[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency
jeroen at massar.ch
Fri Jan 2 01:17:47 UTC 2015
On 2014-12-31 16:09, David C Lawrence wrote:
> Jeroen Massar writes:
>> A host of mine is receiving a lot of requests towards
>> applicast.ga.sony.net, e.g., every minute when that TV is on:
>> and so on and on.... are these not because of stale DNS data?
> I honestly don't know, but it seems unlikely. I'll not claim it's
> impossible though. Or, more aptly, it seems obvious that SOMEONE has
> stale data somewhere, but it is unlikely that it is our resolvers with
> the serve-stale feature.
Someone is the right word. Hard to determine where that is though and
why it is happening at multiple distinct sources.
> Knowing the feature intimately, I can tell you a couple of other things:
> * The name applicast.ga.sony.net is resolving just fine, so even if it
> were slow to resolve the caches would get the current authoritative
> value and use that going forward.
> * The length of time for which the resolver will continue to use stale
> data is itself capped. It is the "canary in the coal mine" --
> monitored to warn of a DNS problem before it really blows up. If
> the problem can't be fixed within a reasonable amount of time, then
> the stale entry is purged anyway and things start really failing.
> You didn't say how long that particular example has been an issue, but
> it sounds like you've been seeing it for longer than the hard cap.
4 months and more at least.
> Also, the one IP address you showed that is doing it is not an Akamai
> host. We don't currently run a customer-facing resolver service so
> our serve-stale feature for internal operations would not present
> stale DNS data to an external client.
> I'll try to have someone look into what's going on, but it'll be slow
> at this particular time of year. The best people for it might well be
> on winter holiday. Right now I'm more suspicious that someone
> embedded IP addresses somewhere, not that stale DNS data is being
A colleague of yours contacted me; I am providing him with more details so
he can dig into it.
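As an added illustration that is not part of the original thread and is not Akamai's resolver code, the following Python model captures the serve-stale behaviour described in the quoted reply: a cache keeps answering from an expired entry only while the upstream lookup is failing, only up to a hard cap (max_stale), and purges the entry once that cap passes; as soon as upstream answers again, the cache takes the current authoritative value. The hostname, addresses, TTL and cap are constructed sample data for the scenario.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class CacheEntry:
    rrset: list[str]
    expires_at: float  # absolute time at which the authoritative TTL runs out


class ServeStaleCache:
    """Toy model of a resolver cache with a serve-stale fallback.

    Illustrative only (assumed behaviour, not any vendor's implementation).
    """

    def __init__(self, max_stale: float):
        # Hard cap: how long past TTL expiry a stale entry may still be served.
        self.max_stale = max_stale
        self._entries: dict[str, CacheEntry] = {}

    def resolve(self, name: str, now: float, upstream):
        """Return (rrset, status); upstream(name) -> (rrset, ttl) or raises on failure."""
        entry = self._entries.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.rrset, "fresh"  # within TTL: answer from cache
        try:
            rrset, ttl = upstream(name)
        except Exception:
            # Upstream failed: serve the expired entry, but only inside the cap.
            if entry is not None and now < entry.expires_at + self.max_stale:
                return entry.rrset, "stale"
            # Past the cap: purge and fail loudly, as the quoted reply describes.
            self._entries.pop(name, None)
            return None, "servfail"
        # Upstream answered: replace whatever was cached with the current value.
        self._entries[name] = CacheEntry(rrset, now + ttl)
        return rrset, "fresh"


def run_scenario():
    """Walk one name through fresh -> stale -> purged -> fresh-with-new-address."""
    cache = ServeStaleCache(max_stale=3600)  # constructed cap: one hour
    name = "applicast.ga.sony.net"
    # Constructed sample data: TEST-NET-1 addresses, 60 s TTL.
    answers = {name: (["192.0.2.10"], 60)}
    state = {"up": True}

    def upstream(qname):
        if not state["up"]:
            raise RuntimeError("upstream timeout")
        return answers[qname]

    log = []
    log.append(cache.resolve(name, 0, upstream))      # miss -> fetched, fresh
    log.append(cache.resolve(name, 30, upstream))     # within TTL -> fresh from cache
    state["up"] = False
    log.append(cache.resolve(name, 90, upstream))     # expired, upstream down -> stale
    log.append(cache.resolve(name, 3661, upstream))   # past 60 + 3600 cap -> purged, servfail
    state["up"] = True
    answers[name] = (["192.0.2.20"], 60)              # authoritative data changed meanwhile
    log.append(cache.resolve(name, 4000, upstream))   # upstream back -> new address, fresh
    return log


if __name__ == "__main__":
    for rrset, status in run_scenario():
        print(status, rrset)
```

The point of the scenario is the fourth and fifth steps: a resolver with this kind of cap cannot keep handing out a months-old address, because after the cap it fails instead, and the moment upstream answers again it adopts the current record. Months of identical requests therefore point at something else, such as an address embedded in a device or a cache with no expiry at all.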