[dns-operations] Random question about Google resolver behaviour and long-lived TCP sessions

Jake Zack jake.zack at cira.ca
Thu Sep 26 20:51:50 UTC 2019


I'm trying to debug an issue and digging deeply into PCAP data on one of my authoritative DNS servers for a TLD.

Specifically, I'm looking at TCP, and one of the things I'm measuring is average length of TCP sessions.

For the most part, the output seems to be in the range that one might expect...
2019-09-18 15:25:12.534091 - Close connection with 173.252.127.52.45455 - duration: 0.0403399467468262 seconds
2019-09-18 15:25:12.548596 - Close connection with 69.171.251.10.37785 - duration: 0.0552659034729004 seconds
2019-09-18 15:25:12.633225 - Close connection with 201.249.172.71.34289 - duration: 0.0829939842224121 seconds
2019-09-18 15:25:12.633796 - Close connection with 201.249.172.71.55488 - duration: 0.0827949047088623 seconds
2019-09-18 15:25:12.708638 - Close connection with 68.29.64.228.56799 - duration: 0.0311019420623779 seconds
2019-09-18 15:25:12.708749 - Close connection with 68.29.64.228.58025 - duration: 0.029994010925293 seconds

But I occasionally discover outliers where the TCP sessions last much longer...and they're all (every single one of them over a 3 hour period) owned by Google...

2019-09-18 15:25:56.142138 - Close connection with 66.249.66.130.50925 - duration: 30.0402970314026 seconds *** OVER5
2019-09-18 15:25:56.809966 - Close connection with 66.249.66.149.49004 - duration: 30.0410430431366 seconds *** OVER5
2019-09-18 15:25:57.261133 - Close connection with 66.249.66.87.42293 - duration: 30.0400409698486 seconds *** OVER5
2019-09-18 15:25:58.926359 - Close connection with 66.249.66.212.40001 - duration: 30.0402669906616 seconds *** OVER5
2019-09-18 15:25:59.792171 - Close connection with 66.249.66.44.56640 - duration: 30.0407900810242 seconds *** OVER5
2019-09-18 15:26:01.443644 - Close connection with 66.249.66.202.49679 - duration: 30.040363073349 seconds *** OVER5
2019-09-18 15:26:02.400458 - Close connection with 66.249.66.92.63989 - duration: 30.0400891304016 seconds *** OVER5
2019-09-18 15:26:02.607956 - Close connection with 66.249.66.134.56630 - duration: 30.0398778915405 seconds *** OVER5
2019-09-18 15:26:02.961079 - Close connection with 66.249.66.86.52236 - duration: 30.0424818992615 seconds *** OVER5
2019-09-18 15:26:04.970860 - Close connection with 66.249.66.208.48889 - duration: 30.0415859222412 seconds *** OVER5
2019-09-18 15:26:05.815438 - Close connection with 66.249.66.61.36638 - duration: 38.813982963562 seconds *** OVER5
2019-09-18 15:26:06.594296 - Close connection with 66.249.66.43.62136 - duration: 33.7078130245209 seconds *** OVER5
2019-09-18 15:26:06.927392 - Close connection with 66.249.66.85.35095 - duration: 30.0403559207916 seconds *** OVER5
2019-09-18 15:26:07.825000 - Close connection with 66.249.66.199.49335 - duration: 30.0406250953674 seconds *** OVER5
2019-09-18 15:26:08.017335 - Close connection with 66.249.66.217.48327 - duration: 30.0403158664703 seconds *** OVER5
2019-09-18 15:26:08.721902 - Close connection with 66.249.66.94.55841 - duration: 30.0409507751465 seconds *** OVER5
2019-09-18 15:26:10.040823 - Close connection with 66.249.66.45.55152 - duration: 30.0403800010681 seconds *** OVER5
2019-09-18 15:26:16.919386 - Close connection with 66.249.66.60.42043 - duration: 30.0408978462219 seconds *** OVER5

In any case, I've ruled out this being the cause of the issue I was investigating, but it still seems odd that no other software/organizations are behaving in the same way.

So I guess the question for the OARC list would be...do you see this same kind of behaviour from Google?  And the question for Google is...what am I missing?  What's the need for this?

Thanks all,
-Jacob Zack
DNS Architect - CIRA (.CA TLD)
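
Added example, not part of the original post or the author's tooling: a way to summarise session-duration output in the format shown above by grouping long-lived sessions per source /24. The 5-second threshold is an assumption inferred from the "*** OVER5" marker, and the function names are hypothetical; the sample lines are copied from the post plus one constructed non-matching line.

```python
import re
import ipaddress
from collections import defaultdict
from statistics import median

# Log format as shown in the post; the peer field is tcpdump-style "IPv4.port".
LINE_RE = re.compile(
    r"^\S+ \S+ - Close connection with "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+) - duration: (?P<dur>[0-9.]+) seconds"
)
THRESHOLD = 5.0  # assumption: "*** OVER5" marks sessions longer than 5 seconds

# Sample input: five lines from the post and one constructed line that must be skipped.
SAMPLE = """\
2019-09-18 15:25:12.534091 - Close connection with 173.252.127.52.45455 - duration: 0.0403399467468262 seconds
2019-09-18 15:25:12.708638 - Close connection with 68.29.64.228.56799 - duration: 0.0311019420623779 seconds
2019-09-18 15:25:56.142138 - Close connection with 66.249.66.130.50925 - duration: 30.0402970314026 seconds *** OVER5
2019-09-18 15:26:05.815438 - Close connection with 66.249.66.61.36638 - duration: 38.813982963562 seconds *** OVER5
2019-09-18 15:26:06.594296 - Close connection with 66.249.66.43.62136 - duration: 33.7078130245209 seconds *** OVER5
this line is not a connection record (constructed)
"""

def parse(lines):
    """Yield (source_ip, source_port, duration_seconds) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            continue  # octet out of range, not a real address
        yield ip, int(m["port"]), float(m["dur"])

def long_sessions_by_prefix(lines, threshold=THRESHOLD, prefix_len=24):
    """Return {source_prefix: (count, median_duration, max_duration)} for long sessions."""
    buckets = defaultdict(list)
    for ip, _port, dur in parse(lines):
        if dur > threshold:
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            buckets[str(net)].append(dur)
    return {p: (len(d), median(d), max(d)) for p, d in buckets.items()}

if __name__ == "__main__":
    for prefix, (n, med, mx) in long_sessions_by_prefix(SAMPLE.splitlines()).items():
        print(f"{prefix}: {n} long sessions, median {med:.3f}s, max {mx:.3f}s")
```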