-----Original Message----- From: E.B. Dreger [mailto:eddy+public+spam@noc.everquick.net] Sent: Tuesday, January 22, 2002 12:51 AM To: just me Cc: Miquel van Smoorenburg; nanog@merit.edu Subject: Re: DNS DOS increasing? That's not the problem. It's ill-behaved clients that ignore TTL and query every 10s no matter what. See some of James Smith's posts... ----- Methinks I have been misunderstood or I have obfuscated my own point... The dns server is set to give a 10 second TTL to the dns client. The entry ages out in 10 seconds, so the client (following expected practice) ages the entry out. 15 seconds later, when they click on the next button on the web page (for example), they have to go get the IP again. This the DOS (DDOS?) like behavior. Sure the dns client is hammering the dns server, but the server is telling it to by giving out an absurdly short TTL... The server is ASKING FOR IT by setting it's TTL to 10 seconds. The client can't help it, it is just doing what it has been told. Why It Does It This Way The mechanism this dns server uses for selecting which IP to respond with is a ping to check upstream connectivity. This box pings constantly, looking for a fail. When link failure is detected, the box starts feeding DNS queries with responses from the other links subnet. The short ttl ensures that dns clients age out the info fast enough to make a near seamless failover to the other link. Since the box is authoritative for the zone, and has interfaces in more than one subnet or provider, the failure of one link means that the normal dns mechanism of going to the next responsive dns server points users to the remaining good link, and the box obliges by serving out responses that point the client back down the good link. James H. Smith II NNCDS NNCSE Systems Engineer The Presidio Corporation I speak for myself, and that gets me into enough trouble. (back to lurk mode...)