[dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow

bert hubert bert.hubert at netherlabs.nl
Wed Sep 22 05:35:26 UTC 2010


On Wed, Sep 22, 2010 at 07:05:09AM +0200, Florian Weimer wrote:
> "dig" does not work, either, with or without DNSSEC, both from the
> workstation and other machines behind the same NAT router.  The DNS
> proxy on the NAT router ceases to work, too.
> 
> I suspect that this might be caused by state table overflow in the
> cheap NAT box (an AVM Fritzbox 7390, which is supposed to forward
> non-proxied DNS requests unmolested). 

I've had this happen too on "CPE" boxes that supposedly would not touch DNS.
Not specifically related to prefetching, but simply related to having "too
many DNS queries in a short amount of time".

> Has anybody else seen this behavior?  It is a bit difficult to
> attribute it to the NAT router because it's a black box for me right
> now.  It could also be some sort of DoS or enumeration protection in a
> transparent DNS proxy at the ISP (1&1 reselling VDSL from Deutsche
> Telekom).

I'd blame the AVM. I've been told it runs Linux, so perhaps you could hack
into it. 

Do you have an indication of how much DNS traffic we are talking about?

	Bert
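The failure mode discussed in this thread (a consumer NAT box whose UDP state table fills up when a resolver fires many DNS queries in a short window, after which new queries are silently dropped) can be reproduced with a small model. The code below is an added illustration, not anything from the thread, from AVM, or from any real router firmware: it assumes a NAT table of 2048 UDP entries with a 30-second idle timeout, and a stub resolver that uses a fresh random source port for every query (so each query costs one state-table slot). Those numbers are assumptions chosen for the demonstration, not measured values from any device.

```python
import random
from collections import OrderedDict


class NatUdpTable:
    """Toy model of a NAT router's UDP connection-tracking table.

    Each outbound UDP flow (src ip, src port, dst ip, dst port) occupies one
    slot until it has been idle for `idle_timeout` seconds. When every slot is
    taken, new flows cannot be created and the packet is dropped, which is
    exactly what a client sees as "dig stops working" behind such a box.
    """

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.entries = OrderedDict()  # flow tuple -> last time it was seen
        self.dropped = 0

    def expire(self, now):
        """Remove entries whose idle time has exceeded the timeout."""
        for flow, last_seen in list(self.entries.items()):
            if now - last_seen > self.idle_timeout:
                del self.entries[flow]

    def forward(self, flow, now):
        """Try to forward a packet for `flow`; return True if it got through."""
        self.expire(now)
        if flow in self.entries:          # existing flow: refresh and pass
            self.entries[flow] = now
            return True
        if len(self.entries) >= self.capacity:
            self.dropped += 1             # table full: new flow is dropped
            return False
        self.entries[flow] = now
        return True


def sustainable_rate(capacity, idle_timeout):
    """Highest steady rate of new flows (queries/s) the table can absorb.

    With one slot per query held for idle_timeout seconds, a sustained rate
    above capacity / idle_timeout must eventually exhaust the table.
    """
    return capacity / idle_timeout


def simulate(query_rate, duration, capacity=2048, idle_timeout=30.0, seed=0):
    """Send `query_rate` DNS queries per second for `duration` seconds through
    the modelled NAT table and return (forwarded, dropped).

    The stub resolver picks a random ephemeral source port per query, the
    usual behaviour of port-randomising resolvers, so nearly every query is a
    new flow from the NAT's point of view. Addresses are documentation-range
    placeholders (constructed values).
    """
    rng = random.Random(seed)
    table = NatUdpTable(capacity, idle_timeout)
    forwarded = 0
    total = query_rate * duration
    for i in range(total):
        now = i / query_rate
        flow = ("192.0.2.10", rng.randrange(1024, 65536), "198.51.100.53", 53)
        if table.forward(flow, now):
            forwarded += 1
    return forwarded, table.dropped


if __name__ == "__main__":
    limit = sustainable_rate(2048, 30.0)
    print(f"sustainable new-flow rate: {limit:.1f} queries/s")
    for rate in (10, 50, 200):
        fwd, drop = simulate(rate, 60)
        print(f"{rate:4d} q/s for 60 s: forwarded={fwd:5d} dropped={drop:5d}")
```

Running it shows the threshold effect the thread describes: well below the sustainable rate nothing is lost, while a prefetching or validating resolver that bursts far above it exhausts the table and every further query, including unrelated ones from other hosts behind the same box, is dropped until entries age out. The quantity Bert asks for at the end of his message, the actual query rate, is the value to compare against `capacity / idle_timeout` for the router in question.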


