[dns-operations] Odd MX queries

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon Mar 11 16:12:13 UTC 2013


Hi Vernone

>> Has anyone an idea what the source of this traffic pattern is? It's also
>> interesting to note that quite a lot of 2nd-level queries result in
>> NXDOMAIN responses.
> 
> Which RRL implementation are you using?  If it is the BIND9 RRL
> implementation, then how are the NXDOMAIN responses evading that limit?

I'm using the current BIND9 9.8.4 RPZ+RRL patch. It's completely evading
DNS-RRL on the tld-nameserver, where there are a lot of different
query-names and the RCODE is NOERROR.

On the 2nd-level name-server the MX query rate is only about 120 qps. I
guess it's too few queries to trigger my "generous" DNS-RRL config. I
have response-per-second 20.

For example, within 15 minutes 81 different query-names are sent. The
domain which is queried the most is used 186 times within 15 minutes.
That's way below the DNS-RRL config threshold. However, it's nothing
which concerns me. As said, the abusive traffic on the 2nd-level
name-server is quite low. On the tld name-server it was different.

Sorry that I was not clear on that.

Daniel
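
The effect described in the message above, as an added example that is not part of the original post: a simplified per-bucket rate check over a constructed query log, showing why 120 qps spread over 81 names stays under a limit of 20 while the same rate for one name does not. The bucket key (client /24 plus query name), the per-second peak measure and the sample traffic are assumptions for illustration, not BIND's actual RRL accounting.

```python
import ipaddress
from collections import Counter, defaultdict

RESPONSES_PER_SECOND = 20  # limit quoted in the message
IPV4_PREFIX = 24           # assumption: clients are grouped per /24


def rrl_key(client_ip, qname):
    """Approximate rate-limit bucket: client network plus query name."""
    net = ipaddress.ip_network(f"{client_ip}/{IPV4_PREFIX}", strict=False)
    return (str(net), qname.lower().rstrip("."))


def peak_rates(queries):
    """queries: iterable of (epoch_second, client_ip, qname).
    Returns {bucket: highest number of queries seen in any one second}."""
    per_second = Counter()
    for ts, ip, qname in queries:
        per_second[(rrl_key(ip, qname), int(ts))] += 1
    peaks = defaultdict(int)
    for (key, _second), count in per_second.items():
        peaks[key] = max(peaks[key], count)
    return dict(peaks)


def over_limit(queries, limit=RESPONSES_PER_SECOND):
    """Buckets whose peak per-second rate exceeds the limit."""
    return {k: v for k, v in peak_rates(queries).items() if v > limit}


def build_sample(names, qps, seconds, client="192.0.2.10"):
    """Constructed traffic: qps queries per second, rotated over `names` names."""
    return [(t, client, f"name{(t * qps + i) % names}.example.")
            for t in range(seconds) for i in range(qps)]


if __name__ == "__main__":
    spread = build_sample(names=81, qps=120, seconds=10)
    single = build_sample(names=1, qps=120, seconds=10)
    print("spread: buckets", len(peak_rates(spread)),
          "max peak", max(peak_rates(spread).values()),
          "over limit", over_limit(spread))
    print("single: over limit", over_limit(single))
```
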


