DNS DOS increasing?
jsmith at PRESIDIO.com
Tue Jan 22 18:11:23 UTC 2002
From: E.B. Dreger [mailto:eddy+public+spam at noc.everquick.net]
Sent: Tuesday, January 22, 2002 12:51 AM
To: just me
Cc: Miquel van Smoorenburg; nanog at merit.edu
Subject: Re: DNS DOS increasing?
That's not the problem. It's ill-behaved clients that ignore TTL
and query every 10s no matter what. See some of James Smith's
Methinks I have been misunderstood or I have obfuscated my own point... The
dns server is set to give a 10 second TTL to the dns client. The entry ages
out in 10 seconds, so the client (following expected practice) ages the
entry out. 15 seconds later, when they click on the next button on the web
page (for example), they have to go get the IP again. This the DOS (DDOS?)
Sure the dns client is hammering the dns server, but the server is telling
it to by giving out an absurdly short TTL... The server is ASKING FOR IT by
setting it's TTL to 10 seconds. The client can't help it, it is just doing
what it has been told.
Why It Does It This Way
The mechanism this dns server uses for selecting which IP to respond with is
a ping to check upstream connectivity. This box pings constantly, looking
for a fail. When link failure is detected, the box starts feeding DNS
queries with responses from the other links subnet. The short ttl ensures
that dns clients age out the info fast enough to make a near seamless
failover to the other link.
Since the box is authoritative for the zone, and has interfaces in more than
one subnet or provider, the failure of one link means that the normal dns
mechanism of going to the next responsive dns server points users to the
remaining good link, and the box obliges by serving out responses that point
the client back down the good link.
James H. Smith II NNCDS NNCSE
The Presidio Corporation
I speak for myself, and that gets me into enough trouble.
(back to lurk mode...)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the NANOG