Today i found one of the server have high server load.

I have stoped all services and checked /var/log/messages and found too many requests for a domain that is not hosted on the server.

Nov 14 06:11:51 godislove named[10264]: lame server resolving ‘nambon.com’ (in ‘nambon.com’?): 69.93.202.214#53
Nov 14 06:11:52 godislove named[10264]: lame server resolving ‘nambon.com’ (in ‘nambon.com’?): 65.98.61.140#53
Nov 14 06:11:52 godislove named[10264]: lame server resolving ‘nambon.com’ (in ‘nambon.com’?): 69.93.202.214#53
Nov 14 06:11:52 godislove named[10264]: lame server resolving ‘nambon.com’ (in ‘nambon.com’?): 65.98.61.140#53

I restarted services, now the server load is low, but named take too much cpu time.

The domain is found to pointed to our name servers. To correct the load problem i created a zone file for the domain in the server.

vi /var/named/nambon.com.db

and put following content

; Zone File for nambon.com
$TTL 14400
@ 14440 IN SOA ns8.hosthat.com. flashweb.asianetonline.net. (
2005060502
14400
7200
3600000
86400
)

nambon.com. 1440000 IN NS ns8.hosthat.com.
nambon.com. 1440000 IN NS ns10.hosthat.com.

nambon.com. 1440000 IN A 127.0.0.1

localhost.nambon.com. 1440000 IN A 127.0.0.1

nambon.com. 1440000 IN MX 0 nambon.com.

mail 1440000 IN A 127.0.0.1
www 1440000 IN A 127.0.0.1

That is all IP’s for the domain pointed to 127.0.0.1 (local IP of any computer).

Also TTL time increased, so we don’t get too many requests in our name servers, IP will get cached in network and only few requests in our name server.

Now i added the zone file to /etc/named.conf

zone “nambon.com” {
type master;
file “/var/named/nambon.com.db”;
};

Now change ownership of zone file to user named

chown named:named /var/named/nambon.com.db

and restarted name servers

service named stop
service named start

Now the domain “nambon.com” is pointing to 127.0.0.1

So anyone attacking this domain is attacking themself 🙂