HostingDirect
07-28-2002, 01:05 PM
For some reason, about 3 days ago the bandwidth (viewed in bandmin) on my name servers went from 5 meg a day to now over 1.5 gig a day, and I have seen my .named process running consistently between 3.0 and 5.0% in top for extended times.
Is there an easy way to see who is hitting my name server so hard or what might be causing this? Also, what is the best way to block the unwanted use?
Thanks!
On our RedHat 6.2 box, BIND logs to:
/var/log/messages
HostingDirect
07-28-2002, 02:04 PM
Originally posted by JTY
On our RedHat 6.2 box, BIND logs to:
/var/log/messages
My box is also 6.2 and I have been poking around the messages log but I am not finding anything out of the ordinary. This is very strange.
Thanks!
thewitt
07-28-2002, 02:18 PM
Turn debugging on at a low level, 1 or 2, and then you'll see where all the traffic is coming from.
-t
Curious Too
07-28-2002, 04:00 PM
Try a tcpdump to see where the traffic is coming from:
/usr/sbin/tcpdump -i eth0 -n -p not host [yourIPaddr]
Something similar happened to me a while ago. I signed up a customer whose domain was geocites.com. The mail, ftp and http traffic from people who mistyped geocities.com as geocites.com locked up the server.
I disabled the account immediately and removed it from my nameservers, but the customer refused to modify his domain record, resulting in my nameservers coming under what mimicked a mini DOS attack. It was only after I threatened legal action that he removed my nameservers from his domain record. In the meantime this little episode, which took about 2 weeks to resolve, used about 150GB of bandwidth.
astanley
07-28-2002, 04:00 PM
It's also possible that the bandwidth is coming from somewhere else. I suggest looking into the tcpdump utility to catch a snapshot of your network traffic. This will show you where the traffic is from and where it is headed (regarding which port). Depending on what you find here you might be able to cut some of the traffic down by firewalling it at a gateway router or at least the local interface.
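
The tcpdump suggestions in the two posts above produce a lot of raw lines. As an added example (not from any poster in this thread), this script ranks the clients hitting port 53 and the names they ask for. The function names, the capture filter in the comment and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: rank DNS clients and queried names from `tcpdump -n` text.
# Live use (stops after 5000 packets):
#   /usr/sbin/tcpdump -i eth0 -n -p -c 5000 udp dst port 53 | top_dns_sources

# Prints "count source-ip" for packets sent to port 53, busiest first.
top_dns_sources() {
    awk '{
        for (i = 2; i < NF; i++)
            if ($i == ">" && $(i + 1) ~ /\.53:$/) {
                src = $(i - 1)
                sub(/\.[0-9]+$/, "", src)      # strip the source port
                n[src]++
            }
    }
    END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Prints "count qtype name" for each question seen, busiest first.
top_dns_names() {
    awk '{
        for (i = 2; i < NF; i++)
            if ($i == ">" && $(i + 1) ~ /\.53:$/)
                for (j = i + 2; j < NF; j++)
                    if ($j ~ /^[A-Z0-9]+[?]$/) { q[$j " " tolower($(j + 1))]++; break }
    }
    END { for (k in q) print q[k], k }' | sort -k1,1nr -k2
}

# Constructed capture (documentation addresses). The second line is a reply
# and is ignored; the last line uses the older layout without the "IP" token.
sample_capture() {
    cat <<'EOF'
13:05:01.100001 IP 198.51.100.7.33012 > 203.0.113.5.53: 4211+ A? www.example.com. (33)
13:05:01.100450 IP 203.0.113.5.53 > 198.51.100.7.33012: 4211* 1/2/2 A 203.0.113.9 (120)
13:05:01.220113 IP 198.51.100.7.33013 > 203.0.113.5.53: 4212+ MX? example.com. (29)
13:05:01.310007 IP 192.0.2.44.1045 > 203.0.113.5.53: 911+ A? www.example.com. (33)
13:05:01.402210 IP 198.51.100.7.33014 > 203.0.113.5.53: 4213+ A? www.example.com. (33)
13:05:02.000900 192.0.2.44.1046 > 203.0.113.5.53: 912+ A? mail.example.net. (34)
EOF
}

sample_capture | top_dns_sources
sample_capture | top_dns_names
```

A handful of sources dominating the first list points at candidates for a firewall rule; a single name dominating the second points at one zone attracting the load, as in the geocites.com case described above.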