[Pdns-users] pdns stop responding and restarted himself

Thu Oct 19 09:36:13 UTC 2023

Hello,

I have 2 dns servers.
Both running on centos with his own replicated mysql backends

Yesterday both dns servers stopped responding for 3 minutes.

In the periode of 3 minutes I see a lot of lines for the same domain.

Pdns that was restared by it self and again the fluid of this domain.

Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 91.202.230.18 wants
'lp2.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS

Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 46.51.160.145 wants
'ns34.xxx.com|A', do = 1, bufsize = 1232: packetcache MISS

Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 192.73.240.129 wants
'thai.xxx.com|A', do = 1, bufsize = 1232: packetcache MISS

Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 146.112.128.69 wants
'auth-hack.xxx.com|A', do = 1, bufsize = 1232 (1410): packetcache HIT

Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 117.54.16.252 wants
'payments.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS

Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a02:2f0e:5fff:ffff::2
wants 'skyline.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS

Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a04:c602:409:fe::27 wants
'app3.xxx.com|A', do = 1, bufsize = 1232: packetcache MISS

After this:

Oct 18 21:42:36 ns1 systemd[1]: pdns.service: Service RestartSec=1s expired,
scheduling restart.

Oct 18 21:42:36 ns1 systemd[1]: pdns.service: Scheduled restart job, restart
counter is at 59.

Oct 18 21:42:36 ns1 systemd[1]: Stopped PowerDNS Authoritative Server.

Oct 18 21:42:36 ns1 systemd[1]: Starting PowerDNS Authoritative Server...

Oct 18 21:42:36 ns1 rsyslogd[795583]: imjournal: 102527 messages lost due to
rate-limiting (20000 allowed within 600 seconds)

Oct 18 21:42:36 ns1 systemd[1]: Started PowerDNS Authoritative Server.

Oct 18 21:42:36 ns1 systemd[1]: pdns.service: Main process exited,
code=exited, status=1/FAILURE

Oct 18 21:42:36 ns1 systemd[1]: pdns.service: Failed with result
'exit-code'.

Oct 18 21:42:37 ns1 systemd[1]: pdns.service: Service RestartSec=1s expired,
scheduling restart.

Oct 18 21:42:37 ns1 systemd[1]: pdns.service: Scheduled restart job, restart
counter is at 60.

Oct 18 21:42:37 ns1 systemd[1]: Stopped PowerDNS Authoritative Server.

-----

Oct 18 21:42:51 ns1 systemd[1]: Starting PowerDNS Authoritative Server...

Oct 18 21:42:53 ns1 systemd-journald[218]: Suppressed 80113 messages from
pdns.service

Oct 18 21:42:53 ns1 pdns_server[2514841]: Failed to retrieve security status
update for '4.8.2' on 'auth-4.8.2.security-status.secpoll.powerdns.com.':
RCODE was Server Failure

Oct 18 21:42:53 ns1 pdns_server[2514841]: gmysql Connection successful.
Connected to database 'powerdns' on '127.0.0.1'.

Oct 18 21:42:53 ns1 pdns_server[2514841]: Creating backend connection for
TCP

Oct 18 21:42:53 ns1 pdns_server[2514841]: Primary/secondary communicator
launching

Oct 18 21:42:53 ns1 pdns_server[2514841]: gmysql Connection successful.
Connected to database 'powerdns' on '127.0.0.1'.

Oct 18 21:42:53 ns1 pdns_server[2514841]: About to create 3 backend threads
for UDP

Than again a lot of the same lines for the same domain.
afther 3:36 minutes dns was responding normaly  and the request are back to
normal.
So It looks like some kind of attack.

Is there something that I can do to prevent this from the future.

Met vriendelijke groet,

Steffan Noord

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20231019/a4cb671b/attachment.htm>