[dns-operations] maybe a small tcp flood

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jun 17 13:45:07 UTC 2021


On Thu, Jun 17, 2021 at 01:47:23AM -0700, Randy Bush wrote:

> trying to understand what we are seeing, and assume others are seeing
> it too.
> 
> tcp query flood for cctlds and sec.cctlds, could be others
> being sent via popular open servers: goog, neustar, ...
> O(100)qps or higher

- What was the duration of the event (UTC time start and end)?
- Any stats on the rtype(s)?
- Any stats on the mix of qnames?
    * Repeated or distinct?
    * Extant, NODATA or NXDOMAIN?
- Any stats on the upstream client distribution?

FWIW, if it was using Neustar (formerly Verisign) public DNS, it wasn't
the DANE survey, which presently only uses Google and CloudFlare (evenly
balanced for a few of the larger TLDs) and direct queries otherwise.

To elicit TCP requests from the public DNS providers the queries would
likely have to first elicit truncated UDP replies (DNSKEY RRset, signed
denial of existence, ...).  Did you also observe the associated UDP
traffic?

-- 
    Viktor.
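
[Added example, not part of the original message or of any list member's tooling.] One way to pull the statistics asked for above (event window, rtype mix, repeated vs. distinct qnames, extant/NODATA/NXDOMAIN split, client distribution, and whether each TCP query followed a truncated UDP reply) out of a query log. The log format, field order, addresses and names are constructed assumptions for illustration only.

```python
from collections import Counter

# Constructed sample log (hypothetical format, not any real server's):
# UTC-time proto client qname qtype rcode answer-count TC-flag
SAMPLE_LOG = """\
2021-06-17T01:00:00Z udp 192.0.2.10 example.cc. DNSKEY NOERROR 4 1
2021-06-17T01:00:01Z tcp 192.0.2.10 example.cc. DNSKEY NOERROR 4 0
2021-06-17T01:00:02Z tcp 192.0.2.10 a1.example.cc. A NXDOMAIN 0 0
2021-06-17T01:00:03Z tcp 198.51.100.7 a2.example.cc. A NXDOMAIN 0 0
2021-06-17T01:00:04Z udp 198.51.100.7 a3.example.cc. A NXDOMAIN 0 1
2021-06-17T01:00:05Z tcp 198.51.100.7 a3.example.cc. A NXDOMAIN 0 0
2021-06-17T01:00:06Z tcp 198.51.100.7 example.cc. MX NOERROR 0 0
2021-06-17T01:00:07Z tcp 192.0.2.10 example.cc. DNSKEY NOERROR 4 0
"""

def outcome(rcode, ancount):
    """Classify a reply as extant, NODATA or NXDOMAIN."""
    if rcode == "NXDOMAIN":
        return "NXDOMAIN"
    if rcode == "NOERROR":
        return "extant" if ancount > 0 else "NODATA"
    return rcode  # SERVFAIL, REFUSED, ... reported as-is

def summarize(log_text):
    """Summarize the TCP queries in a log; None if there are none."""
    truncated = set()  # (client, qname, qtype) already sent a TC=1 UDP reply
    tcp = []           # (time, key, outcome, followed-a-truncated-UDP-reply)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, proto, client, qname, qtype, rcode, ancount, tc = line.split()
        key = (client, qname.lower(), qtype)
        if proto == "udp" and tc == "1":
            truncated.add(key)
        elif proto == "tcp":
            tcp.append((ts, key, outcome(rcode, int(ancount)), key in truncated))
    if not tcp:
        return None
    names = Counter(k[1] for _, k, _, _ in tcp)
    return {
        "start": min(t[0] for t in tcp), "end": max(t[0] for t in tcp),
        "rtypes": Counter(k[2] for _, k, _, _ in tcp),
        "distinct_qnames": len(names),
        "repeated_qnames": sum(1 for n in names.values() if n > 1),
        "outcomes": Counter(o for _, _, o, _ in tcp),
        "clients": Counter(k[0] for _, k, _, _ in tcp),
        "tcp_after_truncated_udp": sum(1 for *_, seen in tcp if seen),
        "tcp_total": len(tcp),
    }
```

A low tcp_after_truncated_udp relative to tcp_total would mean the resolvers opened TCP without a preceding truncated UDP reply for the same question in the log.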


