[dns-operations] Who Ignores TTLs ?

Roy Arends roy at dnss.ec
Tue Feb 22 09:04:22 UTC 2011


On Feb 22, 2011, at 1:13 AM, Livingood, Jason wrote:

>> 2) Incredible bursts
>> 
>> We very often see a massive amount of requests from a single address, for
>> a single domain name. Sometimes 200-300 queries within a few hundred
>> milliseconds (with an average delta of 3 milliseconds between queries).
>> The load vaporizes as soon as the resolver receives the first response we
>> send. This is not a DDoS, and normally, this will be hidden in the noise
>> and thunder of the regular load.
> 
> Wow...  It'd be interesting to determine what resolver software is in use
> when you see this. 

We see it from different independent code bases, it seems.

For each burst, we see different, random DNS identifiers. So it's really the DNS software that repeats it. Sometimes port numbers are incremental, sometimes it's random. Sometimes EDNS is set. It's qname and qtype independent. Most of these resolvers are regular queriers, i.e. we see a stable steady load with an expected diurnal and weekly pattern. Closed resolvers.

However, though the DNS software generates the queries, since it seems vendor independent, we think it might be a network 'hiccup', where all outgoing queries are stalled and buffered for a few seconds (minutes) and then flushed through. I remember in early 2003 I noticed something similar when I changed a firewall ruleset, where the moment I applied the new rule-set, traffic was stalled and buffered for over a minute.

In general, iterative resolvers get aggressive when they're deprived of responses.

Kind regards,

Roy
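
Added example, not part of the original post or of any software the posters run: a sketch of how an authoritative operator could pick the bursts described in this thread out of a query log and record whether DNS IDs and source ports vary within each one. The record layout, the thresholds (`min_queries`, `max_gap_ms`) and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

def summarize(key, run):
    """Describe one burst: size, pacing, and the ID/port behaviour the post mentions."""
    deltas = [b[0] - a[0] for a, b in zip(run, run[1:])]
    ports = [r[2] for r in run]
    incremental = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    return {
        "src": key[0], "qname": key[1], "qtype": key[2],
        "queries": len(run),
        "span_ms": run[-1][0] - run[0][0],
        "mean_delta_ms": mean(deltas) if deltas else 0,
        "distinct_ids": len({r[1] for r in run}),
        "ports": "incremental" if incremental else "non-sequential",
    }

def find_bursts(records, min_queries=200, max_gap_ms=10):
    """records: (ts_ms, src, qname, qtype, dns_id, sport) tuples from a query log.
    Thresholds are assumptions chosen to match the figures quoted in the thread."""
    by_key = defaultdict(list)
    for ts, src, qname, qtype, dns_id, sport in records:
        by_key[(src, qname.lower(), qtype)].append((ts, dns_id, sport))
    bursts = []
    for key, rows in by_key.items():
        rows.sort(key=lambda r: r[0])            # order by arrival time
        run = [rows[0]]
        for row in rows[1:]:
            if row[0] - run[-1][0] <= max_gap_ms:
                run.append(row)                  # still inside the same burst
                continue
            if len(run) >= min_queries:
                bursts.append(summarize(key, run))
            run = [row]
        if len(run) >= min_queries:              # flush the final run
            bursts.append(summarize(key, run))
    return bursts

def constructed_sample():
    """Constructed data: one 250-query burst at 3 ms spacing plus steady background."""
    burst = [(1000 + 3 * i, "192.0.2.10", "example.nl", "A", (7919 * i) % 65536, 40000 + i)
             for i in range(250)]
    steady = [(500 * i, "198.51.100.5", "example.nl", "A", (104729 * i) % 65536, 5300 + 17 * i)
              for i in range(60)]
    return burst + steady

if __name__ == "__main__":
    for b in find_bursts(constructed_sample()):
        print(b)
```

A high `distinct_ids` count relative to `queries` separates fresh queries generated by the resolver from retransmissions of a single packet.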
