aljuhani wrote:
Hello List.
We have one domain set up on our DNS server, but there is no website or email configured.
Recently we've noticed some increase in server bandwidth usage, and after using tcpdump we were able to find the problem, which is a DNS server on the Internet sending many queries per second to resolve MX and A records for that domain, which of course is non-existent, but it keeps asking.
One way was to block requests from that DNS IP, but that was not practical, as many users on that DNS won't be able to communicate with our server.
So what is the best way to prevent DNS queries from consuming bandwidth?
tcpdump output extract:
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29)(DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
As happy as I'd be to go and yell DoS!! (I love that word)... there are other possibilities here. As an example, it is more than possible someone is trying to send mail to you, and that their server is broken so that it keeps retrying forever in a DoS fashion (give me a buck for every time that happened to me...). Are you announcing this domain anywhere else? The A records are a bit more difficult to explain (but it's certainly possible), but I do ask you this.. if it's just one server.. did you try contacting them? That's probably a lot easier than any other course of action you can follow up with. It could be a simple matter of a misconfiguration. You could also be a secondary victim of someone else's attack.. but if it's just one server.. try getting them on the horn.. then their uplink, and then just add them to your ACL.. sometimes there are no other options. Does this bandwidth consumption bother you, though? Or is this just out of curiosity? Gadi.
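The check a defender would want before deciding between an ACL, rate limiting or a phone call is a per-source query rate and a breakdown of what each source is asking for. The following is an added example, not code from either poster: it parses the tcpdump line format quoted in aljuhani's extract, counts queries per source address per second, and flags sources above a threshold together with their query types, names and approximate request bytes on the wire (DNS payload length from the "(29)" field plus 28 bytes of IPv4/UDP header, an assumed figure). The two extra lines from 192.0.2.10 and 198.51.100.7 are constructed benign traffic so the output shows what is not flagged; the threshold of 5 queries per second is an arbitrary illustration, not a recommended value.

```python
"""Flag single-source DNS query floods in tcpdump output (added example)."""
import re
from collections import Counter, defaultdict

# tcpdump line shape: "<hh:mm:ss.frac> <src-ip>.<port> > <dst>.domain: <id>[+] <qtype>? <qname> (<dnslen>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.domain:\s+(?P<id>\d+)\+?\s+"
    r"(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)\s+\((?P<dnslen>\d+)\)"
)

IP_UDP_HEADER_BYTES = 28  # assumed: 20-byte IPv4 header + 8-byte UDP header

# Constructed sample: the nine lines quoted in the post plus two unrelated
# queries from other resolvers (documentation addresses) that should not be flagged.
SAMPLE_LINES = [
    "14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29)(DF)",
    "14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)",
    "14:40:09.412001 192.0.2.10.53211 > ns.MyNameServer.net.domain: 7001 A? www.OtherDomain.com. (37) (DF)",
    "14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)",
    "14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)",
    "14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)",
    "14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)",
    "14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)",
    "14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)",
    "14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)",
    "14:40:10.002114 198.51.100.7.40102 > ns.MyNameServer.net.domain: 9120 MX? MyDomain.com. (29) (DF)",
]


def parse_query(line):
    """Parse one tcpdump DNS query line; return a dict of fields or None if it is not a query."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dnslen"] = int(fields["dnslen"])
    return fields


def queries_per_second(lines):
    """Count parsable queries per (source address, wall-clock second)."""
    counts = Counter()
    for line in lines:
        q = parse_query(line)
        if q:
            counts[(q["src"], q["ts"])] += 1
    return counts


def request_bytes(lines, src):
    """Approximate bytes of query traffic received from `src` (DNS payload + IP/UDP headers)."""
    return sum(q["dnslen"] + IP_UDP_HEADER_BYTES
               for q in map(parse_query, lines) if q and q["src"] == src)


def noisy_sources(lines, threshold):
    """Sources that exceeded `threshold` queries in any single second, with their worst
    second and a breakdown of query types and names."""
    detail = defaultdict(lambda: {"peak_qps": 0, "peak_second": None,
                                  "qtypes": Counter(), "qnames": Counter()})
    for (src, second), n in queries_per_second(lines).items():
        if n > detail[src]["peak_qps"]:
            detail[src]["peak_qps"] = n
            detail[src]["peak_second"] = second
    for q in map(parse_query, lines):
        if q:
            detail[q["src"]]["qtypes"][q["qtype"]] += 1
            detail[q["src"]]["qnames"][q["qname"]] += 1
    return {src: d for src, d in detail.items() if d["peak_qps"] > threshold}


if __name__ == "__main__":
    for src, d in noisy_sources(SAMPLE_LINES, threshold=5).items():
        print(f"{src}: peak {d['peak_qps']} q/s at {d['peak_second']}, "
              f"types={dict(d['qtypes'])}, names={dict(d['qnames'])}, "
              f"~{request_bytes(SAMPLE_LINES, src)} request bytes in capture")
```

Run against a longer capture, the per-second peak and the type/name breakdown separate the single runaway resolver from ordinary lookups of the same name by other resolvers, which is the evidence you would want in hand before adding that source to an ACL or turning on response rate limiting on the authoritative server.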