[dns-operations] Google DNS used as amplification - aren't they caching?
Paul Wouters
paul at nohats.ca
Wed Aug 6 15:10:33 UTC 2014
Hi,
My nohats.ca domain has been under a couple-of-weeks-long ANY attack. I
assume spoofed IPs querying open resolvers that in turn have their upstream
DNS send me queries.
The vast majority of queries are coming from Google's many IP addresses.
While I understand it must be an impressive ANYCAST network, I am still
surprised to see millions of queries coming for data that has a TTL=1d.
It is as if Google is hardly caching anything.....
The top 30 queries in the last two weeks, based on logging at most 1q/s:
It seems that the nsd ratelimits to send TC=1 aren't working well either
to reduce the incoming amount of UDP queries.
Why does Google DNS seem so inefficient at caching?
Paul
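
One way to see how much of this kind of load comes from a single operator's resolver fleet rather than from individual addresses is to roll per-source query counts up by network prefix. This is an added example, not part of the original post; the "count address" input form, the /24 and /48 prefix lengths, and the sample addresses (documentation ranges, constructed) are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in "count address" form; all addresses are
# documentation ranges, not real resolvers.
SAMPLE = """\
187695 192.0.2.87
187704 192.0.2.84
191305 198.51.100.208
191528 198.51.100.209
198712 2001:0db8:0000:a102:0000:0000:0add:9999
299526 2001:0db8:0000:a0a1:0000:0000:0add:1010
690838 203.0.113.116
872689 203.0.113.115
"""


def prefix_of(addr, v4_len=24, v6_len=48):
    """Return the enclosing network for addr (assumed /24 for v4, /48 for v6)."""
    ip = ipaddress.ip_address(addr)
    plen = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def aggregate(text):
    """Sum query counts per prefix; return (prefix, queries, sources) rows,
    highest query total first. Malformed lines are skipped."""
    totals = Counter()
    sources = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        try:
            net = prefix_of(parts[1])
        except ValueError:  # second field is not an IP address
            continue
        totals[net] += int(parts[0])
        sources[net] += 1
    return [(str(net), n, sources[net]) for net, n in totals.most_common()]


if __name__ == "__main__":
    for prefix, queries, count in aggregate(SAMPLE):
        print(f"{queries:>9}  {prefix:<20} ({count} source addresses)")
```
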