[dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow

Florian Weimer fw at deneb.enyo.de
Wed Sep 22 05:05:09 UTC 2010

I've noticed that some time after switching on my home workstation and
doing a bit of web browsing, DNS resolution ceases to work for a minute
or two.  Unbound (which runs locally and starts from a cold cache)
shows a growing request list during that time.  Many of the requests
are triggered by DNS prefetching, and cause subsequent DLV, A, AAAA
and NS requests which are related to Unbound's hardening features and
only indirectly caused by client queries.  When the phenomenon occurs,
"dig" does not work, either, with or without DNSSEC, both from the
workstation and other machines behind the same NAT router.  The DNS
proxy on the NAT router ceases to work, too.

I suspect that this might be caused by state table overflow in the
cheap NAT box (an AVM Fritzbox 7390, which is supposed to forward
non-proxied DNS requests unmolested).  Existing UDP flows continue to
work fine.  I have yet to see if switching off source port
randomization improves things.

Has anybody else seen this behavior?  It is a bit difficult to
attribute it to the NAT router because it's a black box for me right
now.  It could also be some sort of DoS or enumeration protection in a
transparent DNS proxy at the ISP (1&1 reselling VDSL from Deutsche


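The state-table hypothesis above, as an added example that is not from this thread, from AVM's firmware or from Unbound: a toy model of a NAT that keys UDP entries on the 5-tuple and expires them after an idle timeout. Table size, timeout and traffic shape are assumptions; the point it shows is that a cold-cache burst of recursive queries with randomised source ports creates one entry per query, while a fixed source port only collapses them down to one entry per distinct authoritative server.

```python
"""Toy model of UDP state-table pressure on a NAT box from a local recursive resolver.

Constructed model (assumptions): the NAT keys each entry on (src port, dst ip, dst port),
evicts nothing early, and expires an entry once it has been idle longer than a timeout.
"""
from collections import OrderedDict
import random


def burst(n_queries, n_servers, spacing_s):
    """Constructed traffic: n_queries spaced spacing_s apart, round-robin over
    n_servers authoritative servers in the 192.0.2.0/24 documentation range."""
    return [(i * spacing_s, f"192.0.2.{i % n_servers}") for i in range(n_queries)]


def simulate(queries, table_size, idle_timeout_s, randomize_ports, fixed_port=53535):
    """Replay (time, dst) queries through the model NAT.
    Returns (dropped, peak_entries): a query is dropped when it needs a new
    entry and the table is full, which is the 'DNS stops for a minute' symptom."""
    table = OrderedDict()            # key -> last_seen; order doubles as LRU order
    rng = random.Random(1)           # deterministic port choice for repeatability
    dropped = peak = 0
    for t, dst in queries:
        # Expire idle entries first; oldest entries sit at the front of the dict.
        for key in [k for k, seen in table.items() if t - seen > idle_timeout_s]:
            del table[key]
        sport = rng.randint(1024, 65535) if randomize_ports else fixed_port
        key = (sport, dst, 53)
        if key in table:             # existing flow keeps working (as observed)
            table[key] = t
            table.move_to_end(key)
        elif len(table) >= table_size:
            dropped += 1             # new flow cannot get a state entry
        else:
            table[key] = t
        peak = max(peak, len(table))
    return dropped, peak


if __name__ == "__main__":
    cold_cache = burst(500, 50, 0.01)          # 500 queries in 5 s to 50 servers
    print("random ports, burst:", simulate(cold_cache, 256, 30, True))
    print("fixed port,   burst:", simulate(cold_cache, 256, 30, False))
    print("random ports, slow :", simulate(burst(500, 50, 1.0), 256, 30, True))
```

Running it shows the burst with randomised ports filling a 256-entry table and dropping the rest, the fixed-port run peaking at 50 entries (one per server), and the same 500 queries spread over time never exceeding the idle timeout's window.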