[dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow

George Barwood george.barwood at blueyonder.co.uk
Wed Sep 22 05:46:28 UTC 2010


----- Original Message ----- 
From: "Florian Weimer" <fw at deneb.enyo.de>
To: <dns-operations at mail.dns-oarc.net>
Sent: Wednesday, September 22, 2010 6:05 AM
Subject: [dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow


> I've noticed that some time after switching on my home workstation and
> doing a bit web browsing, DNS resolution ceases to work for a minute
> or two.  Unbound (which runs locally and starts from a cold cache)
> shows a growing request list during that time.  Many of the requests
> are triggered by DNS prefetching, and cause subsequent DLV, A, AAAA
> and NS requests which are related to Unbound's hardening features and
> only indirectly caused by client queries.  When the phenomenon occurs,
> "dig" does not work, either, with or without DNSSEC, both from the
> workstation and other machines behind the same NAT router.  The DNS
> proxy on the NAT router ceases to work, too.
> 
> I suspect that this might be caused by state table overflow in the
> cheap NAT box (an AVM Fritzbox 7390, which is supposed to forward
> non-proxied DNS requests unmolested).  Existing UDP flows continue to
> work fine.  I have yet to see if switching off source port
> randomization improves things.

Yes, I think that's a good hypothesis, at least that there is a problem with
the NAT box (it could be various things besides state table overflow).
I have seen quite a few failures with different NAT boxes when operating a
local resolver. Generally they go away (for a time) when the box is reset.
As you say, it's generally quite hard to delve into these boxes to see what is going on.

> Has anybody else seen this behavior?  It is a bit difficult to
> attribute it to the NAT router because it's a black box for me right
> now.  It could also be some sort of DoS or enumeration protection in a
> transparent DNS proxy at the ISP (1&1 reselling VDSL from Deutsche
> Telekom).

I doubt it is the ISP, more likely to simply be the NAT box failing
or hitting some kind of limit.

George
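As an added illustration (not part of the thread, and not code from Unbound or the AVM router), the following Python model replays a burst of resolver queries through a NAT with a fixed-size UDP mapping table and idle-timeout expiry. It shows the behaviour described above: once the table is full, new lookups fail while established flows keep working, and a fresh source port per query (what source port randomization amounts to from the NAT's point of view) consumes one mapping per query instead of one per upstream server. The table size, timeout, query rate, server count and 192.0.2.x addresses are constructed assumptions, not measurements of any router.

```python
"""Model of the thread's hypothesis: a local validating resolver behind a
cheap NAT box fills the router's UDP mapping table, so new lookups fail
while already-established flows keep working.

Constructed model, not Unbound's or the Fritzbox's code. Assumptions:
a fixed-size UDP mapping table, idle-timeout expiry, one mapping per
(src_port, dst_ip, dst_port) tuple, placeholder TEST-NET-1 addresses.
"""
from dataclasses import dataclass

DNS_PORT = 53


@dataclass(frozen=True)
class Query:
    t_ms: int      # send time in milliseconds since resolver start
    dst_ip: str    # upstream server the resolver sends to
    src_port: int  # resolver's local UDP source port


def simulate_nat(queries, table_size, idle_timeout_ms):
    """Replay queries through a NAT with a fixed-size UDP mapping table.

    Returns (dropped, peak): the number of queries that could not get a
    mapping because the table was full, and the peak number of live
    mappings. A mapping is keyed on (src_port, dst_ip, DNS_PORT), is
    refreshed when reused, and expires idle_timeout_ms after its last
    packet, which is how an idle-timeout NAT behaves.
    """
    live = {}          # mapping key -> expiry time (ms)
    dropped = 0
    peak = 0
    for q in sorted(queries, key=lambda q: q.t_ms):
        # Reclaim mappings whose idle timer has run out before this packet.
        for key in [k for k, exp in live.items() if exp <= q.t_ms]:
            del live[key]
        key = (q.src_port, q.dst_ip, DNS_PORT)
        if key in live:
            # An existing flow keeps working even when the table is full,
            # matching the observation that established UDP flows survive.
            live[key] = q.t_ms + idle_timeout_ms
        elif len(live) >= table_size:
            dropped += 1   # no room for a new mapping: this lookup fails
            continue
        else:
            live[key] = q.t_ms + idle_timeout_ms
        peak = max(peak, len(live))
    return dropped, peak


def workload(n, n_servers, interval_ms, fresh_port_per_query):
    """Constructed burst of n resolver queries, one every interval_ms,
    round-robin over n_servers placeholder upstream addresses.

    fresh_port_per_query=True stands in for source port randomization:
    every query leaves on a port not shared with any live flow (made
    unique here for determinism). False models a single fixed port.
    """
    servers = [f"192.0.2.{i + 1}" for i in range(n_servers)]  # TEST-NET-1
    out = []
    for i in range(n):
        port = 1024 + i if fresh_port_per_query else 5353
        out.append(Query(t_ms=i * interval_ms,
                         dst_ip=servers[i % n_servers],
                         src_port=port))
    return out


# Parameters chosen for the model, not measured from any router:
TABLE_SIZE = 256          # UDP mappings the NAT box can hold
IDLE_TIMEOUT_MS = 30_000  # idle timeout for a UDP mapping
QUERIES = 2000            # 100 s of prefetch/DLV/hardening lookups
INTERVAL_MS = 50          # 20 queries per second
SERVERS = 50              # distinct upstream addresses contacted


def compare():
    """Run both workloads through the same NAT model."""
    randomized = workload(QUERIES, SERVERS, INTERVAL_MS, True)
    fixed = workload(QUERIES, SERVERS, INTERVAL_MS, False)
    return {
        "randomized": simulate_nat(randomized, TABLE_SIZE, IDLE_TIMEOUT_MS),
        "fixed_port": simulate_nat(fixed, TABLE_SIZE, IDLE_TIMEOUT_MS),
    }


if __name__ == "__main__":
    for name, (dropped, peak) in compare().items():
        print(f"{name:11s} dropped={dropped:5d} peak_mappings={peak}")
```

With these parameters the fresh-port workload pins the table at its 256-entry limit and loses roughly half of the queries in each timeout period, while the fixed-port workload never needs more than one mapping per upstream server and loses none. That is why disabling source port randomization can appear to "fix" the router, but it reopens the cache-poisoning exposure that randomization exists to close; from a defender's view the better levers are a larger state table or shorter UDP timeout on the NAT, fewer speculative lookups (prefetch, DLV), or placing the resolver where its upstream traffic is not NATed.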
