaps reaching their hard-coded rate limits), but I don't have
the exact numbers.

It would be interesting to repeat the simulation and take out, say,
half of a set of authoritative nameservers during the middle of the
test.

Duane W.

pdns_recursor also throttles queries, see http://doc.powerdns.com/x2025.html

BIND9 does this, but it won't prevent clients from still asking the
question over and over again. So an ISP with lots of downstream dumb
clients (i.e. Windows) will still experience the DOS unless they have
sufficient capacity in their DNS servers or rate-limit tcp/udp 53 at
their network edge.

client -> caching name server -> authoritative name server
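
The amplification and throttling discussed in this thread can be sketched with a toy model. This is an added example, not code from any poster or from the resolvers named above. The retry count, timeout and hold-down values are assumptions chosen for illustration, not measured behaviour of BIND, dnscache or pdns_recursor.

```python
"""Toy model: a caching resolver whose authoritative servers all drop packets."""

def upstream_packets(client_times, n_servers=2, tries_per_server=3,
                     timeout=2.0, holddown=None):
    """Count packets sent towards the (dead) authoritative servers.

    holddown=None: every client query starts a full retry cycle.
    holddown=secs: while a cycle is in flight, and for `secs` seconds after
                   it fails, clients are answered from the failure cache.
    All parameter values are assumptions for this sketch.
    """
    cycle_packets = n_servers * tries_per_server   # every packet is lost
    cycle_duration = cycle_packets * timeout       # retries run sequentially
    sent = 0
    suppressed_until = float("-inf")
    for t in sorted(client_times):
        if holddown is not None and t < suppressed_until:
            continue                               # no upstream traffic
        sent += cycle_packets
        if holddown is not None:
            suppressed_until = t + cycle_duration + holddown
    return sent

def amplification(client_times, **kwargs):
    """Upstream packets per client query: >1 amplifies, <1 attenuates."""
    return upstream_packets(client_times, **kwargs) / len(client_times)

# Constructed sample loads (timestamps in seconds).
BUSY = [i / 10 for i in range(600)]   # 10 queries/s for one minute
IDLE = [0.0, 60.0, 120.0]             # one query per minute

if __name__ == "__main__":
    for name, times in (("busy", BUSY), ("idle", IDLE)):
        print(name,
              "no hold-down:", amplification(times),
              "30 s hold-down:", amplification(times, holddown=30.0))
```

In this model the hold-down only attenuates when client queries arrive faster than the hold-down expires, which mirrors the point above that the results depend on the query rate.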