Follow-up: request storms from Windows

Ian Watts ian at radix.net
Fri Nov 16 21:25:29 UTC 2001


Okay, it turns out that this problem arises when the AD servers do a
lookup for an IP address where the ARPA zone has a CNAME for an NS record.

Example:

ian at squid:~$ dig 88.140.in-addr.arpa ns +short
artemis.acs.bethel.edu.
ian at squid:~$ dig artemis.acs.bethel.edu.

; <<>> DiG 9.2.0rc7 <<>> artemis.acs.bethel.edu.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61890
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;artemis.acs.bethel.edu.                IN      A

;; ANSWER SECTION:
artemis.acs.bethel.edu. 517962  IN      CNAME   amidala.bnet.bethel.edu.
amidala.bnet.bethel.edu. 517962 IN      A       140.88.128.1

;; AUTHORITY SECTION:
bethel.edu.             517962  IN      NS      ns2.onvoy.net.
bethel.edu.             517962  IN      NS      ns1.bethel.edu.

;; ADDITIONAL SECTION:
ns1.bethel.edu.         517962  IN      A       140.88.128.1
ns2.onvoy.net.          166593  IN      A       206.9.64.104

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 16 16:21:21 2001
;; MSG SIZE  rcvd: 160


I have asked the admins of the Windows servers to "Secure cache against
pollution", i.e. disable glue fetching.  When they get around to it I'll
let you know if it makes a difference. 

And since you ask, the AD servers are forwarding to my BIND nameservers
everything that's not in their "domains".

-- Ian Watts



On Fri, 16 Nov 2001, Barry Finkel wrote:

> Ian Watts <ian at radix.net> wrote:
> 
> >A while ago I mentioned that I was occasionally seeing large numbers of
> >identical queries coming from local Win2K Active Directory servers.  Just
> >yesterday one of them was generating 2,500 identical queries per second. 
> >
> >There appears to be a pattern: whenever this happens, it is a request for
> >a name that is a CNAME for one of the nameservers for that zone.  Possible
> >AD bug?  Other?
> >
> >I have not duplicated this behaviour myself, but 3 out of 3 rather
> >particular records is a pattern in my book.
> >
> >Examples:
> >ns1.poweruser.com
> >artemis.acs.bethel.edu
> >wks01.clickcom.com
> >
> >Although there must be a newsgroup for Active Directory issues, this may
> >in fact be something completely different and it impacts us BIND users
> >negatively.  Anyone have any input on this problem? 
> 
> What is your DNS configuration?  I am assuming that an W2k AD machine
> was sending multiple DNS lookup requests to your BIND server.  You
> say that the names being queried are CNAMEs for nameservers.  I wonder
> if there are DNS zones that have these CNAMEs in NS records.  I know
> that NS records cannot point to CNAMEs, but if this were to occur and
> W2k were attempting to contact the real nameserver, would it get into
> a loop?  I would suggest contacting Microsoft support.  I do not have
> enough information to attempt to reproduce the problem here.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
> Building 221, Room B236              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4844             IBMMAIL:  I1004994
> 
> 
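The condition Ian identifies (an NS record whose target is itself a CNAME, which RFC 2181 section 10.3 forbids) and the symptom that started the thread (thousands of identical queries per second from one client) can both be checked mechanically. The following is an added example, not code from either poster or from BIND: it feeds a small constructed record set mirroring the dig output above through a CNAME-following lookup to flag alias NS targets, and counts repeated (client, qname, qtype) triples in constructed BIND query-log lines. It runs offline; the `lookup()` stub and the query-log line shape are assumptions a real deployment would replace with live dig/resolver output and its own `querylog` format.

```python
"""Lint NS targets for aliases and flag identical-query storms.

Added example, not from the bind-users thread.  RECORDS and SAMPLE_LOG are
constructed offline stand-ins; a real check would replace lookup() with a
resolver call (e.g. dnspython) and feed real BIND query-log lines.
"""
from collections import Counter
import re

# Constructed records mirroring the thread's dig output, plus one well-formed
# zone for contrast.  Key: (owner, rrtype) -> list of rdata strings.
RECORDS = {
    ("88.140.in-addr.arpa.", "NS"): ["artemis.acs.bethel.edu."],
    ("artemis.acs.bethel.edu.", "CNAME"): ["amidala.bnet.bethel.edu."],
    ("amidala.bnet.bethel.edu.", "A"): ["140.88.128.1"],
    ("example.net.", "NS"): ["ns1.example.net."],      # constructed, no alias
    ("ns1.example.net.", "A"): ["192.0.2.53"],
}


def lookup(name, rtype, records=RECORDS):
    """Stand-in for a resolver query; returns rdata list or [] (assumption)."""
    return records.get((name.lower(), rtype), [])


def resolve_address(name, records=RECORDS, max_chain=8):
    """Follow CNAMEs from name to its A records.

    Returns (chain, addresses); chain[0] is name, chain[-1] the canonical
    owner.  Bounded so a CNAME loop cannot spin forever, which is exactly
    the failure mode a glue-fetching resolver must guard against.
    """
    chain = [name]
    for _ in range(max_chain):
        targets = lookup(chain[-1], "CNAME", records)
        if not targets:
            return chain, lookup(chain[-1], "A", records)
        chain.append(targets[0])
    raise ValueError("CNAME chain too long: " + " -> ".join(chain))


def find_alias_ns(zone, records=RECORDS):
    """Return [(ns_name, canonical_name)] for NS targets that are CNAMEs."""
    bad = []
    for ns in lookup(zone, "NS", records):
        chain, _ = resolve_address(ns, records)
        if len(chain) > 1:          # any CNAME hop means the NS is an alias
            bad.append((ns, chain[-1]))
    return bad


# Matches the classic "client A.B.C.D#port: query: NAME IN TYPE" shape and the
# later "client @0x... A.B.C.D#port (NAME): query: ..." shape (assumed formats).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(\S+)#\d+(?: \([^)]*\))?: query: (\S+) IN (\S+)"
)


def query_storms(log_lines, threshold):
    """Count identical (client, qname, qtype) queries; return those >= threshold."""
    counts = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m:
            counts[m.groups()] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed log lines: one client repeating the same question six times.
SAMPLE_LOG = (
    ["16-Nov-2001 16:21:21.000 client 192.0.2.10#1027: query: "
     "artemis.acs.bethel.edu IN A"] * 6
    + ["16-Nov-2001 16:21:21.001 client 192.0.2.11#1028: query: "
       "www.example.net IN A"]
)

if __name__ == "__main__":
    for zone in ("88.140.in-addr.arpa.", "example.net."):
        print(zone, "alias NS targets:", find_alias_ns(zone))
    print("storms:", query_storms(SAMPLE_LOG, threshold=5))
```

In practice you would point `find_alias_ns` at every zone you are authoritative for or forward to, and run `query_storms` over a one-second bucket of the query log, since a per-second count is what distinguishes a looping client from a merely busy one.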


