[dns-operations] Resolvers seeing repeated bursts of identical queries

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jan 9 15:22:56 UTC 2023


On Mon, Jan 09, 2023 at 01:55:29PM +0000, Roy Arends wrote:

> I’ve often seen this behaviour.
> 
> One confirmed explanation was (but there may be more/other) that this
> is the result of a stateful firewall. While the rules are pushed,
> traffic through it is buffereduntil the last rule is pushed, after
> which the buffer is flushed to world, resulting in a barrage of
> queries from the resolver behind the firewall. It depends on the
> resolver what happens with the ID. Some will re-issue the query after
> no response, some re-issue with new ID. 

The repetition of the same DNS query ID and exclusively the same qname
somewhat argues against the firewall theory, because ~100 instances of
just retransmissions of the same query from a resolver seems unlikely,
especially within the time it takes a firewall to reload its ruleset.

Wild speculation: If not some sort of DoS attack, perhaps a stub
resolver or application bug or configuration issue?  For example, some
APIs have timeouts in μs rather than seconds, maybe some code is setting
exceedingly short lookup timeouts?  Still the retry *count* is rather
high.

> > - A burst often has 50 - 100 queries for the same name within a few
> > milliseconds.
> > - All the queries within one burst have the same DNS query ID (but
> > different IP id and source port number).
> > - The same client IP producing such bursts of identical queries also
> > sends regular queries (one query per name, DNS query IDs vary).

Multiple systems behind a shared NAT, just one of them is the problem
system?

-- 
    Viktor.
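The burst pattern the thread describes (same client, same qname, same DNS query ID, different source ports, dozens of copies inside a few milliseconds, from a client that otherwise sends ordinary one-query-per-name traffic) is easy to pull out of a resolver query log once it is stated precisely. The following is an added example written for this thread, not code from any of the posters; the log line format, the 10 ms window, the threshold of 20 copies and the sample log contents are all constructed for the example, so the regex needs adapting to whatever your resolver actually writes.

```python
"""Find bursts of identical DNS queries (same client, qname and query ID)
in a resolver query log, and profile each client so a burst can be compared
with that client's normal traffic. Example code added for this thread; the
log format and thresholds are assumptions, not any resolver's real format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line shape: "<iso-timestamp> client=<ip> sport=<port> id=<hex> qname=<name> qtype=<type>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) sport=(?P<sport>\d+) "
    r"id=(?P<qid>0x[0-9a-fA-F]+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["qid"] = int(rec["qid"], 16)
    rec["sport"] = int(rec["sport"])
    return rec


def find_bursts(lines, window_ms=10, min_count=20):
    """Return the largest burst per (client, qname, qid) key: at least
    min_count queries falling inside a sliding window of window_ms."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["qname"], rec["qid"])].append(rec)
    window = timedelta(milliseconds=window_ms)
    bursts = []
    for (client, qname, qid), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most window_ms
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= min_count and (best is None or count > best[1]):
                best = (start, count, end)
        if best:
            s, count, e = best
            chunk = recs[s:e + 1]
            bursts.append({
                "client": client, "qname": qname, "qid": qid, "count": count,
                "span_ms": (chunk[-1]["ts"] - chunk[0]["ts"]).total_seconds() * 1000,
                "distinct_sports": len({r["sport"] for r in chunk}),
            })
    return bursts


def client_summary(lines):
    """Per client: total queries and number of distinct query IDs, so a burst
    can be checked against the client's otherwise normal behaviour."""
    totals, ids = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[rec["client"]] += 1
            ids[rec["client"]].add(rec["qid"])
    return {c: {"queries": totals[c], "distinct_ids": len(ids[c])} for c in totals}


BASE = datetime(2023, 1, 9, 14, 0, 0)


def constructed_log():
    """Constructed sample log: normal lookups from one client, then a burst of
    60 identical queries from it (same ID, different ports, ~3 ms), then a
    second client doing an ordinary lookup."""
    lines = []
    for i, (name, qid) in enumerate([("mail.example.org.", 0x1111),
                                     ("example.com.", 0x2222),
                                     ("ntp.example.org.", 0x3333)]):
        ts = BASE + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} client=198.51.100.7 sport={40000 + i} "
                     f"id={qid:#06x} qname={name} qtype=A")
    for i in range(60):
        ts = BASE + timedelta(seconds=2, microseconds=50 * i)
        lines.append(f"{ts.isoformat()} client=198.51.100.7 sport={50000 + i} "
                     f"id=0x3f21 qname=www.example.net. qtype=A")
    ts = BASE + timedelta(seconds=3)
    lines.append(f"{ts.isoformat()} client=192.0.2.10 sport=33000 "
                 f"id=0x0a0b qname=example.com. qtype=AAAA")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    for b in find_bursts(log):
        print(b)
    print(client_summary(log))
```

Keying the burst on (client, qname, query ID) rather than on qname alone is what separates this pattern from the retransmission case Roy describes: a resolver that re-issues after a timeout with a fresh ID never collapses into one key, and the `distinct_sports` count shows whether the copies come from one socket or many. Run the same grouping over real logs and compare the client's `distinct_ids` with its burst keys before assuming a DoS rather than a stub or application bug.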
