First I would like to note I am new to the list and group. It's nice to be here.

Second, since Monday, March 24th at approx 1am we have been suffering from "odd" DNS traffic to our two primary DNS servers. The odd traffic has increased our bandwidth utilization by about 20 Mbps, which is obviously putting a hurting on our network and our DNS servers. I know this must also be affecting other networks, and if anything the root servers.

If anyone has any suggestions, etc, they would be much appreciated.

Thank you,
Michael Mannella
Support Team
Synergy Networks, Inc.

Here are the symptoms:
============================================

The odd traffic started with the root servers, namely (a-m).gtld-servers.net . Most of the traffic is still coming from them, but other servers have also started sending us this odd traffic.

We have 3 dns servers, only two are being affected, they are our Primary and Secondary servers that are listed with Network Solutions. The third server (that is not being affected) is not listed with NetSol and has no DNS records setup in it. It is strictly being used for lookups.

The odd traffic is listed as a "DNS Spoof attempt" on our firewall.

The odd traffic looks like this:

Rcv 192.48.79.30 0cbb R Q [0084 A NOERROR] (8)Îҵĵ绰(3)COM(0)
UDP response info at 01ADC8BC
  Socket = 380
  Remote addr 192.48.79.30, port 53
  Time Query=147367, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x010e (270)
  Message:
    XID 0x0cbb
    Flags 0x8400
    QR 1 (response)
    OPCODE 0 (QUERY)
    AA 1
    TC 0
    RD 0
    RA 0
    Z 0
    RCODE 0 (NOERROR)
    QCOUNT 0x1
    ACOUNT 0x1
    NSCOUNT 0xd
    ARCOUNT 0x0
    Offset = 0x000c, RR count = 0
    Name "(8)Îҵĵ绰(3)COM(0)"
    QTYPE A (1)
    QCLASS 1
    ANSWER SECTION:
    Offset = 0x001e, RR count = 0
    Name "[C00C](8)Îҵĵ绰(3)COM(0)"
    TYPE A (1)
    CLASS 1
    TTL 300
    DLEN 4
    DATA 198.41.1.35
    AUTHORITY SECTION:
    Offset = 0x002e, RR count = 0
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 20
    DATA (1)g(12)gtld-servers(3)net(0)
    Offset = 0x004e, RR count = 1
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)h[C03C](12)gtld-servers(3)net(0)
    Offset = 0x005e, RR count = 2
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)d[C03C](12)gtld-servers(3)net(0)
    Offset = 0x006e, RR count = 3
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)j[C03C](12)gtld-servers(3)net(0)
    Offset = 0x007e, RR count = 4
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)i[C03C](12)gtld-servers(3)net(0)
    Offset = 0x008e, RR count = 5
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)l[C03C](12)gtld-servers(3)net(0)
    Offset = 0x009e, RR count = 6
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)b[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00ae, RR count = 7
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)e[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00be, RR count = 8
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)a[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00ce, RR count = 9
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)k[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00de, RR count = 10
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)f[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00ee, RR count = 11
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)c[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00fe, RR count = 12
    Name "[C015](3)COM(0)"
    TYPE NS (2)
    CLASS 1
    TTL 172800
    DLEN 4
    DATA (1)m[C03C](12)gtld-servers(3)net(0)
    ADDITIONAL SECTION:

The DNS server encountered an invalid domain name in a packet from 192.48.79.30. The packet is rejected.
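An added example, not part of the original post: a small Python triage routine for responses like the one logged above. It decodes the question name from the wire format (including compression pointers such as `[C00C]`), then reports whether the response matches a query this host actually sent and whether any label falls outside the letters-digits-hyphen hostname convention. The names `triage`, `read_name` and `pending`, and the sample packet bytes, are assumptions made for the illustration.

```python
import struct

# Hostname (LDH) convention; the DNS wire format itself permits any octet in a label.
LDH = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")

def read_name(msg, off):
    """Decode a wire-format name, following compression pointers such as [C00C].
    Returns (list of label bytes, offset just past the name where it was read)."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]                       # IndexError on a truncated message
        if n & 0xC0 == 0xC0:               # 2-byte pointer to an earlier name
            if resume is None:
                resume = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n & 0xC0:
            raise ValueError("reserved label type")
        elif n == 0:                       # root label ends the name
            return labels, resume if resume is not None else off + 1
        else:
            if off + 1 + n > len(msg):
                raise ValueError("label runs past end of message")
            labels.append(msg[off + 1:off + 1 + n])
            off += 1 + n

def triage(msg, src, pending):
    """pending: set of (server_ip, xid, lowercased labels) for queries this host sent."""
    xid, flags, *_counts = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        return ["not a response"]
    labels, _ = read_name(msg, 12)
    findings = []
    if (src, xid, tuple(l.lower() for l in labels)) not in pending:
        findings.append("unsolicited response")
    if any(not LDH.issuperset(l) for l in labels):
        findings.append("non-LDH label in question name")
    return findings

# Constructed sample: header and question as in the log (XID 0x0cbb, flags 0x8400),
# one A answer using the [C00C] pointer; the 13 NS records are left out.
LABEL = bytes.fromhex("ced2b5c4b5e7bbb0")   # assumed stand-in for the 8-byte label
SAMPLE = (struct.pack("!6H", 0x0CBB, 0x8400, 1, 1, 0, 0)
          + bytes([8]) + LABEL + b"\x03COM\x00" + struct.pack("!2H", 1, 1)
          + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([198, 41, 1, 35]))

if __name__ == "__main__":
    print(triage(SAMPLE, "192.48.79.30", pending=set()))
```

With an empty `pending` set the sample is reported as both unsolicited and carrying a non-LDH label; a server that logs its outbound queries can populate `pending` to separate stray responses from answers to its own lookups.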