Nonsense Name Attacks Are A Serious Concern For Sys Admins

  • Category: DDoS
  • Author: Admin
  • Publisher: Psychz Networks
  • June 05, 2015

As if data centers and server administrators didn’t have enough to worry about when it comes to the security of their installations, yet another serious problem has surfaced. It’s a type of DDoS attack being called the “Nonsense Name” attack, and most servers are at risk because it targets name servers.

How It Works

The apparent goal of a Nonsense Name attack is to target authoritative name servers for a DNS zone, by overwhelming them with requests from recursive name servers. The process works this way:

  1. A bot (or network of bots) creates a large number of nonsense domains in the target zone to query. If the attack is being launched against domain.zone, for example, it will generate abcde.domain.zone, fghij.domain.zone, klmno.domain.zone and so on, and then send queries for all of them to recursive name servers.
  2. The recursive name servers will, as is their job, send each query on to the authoritative name servers for domain.zone, which then naturally return an NXDOMAIN response (meaning the names being queried don’t exist) to the recursive servers.
  3. If the queries keep coming fast enough, eventually the authoritative name servers will stop answering them. That in turn clogs up the recursive name servers making the requests, and they run out of query slots. At that point, the recursive servers will simply refuse all new queries, even legitimate ones. In effect, the server is completely stopped from resolving client requests.

Even if the goal is to hit authoritative name servers, all of the recursive name servers involved are victimized as well.

Dealing with a Nonsense Name Attack

The first step in handling this new threat is knowing what to look for. When a recursive name server begins sending the message “no more recursive clients; quota reached” to syslog, you should immediately suspect that the shortage of free recursive query slots is due to a Nonsense Name attack. Those syslog messages contain the IP addresses of the clients making the queries, so if they look suspicious you can quickly exclude them with an access control list.

If you’re not sure about the IPs, things get more complicated. The best approach is to use the RPZ (response policy zone) feature in BIND to tell the recursive name servers not to send any queries for the affected zone upstream. You would set up a rule that looks like this:

*.domain.zone.the.rpz.zone       IN     CNAME       .

and then set the qname-wait-recurse option in BIND to “no.” After that, anyone querying a domain in domain.zone would automatically receive an NXDOMAIN response from the recursive server, and the authoritative name servers would never get involved at all.
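The triage steps above, as an added example that is not part of the original post: it parses the syslog message quoted earlier to list the clients consuming recursive slots, infers the zone under attack from the queried names, and emits the matching RPZ records. The log lines, the `the.rpz.zone` name and the two-label zone assumption are constructed for illustration.

```python
"""Triage BIND syslog for a Nonsense Name attack (added example, constructed data).
Assumes BIND-style lines where the client address and queried name precede the
message text quoted in the post."""
import re
from collections import Counter

# Constructed sample, modelled on the message quoted in the post; not a real capture.
SAMPLE_LOG = """\
Jun  5 10:00:01 ns1 named[1234]: client 192.0.2.10#53412 (abcde.domain.zone): no more recursive clients; quota reached
Jun  5 10:00:01 ns1 named[1234]: client 192.0.2.10#53413 (fghij.domain.zone): no more recursive clients; quota reached
Jun  5 10:00:02 ns1 named[1234]: client 198.51.100.7#4455 (klmno.domain.zone): no more recursive clients; quota reached
Jun  5 10:00:02 ns1 named[1234]: client 203.0.113.5#1053 (www.example.com): query: www.example.com IN A +
Jun  5 10:00:03 ns1 named[1234]: client 192.0.2.10#53414 (pqrst.domain.zone): no more recursive clients; quota reached
"""

# Tolerates the optional "@0x..." client handle newer BIND versions log, and
# either ";" or a "(cur/soft/hard):" counter between the two halves of the message.
QUOTA_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"no more recursive clients.*quota reached")

def parse_quota_events(log_text):
    """Return (client_ip, queried_name) for every quota-reached line."""
    events = []
    for line in log_text.splitlines():
        m = QUOTA_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("qname").lower().rstrip(".")))
    return events

def suspect_zone(events, labels=2):
    """Most frequent parent zone (last `labels` labels) of the queried names."""
    zones = Counter(".".join(q.split(".")[-labels:]) for _, q in events)
    return zones.most_common(1)[0][0] if zones else None

def top_clients(events, n=5):
    """Clients sending the most blocked queries, for access-control-list review."""
    return Counter(ip for ip, _ in events).most_common(n)

def rpz_records(zone, rpz_zone="the.rpz.zone"):
    """RPZ records for the zone apex and everything below it; 'CNAME .' is the
    RPZ action that answers NXDOMAIN without contacting the authoritative servers."""
    return [f"{zone}.{rpz_zone}.  IN  CNAME  .", f"*.{zone}.{rpz_zone}.  IN  CNAME  ."]

if __name__ == "__main__":
    ev = parse_quota_events(SAMPLE_LOG)
    zone = suspect_zone(ev)
    print(len(ev), "events; top clients:", top_clients(ev), "; zone:", zone)
    print("\n".join(rpz_records(zone)))
```

The RPZ records still need the zone loaded under a `response-policy` statement with `qname-wait-recurse no`, as the post describes.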

For recursive name servers that don’t run BIND (or haven’t been updated to BIND 9.1), the best option is to create an empty “dummy” zone to stand in for the real domain.zone. Configure the recursive server as authoritative for that empty zone, and any queries for names in it will then get an NXDOMAIN response locally.

Of course, these are both temporary changes; once the attack is over, you’ll need to set things back the way they were in order for domain resolution to resume.

In the near future, the Internet Systems Consortium is planning to release two new options for BIND name server configuration, which will automatically limit queries like the ones created by Nonsense Name attacks. Until then, the above fixes should limit the nonsense your name servers may face.
