[dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow

George Michaelson ggm at apnic.net
Wed Sep 22 05:59:23 UTC 2010


This happens on dynalink 1320 class home ADSL/Nat boxes.

safari and the newer chrome prefetch flooded DNS.

installing a local unbound with cached state limited this.

A typical scenario is:
	2 mac users
	each has a 'open 10 panes' command eg tabset
	each then forces 
		10 panes of DNS
			sub-DNS for ads, popups, other content
	20-30+ simultaneous DNS emit through the NATbox


On 22/09/2010, at 3:05 PM, Florian Weimer wrote:

> I've noticed that some time after switching on my home workstation and
> doing a bit web browsing, DNS resolution ceases to work for a minute
> or two.  Unbound (which runs locally and starts from a cold cache)
> shows a growing request list during that time.  Many of the requests
> are triggered by DNS prefetching, and cause subsequent DLV, A, AAAA
> and NS requests which are related to Unbound's hardening features and
> only indirectly caused by client queries.  When the phenomenon occurs,
> "dig" does not work, either, with or without DNSSEC, both from the
> workstation and other machines behind the same NAT router.  The DNS
> proxy on the NAT router ceases to work, too.
> I suspect that this might be caused by state table overflow in the
> cheap NAT box (an AVM Fritzbox 7390, which is supposed to forward
> non-proxied DNS requests unmolested).  Existing UDP flows continue to
> work fine.  I have yet to see if switching of source port
> randomization improves things.
> Has anybody else seen this behavior?  It is a bit difficult to
> attribute it to the NAT router because it's a black box for me right
> now.  It could also be some sort of DoS or enumeration protection in a
> transparent DNS proxy at the ISP (1&1 reselling VDSL from Deutsche
> Telekom).
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list