[dns-operations] Resolvers seeing repeated bursts of identical queries
Roy Arends
roy at dnss.ec
Mon Jan 9 13:55:29 UTC 2023
I’ve often seen this behaviour.
One confirmed explanation was (but there may be more/other) that this is the result of a stateful firewall. While the rules are pushed, traffic through it is buffereduntil the last rule is pushed, after which the buffer is flushed to world, resulting in a barrage of queries from the resolver behind the firewall. It depends on the resolver what happens with the ID. Some will re-issue the query after no response, some re-issue with new ID.
I never got confirmation of the firewall make. This was about 8 years ago.
Roy
> On 9 Jan 2023, at 08:50, sthaug at nethelp.no wrote:
>
> We are receiving a significant amount of query bursts on our resolvers
> with the following characteristics:
>
> - A client IP doing a burst of queries for the same name repeatedly,
> very quickly.
> - The query is typically an A query.
> - A burst often has 50 - 100 queries for the same name within a few
> milliseconds.
> - All the queries within one burst have the same DNS query ID (but
> different IP id and source port number).
> - The same client IP producing such bursts of identical queries also
> sends regular queries (one query per name, DNS query IDs vary).
>
> Example of (part of) query burst - in this case the client sends
> bursts of 84 queries within less than 1 ms:
>
> 09:24:56.593259 IP 194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593283 IP 194.19.79.131.38426 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593307 IP 194.19.79.131.56931 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593346 IP 194.19.79.131.42976 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593350 IP 194.19.79.131.11638 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593366 IP 194.19.79.131.22476 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> ...
> 09:24:56.594364 IP 194.19.79.131.41548 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
>
> followed by another burst of 84 queries in around 1.1 ms:
>
> 09:24:56.594416 IP 194.19.79.131.38426 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594475 IP 194.19.79.131.42976 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594501 IP 194.19.79.131.58089 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594560 IP 194.19.79.131.14419 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594561 IP 194.19.79.131.56931 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594562 IP 194.19.79.131.18576 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> ...
> 09:24:56.595596 IP 194.19.79.131.41232 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
>
> I *suspect* the bursts and the regular queries are actually produced
> by different clients on the inside of a firewall with NAT - but note I
> don't *know* this is the case.
>
> Does anybody know of software / applications that would produce such
> query bursts? Note that I don't believe the query bursts are caused by
> L2 loops or similar, because
>
> - These problems have lasted for weeks
> - And they occur for several different (unrelated) customers
>
> Steinar Haug, AS2116
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
More information about the dns-operations
mailing list