null DNS header on packets - AIX, excessive network traffic
Kevin Darcy
kcd at daimlerchrysler.com
Tue Jun 4 22:08:14 UTC 2002
asanders at cs.olemiss.edu wrote:
> Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<adgish$goi$1 at isrv4.isc.org>...
> > asanders at cs.olemiss.edu wrote:
> >
> > > Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<ad8rrp$d1gm$1 at isrv4.isc.org>...
> > > > asanders at cs.olemiss.edu wrote:
> > > >
> > > > > I have a dns server (dns.mydomain.com) and a sendmail server
> > > > > (mailserver.mydomain.com) along with about 200 other servers not
> > > > > really in this picture. We have noticed that the DNS server is
> > > > > getting excessive traffic from the mail server. So I did a snoop:
> > > > >
> > ["snoop" output snipped]
> > > > >
> > > > > Notice the DSN header section is null. The packet reply from the DNS
> > > > > server is the same. There are many of the packets. Any insight would
> > > > > be greatly appreciated.
> > > >
> > > > This is just an ACK packet on a TCP connection. I wouldn't expect to see
> > > > a DNS header here.
> > > >
> > > >
> > > > - Kevin
> > >
> > > Thanks Keven. Let me give you more details. My dns group came to me
> > > saying that our mailserver was doing excessive zone transfers with the
> > > dns server--which makes no sense b/c our mailserver is not running
> > > bind or anything that would do a zone transfer. So I am trying to
> > > find out what all of this communication is caused by. On, my
> > > mailserver I just did a netstat -an and grep'd for the IP of our
> > > mailserver & for the IP of the dns server and there are 933
> > > connections between these 2 servers. 864 are in TIME_WAIT status.
> > > All connections are coming from differnent mail server ports around
> > > 40000 to the dns server on port 53 (where bind is running). Got any
> > > ideas why there are so many connections?
> >
> > Are they sure that these are zone transfers? Or, are they TCP connections to the DNS port that
> > your DNS folks are just *assuming* are zone transfers?
>
> They do not know. They are just assuming that. As it looks, they are
> definately not zone tranfers b/c bind is not running on the mailserver
> and as far as I know that (dns) is the only thing that would be doing
> a zone transfer.
> >
> > What mail software are you running, and how is it configured? It's conceivable that it might be
> > explicitly using TCP for DNS queries, for some extraterrestrial reason...
>
> We are using sendmail on this server. Is it just doing dns queries to
> resolve the host names for mail transferred? By the way, this
> mailserver is handling mail for over 10,000 users.
I've never known -- should I say *noticed*? -- sendmail to behave like that.
My only guess is that you're sending a lot of mail to destinations which generate large responses to
ANY queries (which most versions of sendmail generate). Because the responses are so large, they
overflow a UDP packet and a TCP retry is needed. Add to that some bad TCP keepalive tuning, and that
explains why you'd see so many TIME_WAIT TCP connections to the DNS server.
Personally, I prefer to run local caching nameservers on my mail servers, so that this kind of trash
doesn't annoy my dedicated DNS servers...
- Kevin
More information about the bind-users
mailing list