That's what we thought initially. Somebody processing logfiles. Doesn't look like it though. A remote machine makes our top ten list and then stays there for days. If we block on a router level then it seems to get fixed eventually on the other end.
Dirk
On Sat, Apr 22, 2000 at 12:57:54PM -0400, Deepak Jain wrote:
Depending on how the statistical distribution is falling, I would venture a guess to say it's web companies resolving their web hits' DNS.
My logic is this:
The number of requests in a short time is very high, and as sites generate more and more logs the number of requests goes up. Since many of these sites (even small ones) could easily overwhelm their ISP (in the case of a hosting company) or their hosting company (in the case of an individual customer)'s name servers, these guys are forced to do 100% of the queries themselves.
Many of these log resolvers don't have name-lookup caching anywhere near as sophisticated as BIND, and some won't maintain their cache between different log runs (picture running the logs for 10,000 virtual domains individually -- each night).
And/or:
I would guess that most new Unix/other OS installs that are expected to be on the net probably default to talking directly to the root zone instead of their immediate upstream ISP. (From a software point of view, it's easier than asking the customer what his local DNS server is, and then having the same customer call support when his DNS doesn't work).
Last theory is just math:
As the number of domains goes up, the statistical probability of any particular domain being cached in any large DNS server goes down. (Especially if the ISP hasn't been very good about growing the size of their BIND cache). I can see no reason why these same BIND servers won't start making 10-15% more requests to the root servers each (on say growth of 40-60% in the number of domains, and probably lower overall cache/refresh times). This, with some servers doing many times that because they are more directly affected by the increase in domains (more and more unique domains, fewer persistent/repeat inquiries).
Deepak Jain AiNET
On Sat, 22 Apr 2000, Dirk Harms-Merbitz wrote:
We are seeing a small number of machines that almost do DoS attacks, so many hits are being requested.
It started a few months ago. The number of machines that do this seems to be slowly increasing.
Could this be a configuration problem in some companies' new DNS server software?
Dirk
On Sat, Apr 22, 2000 at 11:56:37AM -0400, Nick Patience wrote:
Hi all,
Disclosure: I'm a journalist with a company called the451.com (details in sig file).
Anyhow, that said, I was talking to Network Solutions about their decision to swap out the Sun box that is the A root server and change it for a more powerful RS/6000 S80. Also it is using IBM servers for its new network of name servers - it has already deployed 8 of the intended 12 according to the company, including one brought on stream two days ago in Hong Kong.
As most on this list probably already know, it is separating the root servers from the name servers.
Anyhow, NSI claims that the strain on the A root server has jumped from 220 million 'hits' to 420 million during Q1 alone. I haven't managed to define what a hit is yet but intend to at some point.
NSI seems slightly unsure as to the main reason for the increase in hits, but speculates that one of the reasons may be says the main reason for this is that ISPs are using different caching techniques and more & more searches are going right to the top of the tree than before.
What do people on this list feel about this as a reason? It seems a little woolly to me.
Cheers,
Nick
--
Nick Patience
Internet Editor & NY Dep. Bureau Chief
the451.com | wap.the451.com
T: 212 460 7131 M: 917 312 5712 F: 413 826 8217
nick.patience@the451.com