DNS requests and Bandwidth
Hello List.

We have one domain set up on our server DNS but there is no website or email configured.

Recently we've noticed some increase in server bandwidth usage, and after using tcpdump we were able to find the problem, which is a DNS server on the Internet sending many queries per second to resolve MX and A records for that domain, which does not exist of course, but it keeps asking.

One way was to block requests from that DNS IP, but that was not practical as many users on that DNS won't be able to communicate with our server.

So what is the best way to prevent DNS queries consuming bandwidth?

tcpdump output extract:

14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29)(DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)

---
-aljuhani
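As an added example (not part of the thread), the tcpdump lines above parsed in Python and reduced to per-source query rates and (type, name) counts, which is the check to script before deciding whether you are looking at one misbehaving resolver or many hosts. The second resolver's query line and the 50 q/s threshold are constructed values for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the nine query lines from the thread plus one benign query from a second resolver.
SAMPLE = """\
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29)(DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
14:40:10.002000 198.51.100.7.53 > ns.MyNameServer.net.domain: 1000 A? www.example.com. (33) (DF)
"""

# Classic tcpdump DNS query line: time  src.port > dst.domain:  id TYPE? name. (len)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+\S+\.domain:\s+"
    r"\d+\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)\s+\((?P<qlen>\d+)\)"
)

def parse_queries(text):
    """Yield (seconds_since_midnight, src_ip, qtype, qname, payload_len) per query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # responses, truncated lines, non-DNS traffic
        h, mnt, s = m.group("ts").split(":")
        ts = int(h) * 3600 + int(mnt) * 60 + float(s)
        yield ts, m.group("src"), m.group("qtype"), m.group("qname").lower(), int(m.group("qlen"))

def hot_sources(text, threshold_qps=50.0):
    """Map each source above threshold_qps to (qps, {(qtype, qname): count}); the rate is taken
    over that source's own first-to-last query span, so a lone query never yields a rate."""
    span = {}
    counts = defaultdict(Counter)
    for ts, src, qtype, qname, _ in parse_queries(text):
        lo, hi = span.get(src, (ts, ts))
        span[src] = (min(lo, ts), max(hi, ts))
        counts[src][(qtype, qname)] += 1
    hot = {}
    for src, (lo, hi) in span.items():
        total = sum(counts[src].values())
        qps = total / (hi - lo) if total > 1 and hi > lo else 0.0
        if qps >= threshold_qps:
            hot[src] = (qps, dict(counts[src]))
    return hot
```

On the thread's extract the one noisy source comes out near 290 q/s for a single name, while the benign resolver is left alone.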
aljuhani wrote:
Hello List.
We have one domain set up on our server DNS but there is no website or email configured.
Recently we've noticed some increase in server bandwidth usage, and after using tcpdump we were able to find the problem, which is a DNS server on the Internet sending many queries per second to resolve MX and A records for that domain, which does not exist of course, but it keeps asking.
One way was to block requests from that DNS IP, but that was not practical as many users on that DNS won't be able to communicate with our server.
So what is the best way to prevent DNS queries consuming bandwidth?
tcpdump output extract:
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29)(DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
As happy as I'd be to go and yell DoS!! (I love that word)... there are other possibilities here.

As an example, it is more than possible someone is trying to send mail to you, and that their server is broken so that it keeps retrying forever in a DoS fashion (give me a buck for every time that happened to me...). Are you announcing this domain anywhere else?

The A records are a bit more difficult to explain (but it's certainly possible), but I do ask you this.. if it's just one server.. did you try contacting them? That's probably a lot easier than any other course of action you can follow up with. It could be a simple matter of a misconfiguration.

You could also be a secondary victim of someone else's attack.. but if it's just one server.. try getting them on the horn.. then their uplink, and then just add them to your ACL.. sometimes there are no other options.

Does this bandwidth consumption bother you, though? Or is this just out of curiosity?

Gadi.
On Wed, 11 May 2005, Gadi Evron wrote:
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29)(DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
As happy as I'd be to go and yell DoS!! (I love that word)... there are other possibilities here.
The one time this happened to a DNS server for which I was responsible, it was a misconfigured Windows 2000 server with Active Directory installed. "myNameServer.net" is a generic enough domain name that someone might have used it as an example in a HOWTO document on setting up AD. (just a thought, FWIW)

--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / sjsobol@JustThe.net / PGP: 0xE3AE35ED
"The wisdom of a fool won't set you free" --New Order, "Bizarre Love Triangle"
On Wed, May 11, 2005 at 07:30:35PM +0300, aljuhani wrote:
Recently we've noticed some increase in server bandwidth usage, and after using tcpdump we were able to find the problem, which is a DNS server on the Internet sending many queries per second to resolve MX and A records for that domain, which does not exist of course, but it keeps asking.
One way was to block requests from that DNS IP, but that was not practical as many users on that DNS won't be able to communicate with our server.
So what is the best way to prevent DNS queries consuming bandwidth?
Stop running a DNS server?

All joking aside, I've seen similar problems in cases where there's a lame delegation (with certain clients asking over and over for the same records). If "mydomain.com" is a domain which is pointed to your nameserver from the authoritative servers for that TLD, but which your nameserver is not authoritative for, you may want to set up a dummy zone.
tcpdump output extract:
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29)(DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
If your domains aren't "mynameserver.net" or "mydomain.com", perhaps you'd get a more helpful response by including the actual hostnames / domains in question? You don't gain much by stripping this information, and it's much easier for people to figure out what might be going on if you include the actual domain(s). I'm assuming that if you're running a publicly accessible nameserver which is serving names for these domains, it's probably not sooper sekrit information.

Also, if you MUST use a bogus domain, at least use a bogus domain reserved for that purpose (like example.com) or something ending in ".invalid".

w
On Wed, May 11, 2005 at 20:33, Will Yardley wrote:
If your domains aren't "mynameserver.net" or "mydomain.com", perhaps you'd get a more helpful response by including the actual hostnames / domains in question? You don't gain much by stripping this information, and it's much easier for people to figure out what might be going on if you include the actual domain(s). I'm assuming that if you're running a publicly accessible nameserver which is serving names for these domains, it's probably not sooper sekrit information.
Also, if you MUST use a bogus domain, at least use a bogus domain reserved for that purpose (like example.com) or something ending in ".invalid".
First, thanks all for the prompt responses to my message.

Second, the incident actually started late 2003, and the magnitude of DNS requests peaked our bandwidth usage at 170 GB, which was a huge increase when compared to the normal average bandwidth.

Why did it happen? There was a worm that is still crawling around the Internet that sends mega emails to anyuser@mxserver.com; usually user@mxserver.com, recipient@mxserver.com, and many others. During 2004 the worm was still there, but then it died down, but now it is up again... so what I think is that those IPs attacking our DNS server are actually PCs infected by that worm. It ends up as a DoS type attack, as thousands of PCs around the world are requesting DNS records from our nameservers.

Now I changed the DNS server to a dynamic DNS provider, and I am pointing the MX record to my home server sitting on a DSL connection, which does not annoy much bandwidth-wise, and I've started creating SMTP rules that block every address except webmaster@mxserver.com and info@mxserver.com.

If you want to see the magnitude of attacks you can search Google for mxserver.com: http://groups-beta.google.com/groups?q=%22mxserver.com%22&hl=en&lr=&sa=N&tab=wg

Once again thanks all for your help.

-aljuhani