[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

Jim Martin jrmii at isc.org
Tue Feb 10 21:44:18 UTC 2015


Bert,
	This is certainly not our intention for legitimate queries, but as others have stated, very likely a side effect of running RRL. Are you seeing this anytime you get 5 NXDOMAINs/s (on any query), or anytime you get 5 NXDOMAINs/s for the same query? If it’s only when you’re asking the exact same question over and over (as your example code indicates), it may not be easily distinguishable from attack behaviour.

	I’ll have some of my team look into it and get back to you. Thanks for bringing this up!

	- Jim

> On Feb 10, 2015, at 7:02 PM, bert hubert <bert.hubert at netherlabs.nl> wrote:
> 
> Hi everybody,
> 
> Recently at a large deployment, we ran into f.root-servers.net returning
> TC=1 to all our queries. We took this up with ISC who quickly informed us
> that this is a setting they run with if you exceed more than 5 NXDOMAIN
> responses/s.
> 
> The installation in question services millions of subscribers, and sadly
> gets a lot of silly queries which leak to the root. We're unsure how to
> stay below 5 NXDOMAINs/s permanently.
> 
> You can reproduce this behaviour like this:
> 
> $ for a in {1..10}; do dig www.no-such-tld-$a -4 @f.root-servers.net ; done > log
> $ grep -E 'TCP|status:' log
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54154
> (...)
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4798
> ;; Truncated, retrying in TCP mode.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1549
> 
> We've since tried to curtail our queries to the root severely, but we still
> get TC=1 responses a lot, which slows down our resolution.
> 
> We shared our concerns with ISC, but it might be good to have a broader
> discussion on if it makes sense to set the bar so very low.
> 
> Your thoughts would be appreciated!
> 
> 	Bert
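To make the distinction Jim draws concrete, here is an added model (not ISC's, BIND's, or either poster's code) of a per-client NXDOMAIN rate limiter with a "slip" option that answers TC=1 instead of dropping every n-th limited response. It assumes a simplified fixed one-second window rather than a real token bucket, and the client address, names, and timings are constructed; bucketing on the exact query name leaves Bert's ten distinct names unlimited, while one shared NXDOMAIN bucket limits them after the fifth.

```python
from collections import Counter

LIMIT_PER_SECOND = 5  # the "5 NXDOMAINs/s" threshold discussed in the thread
SLIP = 2              # send every 2nd rate-limited answer as TC=1 instead of dropping


def rrl_decisions(queries, limit=LIMIT_PER_SECOND, slip=SLIP, key_by_qname=False):
    """Return one action per would-be NXDOMAIN response: 'answer', 'drop' or 'truncate'.

    queries: iterable of (time_ms, client, qname).  Responses are counted in
    fixed one-second windows per bucket key (a simplification of RRL's token
    bucket).  The key is the client plus either the exact query name
    (key_by_qname=True, "the same question over and over") or one shared
    NXDOMAIN class (key_by_qname=False, "any NXDOMAIN" from that client).
    """
    windows = {}  # bucket key -> [window_second, answered, rate_limited]
    actions = []
    for time_ms, client, qname in queries:
        key = (client, qname.lower()) if key_by_qname else (client, "NXDOMAIN")
        second = time_ms // 1000
        state = windows.get(key)
        if state is None or state[0] != second:
            state = windows[key] = [second, 0, 0]  # start a fresh window
        if state[1] < limit:
            state[1] += 1
            actions.append("answer")  # full NXDOMAIN answer over UDP
        else:
            state[2] += 1
            # "slip": every slip-th limited response goes out with TC=1 so a
            # real resolver retries over TCP, while spoofed floods get nothing
            actions.append("truncate" if slip and state[2] % slip == 0 else "drop")
    return actions


def distinct_burst():
    """Constructed: Bert's loop, ten different non-existent TLDs within 0.5 s."""
    return [(i * 50, "192.0.2.1", f"www.no-such-tld-{i}") for i in range(1, 11)]


def repeated_burst():
    """Constructed: the same non-existent name asked ten times within 0.5 s."""
    return [(i * 50, "192.0.2.1", "www.no-such-tld-1") for i in range(1, 11)]


if __name__ == "__main__":
    print("any NXDOMAIN, distinct names:", Counter(rrl_decisions(distinct_burst())))
    print("same name,    distinct names:", Counter(rrl_decisions(distinct_burst(), key_by_qname=True)))
    print("same name,    repeated name: ", Counter(rrl_decisions(repeated_burst(), key_by_qname=True)))
```

Under the shared-bucket policy the sixth and later responses alternate between silent drops and TC=1 answers, which is the pattern Bert's grep shows.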
