Vista machines DOSing our bind servers

Fr34k freaknetboy at yahoo.com
Tue Nov 27 19:13:38 UTC 2007


Hello,
 
I have been seeing a lot of identical bogus queries from the same clients.
Looks like we are seeing that isatap traffic, too:
 
# snoop -r port 53 | grep isatap

DNS C isatap.Belkin. Internet Addr ?
DNS C isatap.Belkin. Internet Addr ?
DNS C isatap.Belkin. Internet Addr ?
DNS C isatap.Belkin. Internet Addr ?
DNS C isatap.WorkGroup. Internet Addr ?
DNS C isatap.WorkGroup. Internet Addr ?
DNS C isatap.a.domain.suffix.com. Internet Addr ?
DNS C isatap. Internet Addr ?
^C


Interesting.

It seems that tuning a few "clients-per-query" options helps to mitigate the flood of identical queries.
For example,
 
clients-per-query 10;          // default is 10
max-clients-per-query 50;      // default is 100

See the Bv9ARM.pdf at isc.org for more about these options and what may work best for you.

Hope this helps -- Chris
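One way to find which hosts are repeating the same lookup, as an added example that is not part of this thread or of BIND itself: the Python script below parses BIND query-log lines (query logging is turned on with `querylog yes;` in named.conf or with `rndc querylog`; the exact line format is assumed to be `client IP#PORT: query: NAME IN TYPE ...`, and the sample lines are constructed, not a real capture) and reports every (client, name, type) tuple seen at least a threshold number of times, along with the clients asking for any `isatap.*` name. The threshold value and the helper names are this example's own choices.

```python
import re
import sys
from collections import Counter

# Assumed BIND query-log line format; real logs may carry extra flags after the
# type.  The sample below is constructed for this example.
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

SAMPLE_LOG = """\
client 10.0.0.7#49152: query: isatap.Belkin IN AAAA + (10.0.0.1)
client 10.0.0.7#49153: query: isatap.Belkin IN AAAA + (10.0.0.1)
client 10.0.0.7#49154: query: isatap.Belkin IN AAAA + (10.0.0.1)
client 10.0.0.7#49155: query: isatap.Belkin IN AAAA + (10.0.0.1)
client 10.0.0.7#49156: query: isatap.Belkin IN AAAA + (10.0.0.1)
client 10.0.0.8#51000: query: isatap.WorkGroup IN AAAA + (10.0.0.1)
client 10.0.0.8#51001: query: isatap.WorkGroup IN AAAA + (10.0.0.1)
client 10.0.0.9#53001: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.9#53002: query: mail.example.com IN MX + (10.0.0.1)
this line is not a query log entry and is skipped
"""


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for each well-formed query line.

    Names are lower-cased and stripped of a trailing dot so that case or
    trailing-dot variations of the same question count as one tuple.
    """
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")


def repeated_queries(log_text, threshold=3):
    """Return {(ip, qname, qtype): count} for tuples seen at least `threshold` times."""
    counts = Counter(parse_queries(log_text))
    return {key: n for key, n in counts.items() if n >= threshold}


def offending_clients(log_text, threshold=3):
    """Sorted list of client IPs that repeated any single question >= threshold times."""
    return sorted({ip for (ip, _, _) in repeated_queries(log_text, threshold)})


def isatap_clients(log_text):
    """Sorted list of client IPs asking for 'isatap' or any 'isatap.<suffix>' name."""
    return sorted(
        ip
        for ip, qname, _ in set(parse_queries(log_text))
        if qname == "isatap" or qname.startswith("isatap.")
    )


if __name__ == "__main__":
    # Usage: python3 find_repeats.py [/path/to/query.log]; with no argument the
    # constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (ip, qname, qtype), n in sorted(
        repeated_queries(text).items(), key=lambda kv: -kv[1]
    ):
        print(f"{ip} asked {qname}/{qtype} {n} times")
    print("clients to investigate:", offending_clients(text))
    print("clients probing isatap.*:", isatap_clients(text))
```

The server-side `clients-per-query` limits cap how many pending clients named will hold for one (name, type) question, which protects the server; this script answers the other question, which desktops to go and fix, so the two go together. Run it over a log slice taken during an incident and raise the threshold until only the genuinely noisy hosts remain.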


----- Original Message ----
From: Kirsten Petersen <kirsten.petersen at oregonstate.edu>
To: bind-users at isc.org
Sent: Tuesday, November 27, 2007 1:00:00 PM
Subject: Vista machines DOSing our bind servers

Has anyone else seen this issue where Vista machines slam the name servers 
with repeated requests for the same lookup?  Yesterday, both of our name 
servers were taken out of commission by a pair of Vista workstations on 
our network that were each pushing almost 10Mb in DNS requests.  A tcpdump 
at the time showed that they were asking repeatedly for the same AAAA 
record.

This has happened about 4 times to us in the past 3 weeks.  Each time, 
the machines were asking for different domain names, totally unrelated. 
So, I don't believe there is anything special about the record itself. 
The machines have been scanned for viruses and malware, of course, and 
came up clean.  The owners of the machines were not even present when the 
incident occurred.

I have read through this thread on Educause:
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind07&L=netman&D=0&T=0&P=27697