[dns-operations] Getting rid of ISP's recursive DNS servers? (Was: Eircom "DNS Attacks" ?

Peter Dambier peter at peter-dambier.de
Mon Jul 20 10:00:18 UTC 2009

It keeps changing.

I have seen days when 90% of the queries I logged have been the local exim
trying to resolve spammers trying to dump garbage.

I have recently seen 90% <random>.good.name when they tried to poison our
cache. The <random> part successfully destroyed the cache of my ISP.


; <<>> DiG 9.4.2 <<>> -t any ns6.cesidio.net @
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49546
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;ns6.cesidio.net.               IN      ANY

ns6.cesidio.net.        60      IN      A

;; Query time: 200 msec
;; WHEN: Mon Jul 20 11:28:15 2009
;; MSG SIZE  rcvd: 49

That looks good but I remember they took more than 3 seconds to

It looks like dtag.de, I guess they have some 80% of the big cake,
have only 16 resolvers for their customers in Germany.

I remember the bucket I get my IP address from used to be some 32K
so I guess some 8K to 24K customers or maybe more than 64K
clients behind a NAT do share one cache. I don't know how big
that cache is but I am sure it does overflow.

When I started running my own resolvers a couple of years ago I
sped up my browsers dramatically.

I have seen repeatedly at friends locations that running their
own resolvers did speed up their browsers dramatically.

It is mostly friends from the CCC (Chaos Computer Club) or the
Pirates Party, all of them do know where to look for the power switch
of a computer :)

From what we have seen SoHo most likely will tip the scale towards
browsers. Servers will tip the scale towards MX.

Resolvers at colocations are by far faster and more reliable than
resolvers at ISPs for SoHo users. They don't need to search so
much memory before sending a query.


Stephane Bortzmeyer wrote:
> On Sun, Jul 19, 2009 at 10:06:15PM -0500,
>  Frank Bulk <frnkblk at iname.com> wrote 
>  a message of 51 lines which said:
>> To your footnote, does anyone have supporting evidence that web
>> browsing is the biggest use of DNS?
> We have ample evidence of the opposite. For instance, almost half of
> the DNS requests to the .FR authoritative name servers have query type
> MX.

Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
ULA= fd80:4ce1:c66a::/48
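
Added example, not part of the original message: one way to spot the `<random>.good.name` pattern described above in a resolver's query log, by flagging parent names whose lookups are almost all distinct leftmost labels. The function names, thresholds, the `good.example` sample names and the rule "parent = name minus its leftmost label, at least two labels long" are assumptions made for this illustration.

```python
import random
import string
from collections import defaultdict


def split_parent(qname):
    """Split a query name into (leftmost label, parent). Names with fewer
    than three labels are skipped so a bare TLD is never treated as a parent
    (assumption: a production version would use the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[1:])


def flag_random_prefix_floods(qnames, min_queries=50, min_unique_ratio=0.9):
    """Return {parent: (total, unique_ratio)} for parents whose queries are
    almost all distinct leftmost labels, i.e. every lookup is a cache miss."""
    total = defaultdict(int)
    seen = defaultdict(set)
    for qname in qnames:
        parts = split_parent(qname)
        if parts is None:
            continue
        label, parent = parts
        total[parent] += 1
        seen[parent].add(label)
    flagged = {}
    for parent, count in total.items():
        ratio = len(seen[parent]) / count
        if count >= min_queries and ratio >= min_unique_ratio:
            flagged[parent] = (count, round(ratio, 2))
    return flagged


def constructed_sample():
    """Constructed query names: 200 random-prefix lookups under one parent
    mixed with ordinary, repetitive lookups."""
    rng = random.Random(2009)
    flood = ["".join(rng.choices(string.ascii_lowercase, k=12)) + ".good.example."
             for _ in range(200)]
    normal = ["www.shop.example.", "mail.shop.example.", "www.news.example."] * 40
    names = flood + normal
    rng.shuffle(names)
    return names


if __name__ == "__main__":
    for parent, (count, ratio) in flag_random_prefix_floods(constructed_sample()).items():
        print(f"{parent}: {count} queries, {ratio:.0%} unique leftmost labels")
```

Feed it the query-name column of the resolver's own query log; busy CDN or DNSBL parents can also show many unique labels, so flagged parents are candidates for review rather than verdicts.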
