[dns-operations] Odd MX queries

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon Mar 11 18:40:10 UTC 2013


On 11.03.13 18:07, Vernon Schryver wrote:
>> From: Daniel Stirnimann <daniel.stirnimann at switch.ch>
> 
>> I'm using the current BIND9 9.8.4 RPZ+RRL patch. It's completely evading
>> DNS-RRL on the tld-nameserver where a lot of different query-names and
>> the RCODE is NOERROR.
> 
> All of the domains in the first list in your previous message 
> give me NXDOMAIN.
> 
> How is it evading the BIND9 RRL referral limit on your TLD server?

Good question.

One error I made is that there are lots of different IP addresses
sending these queries. The IP address 203.45.217.122 which I referred to
in my original post sends about 50 qps but there are roughly 5800 other
IPs sending this traffic as well. Some only one query within 15 minutes
but most something between 1 qps and 40 qps.

The few IP addresses which send more than my threshold
(response-per-second 20) are rate-limited.

When I looked at the DSC rcode graph it seemed like the same amount of
queries were answered. However, in fact about 10 up to 80 IPs were rate
limited at any given time.

I would have gotten a "better" rate-limiting with a lower threshold but
in the end the botnet is probably just too large.

>> For example, within 15 minutes 81 different query-names are sent. The
>> domain which is queried the most is used 186 times within 15 minutes.
>> That's way below the DNS-RRL config threshold. However, it's nothing
>> which concerns me. As said, the abusive traffic on the 2nd-level
>> names-server is quite low. On the tld name-server it was different.
> 
> Yes, 81 names/15 minutes is only about 0.1 qps.

Sorry, bad wording from myself. 81 unique query-names. The end result is
higher than 0.1 qps but still irrelevant.

Daniel
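Added illustration of the point above, not code from the thread or from BIND: a simplified model of RRL buckets, run over constructed traffic from thousands of low-rate clients with a responses-per-second threshold of 20. It assumes NXDOMAIN answers share one bucket per client and zone while NOERROR answers are keyed by name, and ignores /24 client grouping, slip and window smoothing; the client addresses, rates and names are constructed.

```python
# Added example (not from the thread or BIND): a simplified model of RRL
# bucketing, used to show why traffic spread over thousands of low-rate
# clients stays under a per-client responses-per-second threshold.
import random
from collections import defaultdict

RESPONSES_PER_SECOND = 20          # threshold quoted in the thread

def rrl_key(client, rcode, qname, zone):
    # Bucket identity, modelled on RRL: all NXDOMAINs from a zone share one
    # bucket per client; NOERROR answers are keyed by the name itself.
    # Assumptions: no /24 client grouping, no "slip", no window smoothing.
    if rcode == "NXDOMAIN":
        return (client, "NXDOMAIN", zone)
    return (client, rcode, qname)

def simulate(queries, limit=RESPONSES_PER_SECOND):
    """queries: iterable of (second, client, rcode, qname, zone).
    Returns (answered, dropped, set of clients that hit the limit)."""
    sent = defaultdict(int)
    answered = dropped = 0
    limited = set()
    for sec, client, rcode, qname, zone in queries:
        key = (sec,) + rrl_key(client, rcode, qname, zone)
        if sent[key] < limit:
            sent[key] += 1
            answered += 1
        else:
            dropped += 1
            limited.add(client)
    return answered, dropped, limited

def client_rates(n_clients, seed=1):
    """Constructed botnet: client i gets a fixed rate of 1..40 qps (RFC 1918
    addresses, not real sources), so most clients stay under the threshold."""
    rng = random.Random(seed)
    return {f"10.{i // 256}.{i % 256}.1": rng.randint(1, 40) for i in range(n_clients)}

def botnet_traffic(rates, seconds, rcode, names, zone):
    """Each client sends its rate every second, cycling through `names`."""
    for sec in range(seconds):
        for client, rate in rates.items():
            for q in range(rate):
                yield sec, client, rcode, names[(sec * rate + q) % len(names)], zone

if __name__ == "__main__":
    rates = client_rates(5800)
    names = [f"host{i}.example." for i in range(81)]   # constructed names
    for rcode in ("NXDOMAIN", "NOERROR"):
        a, d, lim = simulate(botnet_traffic(rates, 3, rcode, names, "example."))
        print(f"{rcode}: answered={a} dropped={d} limited_clients={len(lim)}")
```

With NXDOMAIN only the clients above 20 qps lose anything, and with NOERROR over 81 cycling names no bucket ever fills, so the aggregate query load is barely reduced either way.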
