DNS requests and Bandwidth

Gadi Evron ge at linuxbox.org
Wed May 11 15:50:23 UTC 2005


aljuhani wrote:
> Hello List.
> 
> We have one domain setup on our server dns but there is no
> website or email configured ..
> 
> Recently we've noticed some increase in server Bandwidth usage
> and after using tcpdump, we were able to find the problem which
> is a DNS server on the Internet sending many queries per second
> to resolve MX , A records for that domain which does not exist of
> course but it keeps asking.
> 
> One way was to block requests from that DNS IP but that was not
> practical as many users on that DNS won't be able to communicate
> with our server.
> 
> So what is the best way to prevent DNS queries consuming bandwidth?
> 
> tcpdump output extract:
> 
> 14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain:  51794 MX? MyDomain.com. (29)(DF)
> 14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain:  14233 A? MyDomain.com. (29) (DF)
> 14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain:  39317 MX? MyDomain.com. (29) (DF)
> 14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain:  49503 A? MyDomain.com. (29) (DF)
> 14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain:  29362 A? MyDomain.com. (29) (DF)
> 14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain:  16692 A? MyDomain.com. (29) (DF)
> 14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain:  65288 A? MyDomain.com. (29) (DF)
> 14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain:  1341 A? MyDomain.com. (29) (DF)
> 14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain:  57932 A? MyDomain.com. (29) (DF)

As happy as I'd be to go and yell DoS!! (I love that word)... there are
other possibilities here.

As an example, it is more than possible someone is trying to send mail
to you, and that their server is broken so that it keeps re-trying
forever in a DoS fashion (give me a buck for every time that happened to
me...).

Are you announcing this domain anywhere else?

The A records are a bit more difficult to explain (but it's certainly
possible), but I do ask you this.. if it's just one server.. did you try
contacting them? That's probably a lot easier than any other course of
action you can follow-up with. It could be a simple matter of a
misconfiguration.

You could also be a secondary victim of someone else's attack.. but if
it's just one server.. try getting them on the horn.. then their uplink,
and then just add them to your ACL.. sometimes there are no other options.

Does this bandwidth consumption bother you, though? Or is this just out
of curiosity?

	Gadi.
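Before contacting the operator or adding an ACL, it helps to quantify the problem from the capture itself: how many queries per second a single source sends for one name, what record types it asks for, and how many bytes that costs. The following is an added example, not code from either poster; it parses the old-style tcpdump DNS lines shown above, groups them per (source IP, queried name), and flags sources whose rate exceeds a threshold. The 20 qps / 5 query thresholds are arbitrary choices for illustration, and the two lines from 192.0.2.10 are constructed as a benign baseline; the other nine lines are the ones quoted in the thread.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Old tcpdump DNS query format used in the thread:
# "HH:MM:SS.usec src.sport > dst.dport: id[+] QTYPE? name. (len)"
# The optional "+" after the id means the recursion-desired bit was set.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+):\s+(?P<id>\d+)(?P<rd>\+?)\s+"
    r"(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\((?P<len>\d+)\)"
)

# IPv4 header (20 bytes) + UDP header (8 bytes) carried by every query packet.
IP_UDP_OVERHEAD = 28

# Constructed sample: the nine lines quoted in the thread plus two benign
# queries from 192.0.2.10 (an RFC 5737 documentation address) for contrast.
SAMPLE_CAPTURE = """\
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain:  51794 MX? MyDomain.com. (29)(DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain:  14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain:  39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain:  49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain:  29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain:  16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain:  65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain:  1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain:  57932 A? MyDomain.com. (29) (DF)
14:40:10.100000 192.0.2.10.53000 > ns.MyNameServer.net.domain:  1001+ A? MyDomain.com. (29) (DF)
14:40:15.100000 192.0.2.10.53001 > ns.MyNameServer.net.domain:  1002+ MX? MyDomain.com. (29) (DF)
"""


@dataclass
class Query:
    t: float      # seconds since midnight (capture timestamp)
    src: str      # source IP of the querying resolver
    qtype: str    # A, MX, ...
    qname: str    # queried name, lower-cased, trailing dot removed
    size: int     # DNS payload length reported by tcpdump


def parse_time(stamp):
    """Convert 'HH:MM:SS.usec' to seconds since midnight."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a Query for one tcpdump line, or None if it is not a DNS query."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Query(parse_time(m["time"]), m["src"], m["qtype"],
                 m["qname"].rstrip(".").lower(), int(m["len"]))


def parse_capture(text):
    return [q for q in (parse_line(l) for l in text.splitlines()) if q]


def summarize(queries, min_span=0.001):
    """Per (source IP, name): query count, rate, type mix and byte cost.

    min_span avoids division by zero when all queries share one timestamp.
    """
    groups = defaultdict(list)
    for q in queries:
        groups[(q.src, q.qname)].append(q)
    summary = {}
    for key, qs in groups.items():
        times = [q.t for q in qs]
        span = max(max(times) - min(times), min_span)
        payload = sum(q.size for q in qs)
        summary[key] = {
            "count": len(qs),
            "qps": len(qs) / span,
            "qtypes": Counter(q.qtype for q in qs),
            "payload_bytes": payload,
            "wire_bytes": payload + IP_UDP_OVERHEAD * len(qs),
        }
    return summary


def flag_sources(summary, qps_threshold=20.0, min_count=5):
    """Sources worth a phone call or an ACL entry: sustained high rate for one name."""
    return sorted(k for k, s in summary.items()
                  if s["count"] >= min_count and s["qps"] >= qps_threshold)


if __name__ == "__main__":
    summary = summarize(parse_capture(SAMPLE_CAPTURE))
    for key in flag_sources(summary):
        s = summary[key]
        print(f"{key[0]} -> {key[1]}: {s['count']} queries, {s['qps']:.0f} q/s, "
              f"{dict(s['qtypes'])}, ~{s['wire_bytes']} bytes on the wire")
```

Run it against a real capture with `tcpdump -n port 53 > capture.txt` and feed the file contents to `parse_capture` instead of the constructed sample; the flagged (source, name) pairs are the ones to take to the remote operator, and the byte figures give you a concrete answer to the "does this actually bother you" question above.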



More information about the NANOG mailing list