I’ve seen this behavior before, also. I thought it was interesting that two servers side by side receiving the same attacks/ratios only serving DNS (BIND 8.2.x*) and acted in this manner:
Redhat 6.2 w/dual proc 833 512/ram started “losing” RR records
Solaris 7 on a Sparc 10 (hehe) w/256 rebooted and served the correct records
I’m curious to see how other OSes react to these attacks. My guess is that BSD systems (such as FreeBSD and BSDi) will react similarly to the Solaris based on my past experience with these systems. So I am curious to see if the RR record “loss” is an OS specific behaviour, especially since Redhat has priors in misplacing information in earlier versions of the OS.
* I say BIND 8.2.x, because this continued to occur through the various BIND 8.2 releases.
Best regards,
Karyn Ulriksen
Valkaryn Internet Group
URL: http://www.valkaryn.net
email: valkaryn@valkaryn.net
I'm curious to see how other OSes react to these attacks. My guess is that
BSD systems (such as FreeBSD and BSDi) will react similarly to the Solaris
based on my past experience with these systems. So I am curious to see if
the RR record "loss" is an OS specific behaviour, especially since Redhat
has priors in misplacing information in earlier versions of the OS.
Slightly related to that; at the RIPE meeting last week, RIPE NCC
described a DNS server testbed that they had produced, primarily to
test a new authoritative nameserver. As an experiment, it was run with
BIND 8.2.5 on both FreeBSD and Linux. The performance of the FreeBSD
system under bursty loads was significantly better than Linux (on the
same system?) for moderate-to-high loads.
The presentation should eventually be available under:
http://www.ripe.net/ripe/meetings/archive/ripe-41/presentations.html#dns
(but it isn't there yet)
I'm not sure if the returned data was analysed in any depth, but Evi
Nemeth's talk at the next NANOG could be interesting if the title is
anything to go by...
Cheers,
Rob