[dns-operations] Who Ignores TTLs ?

Florian Weimer fweimer at bfk.de
Tue Feb 22 09:44:04 UTC 2011


* Roy Arends:

> The bulk of caching resolvers will adhere to TTL, but not the exact
> value. Mostly, we see resolvers come back slightly before TTL
> expires. Don't know the exact error rate yet, will have to
> investigate.

I expect that more resolvers will be deployed which implement
prefetching of frequently queried names, so you'll see more resolvers
which come back before the TTL expires.

> We very often see a massive amount of requests from a single address,
> for a single domain name. Sometimes 200-300 queries within a few
> hundred milliseconds (with an average delta of 3 milliseconds
> between queries). The load vaporizes as soon as the resolver
> receives the first response we send. This is not a DDoS, and
> normally, this will be hidden in the noise and thunder of the
> regular load.

I would expect such behavior for a really popular name if the resolver
does not collapse queries with an identical question section.

> Due to caches capping negative caching to a few minutes (independent
> of a higher ttl in the SOA), we see a disproportionate query rate
> for names that do not exist. In theory, there are many more names
> that do not exist compared to those that do exist, however in
> practice (tested in November 2009) using one day of query-load on a
> single nameserver, the set of queries for unique existing names is
> larger than the set of queries for unique non-existing names. The
> reason I mention it here is that caches can be configured to override
> negative TTL.

Isn't it more likely that someone (or several someones) run dictionary
attacks against your zone?

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
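As an added illustration for the three resolver behaviours discussed in this exchange (not code from the thread or from any real resolver): a small clock-driven Python model of a cache that either collapses identical in-flight questions or forwards every copy upstream, caps the negative-cache TTL below the SOA-derived value, and prefetches a popular name shortly before its TTL runs out. The zone, the TTLs, the authoritative round trip and the client timings are all constructed; only the three mechanisms themselves are taken from the discussion.

```python
"""Toy, clock-driven model of three resolver behaviours: collapsing
identical in-flight queries, capping negative-cache TTL, and prefetching
before expiry.  Constructed example; the zone, TTLs and timings are
invented.  The clock is in integer milliseconds, TTLs in seconds."""

NXDOMAIN = None  # constructed marker for a negative answer


def authoritative(qname, qtype):
    """Constructed zone: one popular name, everything else does not exist.
    Returns (answer, ttl_seconds); for NXDOMAIN the TTL stands in for the
    SOA-derived negative TTL."""
    if qname == "www.example.test":
        return ("192.0.2.1", 300)
    return (NXDOMAIN, 86400)


class ToyResolver:
    def __init__(self, collapse=True, max_negative_ttl=None, prefetch_before=0, rtt=100):
        self.collapse = collapse                  # dedupe identical outstanding questions
        self.max_negative_ttl = max_negative_ttl  # cap on negative caching, seconds
        self.prefetch_before = prefetch_before    # refresh this many ms before expiry
        self.rtt = rtt                            # simulated authoritative round trip, ms
        self.cache = {}     # (qname, qtype) -> (answer, ttl_seconds, expires_at_ms)
        self.inflight = {}  # (qname, qtype) -> ms at which the first response arrives
        self.upstream = []  # every (ms, qname, qtype) actually sent to the authority

    def _send_upstream(self, key, now):
        self.upstream.append((now, *key))
        # Whatever we sent, the first response to arrive answers the question
        self.inflight.setdefault(key, now + self.rtt)

    def _store(self, key, answer, ttl, arrived):
        # Negative answers are cached for min(SOA-derived TTL, configured cap)
        if answer is NXDOMAIN and self.max_negative_ttl is not None:
            ttl = min(ttl, self.max_negative_ttl)
        self.cache[key] = (answer, ttl, arrived + ttl * 1000)

    def query(self, qname, qtype, now, zone=authoritative):
        key = (qname, qtype)
        arrived = self.inflight.get(key)
        if arrived is not None and arrived <= now:  # the response has come back
            self._store(key, *zone(qname, qtype), arrived)
            del self.inflight[key]
        cached = self.cache.get(key)
        if cached and cached[2] > now:
            answer, _ttl, expires = cached
            if (self.prefetch_before and expires - now <= self.prefetch_before
                    and key not in self.inflight):
                self._send_upstream(key, now)  # refresh ahead of expiry
            return answer
        # Cache miss: a collapsing resolver joins the outstanding query,
        # a non-collapsing one sends yet another copy upstream.
        if key not in self.inflight or not self.collapse:
            self._send_upstream(key, now)
        return "pending"  # a real resolver would hold the client until the answer lands


def burst_upstream_count(collapse, clients=250, spacing=3, rtt=100):
    """Identical questions for a popular name, `spacing` ms apart, while the
    first answer is still in flight.  Returns the number sent upstream."""
    r = ToyResolver(collapse=collapse, rtt=rtt)
    for i in range(clients):
        r.query("www.example.test", "A", i * spacing)
    return len(r.upstream)


def prefetch_lead_ms(prefetch_before):
    """How many ms before expiry the popular name is refreshed (0 = never)."""
    r = ToyResolver(prefetch_before=prefetch_before)
    r.query("www.example.test", "A", 0)
    r.query("www.example.test", "A", 100)      # response arrives and is cached
    r.query("www.example.test", "A", 290_000)  # about 10 s before the 300 s TTL ends
    expires = r.cache[("www.example.test", "A")][2]
    return expires - r.upstream[-1][0] if len(r.upstream) > 1 else 0


def nxdomain_upstream_per_day(max_negative_ttl):
    """One client asking for a missing name once a minute for a day.
    Returns (queries sent upstream, effective negative TTL in seconds).
    rtt=0 keeps the expiry arithmetic exact."""
    r = ToyResolver(max_negative_ttl=max_negative_ttl, rtt=0)
    key = ("nope.example.test", "A")
    for minute in range(1440):
        r.query(*key, minute * 60_000)
    return len(r.upstream), r.cache[key][1]


if __name__ == "__main__":
    print("burst, collapsing:     ", burst_upstream_count(True))
    print("burst, non-collapsing: ", burst_upstream_count(False))
    print("prefetch lead (ms):    ", prefetch_lead_ms(15_000))
    print("NXDOMAIN/day, no cap:  ", nxdomain_upstream_per_day(None))
    print("NXDOMAIN/day, 180 s:   ", nxdomain_upstream_per_day(180))
```

The burst scenario reproduces the pattern Roy describes: with a 100 ms round trip and arrivals 3 ms apart, a non-collapsing cache forwards every question that arrives before the first answer (34 here) and goes quiet the moment that answer lands, while a collapsing cache sends exactly one. The negative-cache scenario shows why a local cap matters more than the zone's SOA value: a single client re-asking for a non-existent name every minute costs the authority one query per day when the 86400 s negative TTL is honoured, but 480 queries per day once the cache caps it at 180 s.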


