(In reply to comment #0)
> Description of problem:
> I'm receiving frequent attacks to a named server at port 53.
> The traffic is 15Kbits/sec in and 1.4Mbit/sec out.
> The problem is that I don't know if this is a problem with my configuration
> file or a vulnerability of bind package.

Not sure if this is an attack but it might be - such traffic usually indicates that someone asks for the root hints (i.e. query for the "." NS records) and your server returns them.

> //
> // named.conf
> //
> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> // server as a caching only nameserver (as a localhost DNS resolver only).
> //
> // See /usr/share/doc/bind*/sample/ for example named configuration files.
> //
> 
> options {
>  recursion no;
>  allow-recursion {192.168.1.0/24;};
>  allow-query { any; };
> 
> listen-on port 53 {
>  127.0.0.1;
>  10.0.0.3;
>         192.168.1.2;
> };
> 
> 
>  listen-on-v6 port 53 { ::1; };
>  directory  "/var/named";
>  dump-file  "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
> 
>  dnssec-enable yes;
>  dnssec-validation yes;
> dnssec-lookaside auto;
> bindkeys-file "/etc/named.iscdlv.key";
> };
> 
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> 
> </named.conf> 
> 
> Am I doing something wrong with the configuration or there's a new
> vulnerability that needs consideration?
> 
> What I'm actually doing to resolve this issue is blocking the networks where
> the attacks come from. So far, I'm blocking the following networks with
> iptables:
> -I INPUT -p tcp -s 201.20.35.12/29 -j DROP
> -I INPUT -p udp -s 201.20.35.12/29 -j DROP
> -I INPUT -p tcp -s 174.36.27.8/29 -j DROP
> -I INPUT -p udp -s 174.36.27.8/29 -j DROP
> -I INPUT -p tcp -s 201.20.35.32/29 -j DROP
> -I INPUT -p udp -s 201.20.35.32/29 -j DROP
> -I INPUT -p tcp -s 201.20.35.16/29 -j DROP
> -I INPUT -p udp -s 201.20.35.16/29 -j DROP
> -I INPUT -p tcp -s 201.20.34.96/29 -j DROP
> -I INPUT -p udp -s 201.20.34.96/29 -j DROP
> -I INPUT -p tcp -s 201.41.210.88/29 -j DROP
> -I INPUT -p udp -s 201.41.210.88/29 -j DROP
> 
> Would you help me to find out what I'm doing wrong with my named configuration?

Can you please substitute "allow-recursion" directive by "allow-query-cache" and report if the traffic is still unbalanced? The "allow-recursion" doesn't prevent the "root hints" attack written above.

However your current solution (packets are dropped directly on firewall) is the best in case some network attacks your servers.

(In reply to comment #1)
> (In reply to comment #0)
> > Description of problem:
> > I'm receiving frequent attacks to a named server at port 53.
> > The traffic is 15Kbits/sec in and 1.4Mbit/sec out.
> > The problem is that I don't know if this is a problem with my configuration
> > file or a vulnerability of bind package.
> 
> Not sure if this is an attack but it might be - such traffic usually indicates
> that someone asks for the root hints (i.e. query for the "." NS records) and
> your server returns them.
> 

I captured some packages with wireshark and it looks like a flooding attack. The dns query was nul and the response from my server was invalid query, and that was going on at a very high speed.

The attacks ceased now. If it comes back again, I will submit some sniffs using wireshark.

> 
> Can you please substitute "allow-recursion" directive by "allow-query-cache"
> and report if the traffic is still unbalanced? The "allow-recursion" doesn't
> prevent the "root hints" attack written above.
> 

I will do this change and let you know what happens as soon as new a attack comes.

thanks and kind regards

(In reply to comment #2)
> (In reply to comment #1)
> > (In reply to comment #0)
> > > Description of problem:
> > > I'm receiving frequent attacks to a named server at port 53.
> > > The traffic is 15Kbits/sec in and 1.4Mbit/sec out.
> > > The problem is that I don't know if this is a problem with my configuration
> > > file or a vulnerability of bind package.
> > 
> > Not sure if this is an attack but it might be - such traffic usually indicates
> > that someone asks for the root hints (i.e. query for the "." NS records) and
> > your server returns them.
> > 
> 
> I captured some packages with wireshark and it looks like a flooding attack.
> The dns query was nul and the response from my server was invalid query, and
> that was going on at a very high speed.
> 
> The attacks ceased now. If it comes back again, I will submit some sniffs using
> wireshark.
> 
> > 
> > Can you please substitute "allow-recursion" directive by "allow-query-cache"
> > and report if the traffic is still unbalanced? The "allow-recursion" doesn't
> > prevent the "root hints" attack written above.
> > 
> 
> I will do this change and let you know what happens as soon as new a attack
> comes.

This won't help if packets were NULL queries. The firewall DROP rules are appropriate in this case (and more efficient than BIND's blackhole {} directive)

I'm closing this ticket because there is nothing which can be fixed in the bind pkg. Feel free to reopen it if you have any question.