Strange DNS client behavior
Simon at wretched.demon.co.uk
Wed Oct 31 01:36:09 UTC 2001
"Aaron M. Scarisbrick" wrote:
> That's just broken. Why would a single host need hundreds of
> concurrent TCP queries open? A tcpdump of each of the hosts (tcpdump
> -n -l src x.x.x.x), showed that each host was performing an "ANY?" DNS
> query for the same domain over and over again. Anybody know of a
> resolver or mailer that opens hundreds of concurrent queries against
> one DNS server for the same query over and over again? I've resorted
> to using the BIND blackhole access list to prevent the worst abusers
> from pegging the server. Any light that anyone can shed on this would
> be greatly appreciated.
Maybe you're giving back an answer that isn't good - low time to
live, servfail, lameness.
Let us know the domain and nameserver IP and we can start by
ruling out misconfiguration your end.
It could be a DoS attack, as the use of TCP seems unusual, but
it could be that the ANY query returns too much data, without
the domain name we can't tell.
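Added example, not part of this thread: a small Python script that does by program what the tcpdump inspection above describes by eye, parsing DNS query lines and flagging source hosts that repeat an "ANY?" query for the same name. The simplified tcpdump line format, the sample addresses and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in a simplified "tcpdump -n" DNS format; not real traffic.
SAMPLE_TCPDUMP = """\
01:36:09.001 IP 192.0.2.10.3456 > 198.51.100.1.53: 1001+ ANY? example.net. (29)
01:36:09.002 IP 192.0.2.10.3457 > 198.51.100.1.53: 1002+ ANY? example.net. (29)
01:36:09.003 IP 192.0.2.10.3458 > 198.51.100.1.53: 1003+ ANY? example.net. (29)
01:36:09.004 IP 192.0.2.10.3459 > 198.51.100.1.53: 1004+ ANY? example.net. (29)
01:36:09.005 IP 192.0.2.20.4001 > 198.51.100.1.53: 2001+ A? www.example.net. (33)
01:36:09.006 IP 192.0.2.20.4002 > 198.51.100.1.53: 2002+ MX? example.net. (29)
01:36:09.007 IP 192.0.2.30.5000 > 198.51.100.1.53: 3001+ ANY? example.net. (29)
"""

# Matches "<ts> IP <src>.<sport> > <dst>.53: <id>[+] <QTYPE>? <qname>"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<qid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)


def parse_queries(text):
    """Return a list of (src, qtype, qname) for every line that looks like a DNS query."""
    found = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            found.append((m["src"], m["qtype"], m["qname"]))
    return found


def repeated_any_queries(text, threshold=3):
    """Return {(src, qname): count} for sources that sent an ANY query for the
    same name at least `threshold` times (a candidate for the BIND blackhole list)."""
    counts = Counter(
        (src, qname) for src, qtype, qname in parse_queries(text) if qtype == "ANY"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (src, qname), n in sorted(repeated_any_queries(SAMPLE_TCPDUMP).items()):
        print(f"{src} repeated ANY? {qname} {n} times")
```

On the constructed sample only 192.0.2.10 crosses the threshold; the single ANY from 192.0.2.30 and the A/MX lookups from 192.0.2.20 are left alone.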