[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

David C Lawrence tale at akamai.com
Wed Dec 31 15:09:57 UTC 2014


Jeroen Massar writes:
> A host of mine is receiving a lot of requests towards
> applicast.ga.sony.net, eg, every minute when that TV Is on:
...
> and so on and on.... are these not because of stale DNS data?

I honestly don't know, but it seems unlikely.  I'll not claim its
impossible though.  Or, more aptly, it seems obvious that SOMEONE has
stale data somewhere, but it is unlikely that it is our resolvers with
the serve-stale feature.

Knowing the feature intimately, I can tell you a couple of other things:

* The name applicast.ga.sony.net is resolving just fine, so even if it
  were slow to resolve the caches would get the current authoritative
  value and use that going forward.

* The length of time for which the resolver will continue to use stale
  data is itself capped.  It is the "canary in the coal mine" --
  monitored to warn of a DNS problem before it really blows up.  If
  the problem can't be fixed within a reasonable amount of time, then
  the stale entry is purged anyway and things start really failing.

You didn't say how long that particular example has been an issue, but
it sounds like you've been seeing it for longer than the hard cap.

Also, the one IP address you showed that is doing it is not an Akamai
host.  We don't currently run a customer-facing resolver service so
our serve-stale feature for internal operations would not present
stale DNS data to an external client.

I'll try to have someone look into what's going on, but it'll be slow
at this particular time of year.  The best people for it might well be
on winter holiday.  Right now I'm more suspicious that someone
embedded IP addresses somewhere, not that stale DNS data is being
used.



More information about the dns-operations mailing list