[dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow
george.barwood at blueyonder.co.uk
Wed Sep 22 05:46:28 UTC 2010
----- Original Message -----
From: "Florian Weimer" <fw at deneb.enyo.de>
To: <dns-operations at mail.dns-oarc.net>
Sent: Wednesday, September 22, 2010 6:05 AM
Subject: [dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow
> I've noticed that some time after switching on my home workstation and
> doing a bit web browsing, DNS resolution ceases to work for a minute
> or two. Unbound (which runs locally and starts from a cold cache)
> shows a growing request list during that time. Many of the requests
> are triggered by DNS prefetching, and cause subsequent DLV, A, AAAA
> and NS requests which are related to Unbound's hardening features and
> only indirectly caused by client queries. When the phenomenon occurs,
> "dig" does not work, either, with or without DNSSEC, both from the
> workstation and other machines behind the same NAT router. The DNS
> proxy on the NAT router ceases to work, too.
> I suspect that this might be caused by state table overflow in the
> cheap NAT box (an AVM Fritzbox 7390, which is supposed to forward
> non-proxied DNS requests unmolested). Existing UDP flows continue to
> work fine. I have yet to see if switching off source port
> randomization improves things.
Yes, I think that's a good hypothesis, at least that there is a problem with
the NAT box (it could be various things besides state table overflow).
I have seen quite a few failures with different NAT boxes when operating a
local resolver. Generally they go away (for a time) when the box is reset.
As you say, it's generally quite hard to delve into these boxes to see what is going on.
> Has anybody else seen this behavior? It is a bit difficult to
> attribute it to the NAT router because it's a black box for me right
> now. It could also be some sort of DoS or enumeration protection in a
> transparent DNS proxy at the ISP (1&1 reselling VDSL from Deutsche
I doubt it is the ISP, more likely to simply be the NAT box failing
or hitting some kind of limit.
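The failure pattern described above (new lookups fail while established UDP flows keep working, then service returns after a minute or two) is what a full NAT state table with an idle timeout and no eviction produces. The following is an added example written for this page, not code from the thread, from Unbound or from AVM: a toy model of such a table, driven by a burst of resolver queries. The capacity (4096 entries), the UDP idle timeout (30 s), the query rate and the assumption that the box keys UDP state on the full (source port, destination address, destination port) tuple and refuses new mappings when full are all hypothetical choices for illustration, not measured Fritzbox behaviour.

```python
"""Toy NAT state table model (added example; all parameters hypothetical)."""
import random


class NatTable:
    """UDP state table with fixed capacity, idle timeout and no eviction:
    a new mapping is refused when the table is full, existing ones pass."""

    def __init__(self, capacity, udp_timeout):
        self.capacity = capacity
        self.timeout = udp_timeout
        self.entries = {}      # mapping key -> time the entry was last used
        self.refused = 0

    def expire(self, now):
        """Drop entries idle for at least the timeout (assumed policy)."""
        for key in [k for k, t in self.entries.items() if now - t >= self.timeout]:
            del self.entries[key]

    def send(self, now, key):
        """Outbound datagram at time `now`; True if the box forwards it."""
        self.expire(now)
        if key in self.entries:
            self.entries[key] = now   # existing flow: refresh and forward
            return True
        if len(self.entries) >= self.capacity:
            self.refused += 1         # new flow needs a fresh entry: none left
            return False
        self.entries[key] = now
        return True


def resolver_burst(table, n_queries, rate, n_servers, randomize_ports, seed=1):
    """Send n_queries at `rate` queries/s to n_servers authoritatives through
    `table`. Returns (forwarded, refused, time_of_first_refusal_or_None).

    With port randomization every query is a new 4-tuple; without it the
    resolver reuses one fixed port, so entries are bounded by n_servers
    (this only helps if the NAT keys on the full tuple, as assumed here)."""
    rng = random.Random(seed)
    ports = list(range(1024, 65536))
    rng.shuffle(ports)            # unique ports per query; avoids collisions
    forwarded = 0
    first_refused = None
    for i in range(n_queries):
        now = i / rate
        sport = ports[i % len(ports)] if randomize_ports else 5353
        server = rng.randrange(n_servers)
        if table.send(now, (sport, server, 53)):
            forwarded += 1
        elif first_refused is None:
            first_refused = now
    return forwarded, table.refused, first_refused


if __name__ == "__main__":
    for randomized in (True, False):
        fwd, ref, first = resolver_burst(NatTable(4096, 30), 12000, 200, 500, randomized)
        print("randomized ports" if randomized else "fixed port",
              "forwarded", fwd, "refused", ref, "first refusal at", first)
```

With these parameters the randomized-port run fills the table about 20 s in, refuses every new flow until the oldest entries reach the 30 s timeout, then recovers, and the gap in forwarded entries causes a second outage later, which matches the intermittent pattern in the report. The rule of thumb the model encodes is that a 4-tuple-keyed NAT needs roughly (sustained outbound queries per second) x (UDP idle timeout in seconds) entries for a randomizing resolver.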