slow non-cached queries

TMK engtmk at gmail.com
Fri Sep 9 20:34:14 UTC 2011


On Sep 9, 2011 10:28 PM, "TMK" <engtmk at gmail.com> wrote:
>
> On 09.09.11 19:31, TMK wrote:
> >We have found the reason why our network analyzer reports that bind is
> >responding to a.root-server.net in 30 sec.
>
> does your server respond to a.root-servers.net, or does a.root-servers.net
> respond to your BIND?

A.root-server.net is a query being sent from some of our clients.

>
> >Cause all the packets are having the same source port and the same
> >identification ID which makes it impossible for it to determine the
> >query/response pairs.
>
> who is sending those packets? Is that your BIND?
>

Like I said, it is being sent from some infected customers to our cache DNS.

> >Just one question why doesn't the bind drop such packets.
>
> apparently it does and that's why it's so slow...

No, it doesn't. The capture shows it has responded to each and every packet of
those, but due to having the same source ports and the identification ID the
traffic analyzer is unable to correctly link the requests with the replies.

All those packets are from source port 3037
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...

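The pairing problem discussed in this thread, as an added example that is not part of the original messages: an analyzer that matches DNS responses to queries by client address, source port, DNS ID and name has several candidate queries once a client reuses one port and ID, so the latency it reports can be wrong. The record layout, addresses, ID value, timings, the uncaptured first response and the function names are constructed assumptions; only source port 3037 comes from the thread.

```python
from collections import defaultdict, deque

# Constructed capture records: (time_s, direction, client_ip, client_port, dns_id, qname)
# "Q" = client -> resolver, "R" = resolver -> client.
SAMPLE = [
    # Client reusing one source port and one DNS ID for every query.
    (0.000, "Q", "192.0.2.10", 3037, 0x1A2B, "a.root-servers.net"),  # response not captured (assumed)
    (30.000, "Q", "192.0.2.10", 3037, 0x1A2B, "a.root-servers.net"),
    (30.002, "R", "192.0.2.10", 3037, 0x1A2B, "a.root-servers.net"),
    (30.010, "Q", "192.0.2.10", 3037, 0x1A2B, "a.root-servers.net"),
    (30.012, "R", "192.0.2.10", 3037, 0x1A2B, "a.root-servers.net"),
    # Well-behaved client with its own port and ID.
    (31.000, "Q", "192.0.2.20", 51514, 0x0042, "example.com"),
    (31.003, "R", "192.0.2.20", 51514, 0x0042, "example.com"),
]

def pair(records):
    """Pair each response with the oldest outstanding query that has the same
    (client_ip, client_port, dns_id, qname) key.

    Returns (pairs, ambiguous). pairs holds (key, latency_s, certain) tuples;
    certain is False when more than one query was a candidate. ambiguous maps
    a key to the number of responses that could not be paired with certainty.
    """
    pending = defaultdict(deque)
    pairs, ambiguous = [], defaultdict(int)
    for t, direction, ip, port, dns_id, qname in sorted(records):
        key = (ip, port, dns_id, qname.lower())
        if direction == "Q":
            pending[key].append(t)
        elif pending[key]:
            certain = len(pending[key]) == 1
            if not certain:
                ambiguous[key] += 1
            pairs.append((key, t - pending[key].popleft(), certain))
    return pairs, dict(ambiguous)

def suspect_clients(records, min_repeats=3):
    """Clients that sent min_repeats or more queries with one (port, id) pair."""
    counts = defaultdict(int)
    for _, direction, ip, port, dns_id, _ in records:
        if direction == "Q":
            counts[(ip, port, dns_id)] += 1
    return sorted({ip for (ip, _, _), n in counts.items() if n >= min_repeats})

if __name__ == "__main__":
    for key, latency, certain in pair(SAMPLE)[0]:
        print(key[0], key[1], f"{latency:.3f}s", "ok" if certain else "AMBIGUOUS")
    print("suspect clients:", suspect_clients(SAMPLE))
```

On the constructed data the first response is paired with the query sent 30 seconds earlier and reported as a 30.002 s answer, although the resolver replied within milliseconds.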