[dns-operations] DNS measurement traffic etiquette
Andreas Ott
andreas at naund.org
Thu Dec 22 02:27:29 UTC 2022
About two months ago we retired a network lab at my work by disconnecting
it from the internet, and at the time I (naively) removed from the lab
domain name all forward DNS records pointing to assets that no
longer exist. When it was still live we had forward DNS and reverse PTR
records, and in most cases these matched; further, you were most likely to
get back consistent answers on forward lookup of the reverse answer. About
a week after the closure I also had the reverse DNS records removed from
the ISP servers that were authoritative for the in-addr.arpa zones. All
caching timeouts would have long occurred by now if an entity honored
what had been in the SOA records. If I query any old records today, they do
return NXDOMAIN for me.
I did move the authoritative DNS servers to a much smaller setup thinking
with the retirement of the assets there would be less traffic asking for
them. However I am still seeing significant traffic querying forward
records of PTR answers that got deleted a long time ago. It appears that
this is "measurement" traffic that ignores getting "no" aka. NXDOMAIN as an
answer, and keeps insisting to send the same queries over and over. I
identified one "DNS labs" entity by name as one of the sources of these
queries and will attempt to contact them. Most of the other now useless
queries come from anonymous cloud compute based sources, like AWS nodes,
which have generic reverse DNS entries and don't allow identifying
the responsible party. To me it looks like the case of something being
removed from the internet for good is not accounted for when constructing
the measurement operations, if you get NXDOMAIN you interpret it as it must
be some kind of brokenness and should be back soon, so you keep asking
thousands more times until you get an answer?
What are my best options to find out who is behind all this traffic when it
comes from anonymous sources?
For how long should I expect this query traffic to continue?
Or is there a way to politely signal to the queriers, by any DNS parameter,
that the record is now gone for good and they can stop asking, and not that
something is broken that will be fixed soon?
Thanks, andreas
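As an added example (not code from the original post, nor from BIND or any other DNS software): a Python script that takes BIND9-style "queries" category log lines, constructed here, and, given the zone's negative-caching TTL (per RFC 2308, the smaller of the SOA record's TTL and its MINIMUM field), reports which clients keep re-asking retired names sooner than a resolver that honours negative caching could. It also rolls the clients up by /24, so a spread of anonymous cloud addresses shows up as one block rather than many unrelated hosts. The retired-name list, the TTL value, and all names and addresses are assumptions chosen for the example.

```python
"""Spot clients that keep re-querying retired names despite NXDOMAIN.

Added example, not code from the original post or from any DNS software.
It parses constructed BIND9-style "queries" log lines, counts queries for
an assumed set of retired names per client, flags repeats that arrive
sooner than the zone's negative-caching TTL (RFC 2308: the smaller of the
SOA record's TTL and its MINIMUM field) would allow, and rolls the
clients up by /24 so a cluster of anonymous cloud addresses is visible as
one block.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; addresses and names are documentation ranges.
SAMPLE_LOG = """\
22-Dec-2022 02:10:01.120 queries: info: client @0x7f1 198.51.100.7#51234 (host1.lab.example.net): query: host1.lab.example.net IN A -E(0)K (203.0.113.1)
22-Dec-2022 02:10:31.440 queries: info: client @0x7f1 198.51.100.7#51235 (host1.lab.example.net): query: host1.lab.example.net IN A -E(0)K (203.0.113.1)
22-Dec-2022 02:11:02.003 queries: info: client @0x7f1 198.51.100.7#51236 (host1.lab.example.net): query: host1.lab.example.net IN A -E(0)K (203.0.113.1)
22-Dec-2022 02:10:05.900 queries: info: client @0x7f2 192.0.2.44#40001 (host2.lab.example.net): query: host2.lab.example.net IN AAAA -E(0)K (203.0.113.1)
22-Dec-2022 03:15:05.900 queries: info: client @0x7f2 192.0.2.44#40002 (host2.lab.example.net): query: host2.lab.example.net IN AAAA -E(0)K (203.0.113.1)
22-Dec-2022 02:12:00.000 queries: info: client @0x7f3 192.0.2.9#53001 (www.example.net): query: www.example.net IN A -E(0)K (203.0.113.1)
"""

RETIRED_NAMES = {"host1.lab.example.net", "host2.lab.example.net"}  # assumed
NEGATIVE_TTL = 3600  # assumed: min(SOA TTL, SOA MINIMUM) of the zone, in seconds

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log category or a line we do not understand
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        name = m.group("name").rstrip(".").lower()
        yield ts, ipaddress.ip_address(m.group("ip")), name, m.group("qtype")


def find_repeat_queriers(text, retired, negative_ttl):
    """Per-client stats for queries of retired names.

    Returns {client_ip: {"total": n, "uncached_repeats": m, "names": set}}.
    "uncached_repeats" counts queries for a (name, qtype) that the same
    client already asked less than negative_ttl seconds earlier; a resolver
    honouring RFC 2308 negative caching would not have sent those at all.
    """
    last_seen = {}
    stats = defaultdict(lambda: {"total": 0, "uncached_repeats": 0, "names": set()})
    for ts, ip, name, qtype in sorted(parse_query_log(text), key=lambda r: r[0]):
        if name not in retired:
            continue
        entry = stats[str(ip)]
        entry["total"] += 1
        entry["names"].add(name)
        key = (ip, name, qtype)
        prev = last_seen.get(key)
        if prev is not None and (ts - prev).total_seconds() < negative_ttl:
            entry["uncached_repeats"] += 1
        last_seen[key] = ts
    return dict(stats)


def group_by_prefix(stats, prefix_len=24):
    """Roll per-client totals up to /prefix_len networks (IPv4 only here)."""
    totals = defaultdict(int)
    for ip, entry in stats.items():
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        totals[str(net)] += entry["total"]
    return dict(totals)


if __name__ == "__main__":
    stats = find_repeat_queriers(SAMPLE_LOG, RETIRED_NAMES, NEGATIVE_TTL)
    for ip, entry in sorted(stats.items(), key=lambda kv: -kv[1]["uncached_repeats"]):
        print(f"{ip:>16}  total={entry['total']}  "
              f"repeats_within_negative_ttl={entry['uncached_repeats']}  "
              f"names={sorted(entry['names'])}")
    print("by /24:", group_by_prefix(stats))
```

On the constructed input, 198.51.100.7 asks for the same name three times within about a minute, so two of its queries are counted as repeats inside the negative TTL; 192.0.2.44 waits over an hour between its two queries, which is consistent with a resolver that cached the NXDOMAIN and re-asked after expiry. The distinction matters when deciding whom to contact: the first pattern is a client that is not caching negative answers at all, the second is ordinary resolver behaviour. For real logs, point the script at the query log file and replace the assumed retired-name set and TTL with the zone's own values.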