[dns-operations] Resolvers seeing repeated bursts of identical queries

sthaug at nethelp.no
Mon Jan 9 08:50:12 UTC 2023


We are receiving a significant amount of query bursts on our resolvers
with the following characteristics:

- A client IP doing a burst of queries for the same name repeatedly,
very quickly.
- The query is typically an A query.
- A burst often has 50 - 100 queries for the same name within a few
milliseconds.
- All the queries within one burst have the same DNS query ID (but
different IP id and source port number).
- The same client IP producing such bursts of identical queries also
sends regular queries (one query per name, DNS query IDs vary).

Example of (part of) query burst - in this case the client sends
bursts of 84 queries within less than 1 ms:

09:24:56.593259 IP 194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593283 IP 194.19.79.131.38426 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593307 IP 194.19.79.131.56931 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593346 IP 194.19.79.131.42976 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593350 IP 194.19.79.131.11638 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593366 IP 194.19.79.131.22476 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
...
09:24:56.594364 IP 194.19.79.131.41548 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)

followed by another burst of 84 queries in around 1.1 ms:

09:24:56.594416 IP 194.19.79.131.38426 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594475 IP 194.19.79.131.42976 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594501 IP 194.19.79.131.58089 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594560 IP 194.19.79.131.14419 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594561 IP 194.19.79.131.56931 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594562 IP 194.19.79.131.18576 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
...
09:24:56.595596 IP 194.19.79.131.41232 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)

I *suspect* the bursts and the regular queries are actually produced
by different clients on the inside of a firewall with NAT - but note I
don't *know* this is the case.

Does anybody know of software / applications that would produce such
query bursts? Note that I don't believe the query bursts are caused by
L2 loops or similar, because

- These problems have lasted for weeks
- And they occur for several different (unrelated) customers

Steinar Haug, AS2116
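A detector for the pattern described in this post, as an added example that is not from the post or the list: it parses tcpdump lines of the shape quoted above and flags groups of queries from one client with the same name, type and DNS query ID that arrive over several source ports within a short window, which separates these bursts from ordinary retransmits out of a single socket. The sample lines are constructed (documentation address ranges) and the thresholds are assumptions, defaulting to the 50-query bursts described here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# One tcpdump line of the shape quoted above: time, client IP.port, resolver IP.53, DNS ID ("+" = RD), type, name.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"\d+\.\d+\.\d+\.\d+\.\d+: (?P<qid>\d+)\+? (?P<qtype>\w+)\? (?P<qname>\S+) \(\d+\)$")

def parse_line(line):
    """Return the fields the detector needs, or None for a line of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"), "src": m["src"],
            "sport": int(m["sport"]), "qid": int(m["qid"]),
            "qtype": m["qtype"], "qname": m["qname"]}

def find_bursts(lines, min_queries=50, window_ms=5.0):
    """Group queries by (client, name, type, DNS ID); report groups of at least min_queries
    inside window_ms that used more than one source port (single-socket retransmits are excluded)."""
    groups = defaultdict(list)
    for q in filter(None, map(parse_line, lines)):
        groups[(q["src"], q["qname"], q["qtype"], q["qid"])].append(q)
    bursts = []
    for (src, qname, qtype, qid), qs in groups.items():
        times = sorted(q["ts"] for q in qs)
        span = times[-1] - times[0]
        ports = {q["sport"] for q in qs}
        if len(qs) >= min_queries and span <= timedelta(milliseconds=window_ms) and len(ports) > 1:
            bursts.append({"client": src, "qname": qname, "qtype": qtype, "qid": qid,
                           "count": len(qs), "ports": len(ports),
                           "span_ms": round(span.total_seconds() * 1000, 3)})
    return bursts

# Constructed sample, modelled on the post's capture (documentation-range addresses, assumed values).
SAMPLE = [
    # burst: same client, name and DNS ID, four source ports, well under 1 ms
    "09:24:56.593259 IP 192.0.2.10.58089 > 198.51.100.53.53: 24781+ A? www.example.com. (33)",
    "09:24:56.593283 IP 192.0.2.10.38426 > 198.51.100.53.53: 24781+ A? www.example.com. (33)",
    "09:24:56.593307 IP 192.0.2.10.56931 > 198.51.100.53.53: 24781+ A? www.example.com. (33)",
    "09:24:56.593346 IP 192.0.2.10.42976 > 198.51.100.53.53: 24781+ A? www.example.com. (33)",
    # regular query from the same client: its own DNS ID, one query for the name
    "09:24:56.600001 IP 192.0.2.10.41548 > 198.51.100.53.53: 31002+ A? mail.example.com. (34)",
    # retransmits from one socket: same DNS ID but also the same port, so not a burst
    "09:24:57.100000 IP 192.0.2.11.50000 > 198.51.100.53.53: 4242+ A? www.example.net. (33)",
    "09:24:57.100100 IP 192.0.2.11.50000 > 198.51.100.53.53: 4242+ A? www.example.net. (33)",
    "09:24:57.100200 IP 192.0.2.11.50000 > 198.51.100.53.53: 4242+ A? www.example.net. (33)",
    "09:24:57.100300 IP 192.0.2.11.50000 > 198.51.100.53.53: 4242+ A? www.example.net. (33)",
]
```

Run it over a real capture with `find_bursts(open("queries.txt"), min_queries=50)`; the `tcpdump -n` output format is what the regex expects, so use the `-n` flag to keep addresses numeric.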
