[dns-operations] Resolvers seeing repeated bursts of identical queries

Roy Arends roy at dnss.ec
Mon Jan 9 18:48:03 UTC 2023



> On 9 Jan 2023, at 15:22, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Mon, Jan 09, 2023 at 01:55:29PM +0000, Roy Arends wrote:
> 
>> I’ve often seen this behaviour.
>> 
>> One confirmed explanation was (but there may be more/other) that this
>> is the result of a stateful firewall. While the rules are pushed,
>> traffic through it is buffereduntil the last rule is pushed, after
>> which the buffer is flushed to world, resulting in a barrage of
>> queries from the resolver behind the firewall. It depends on the
>> resolver what happens with the ID. Some will re-issue the query after
>> no response, some re-issue with new ID. 
> 
> The repetition of the same DNS query ID and exclusively the same qname
> somewhat argues against the firewall theory, because ~100 instances of
> just retransmissions of the same query from a resolver seems unlikely,
> especially within the time it takes a firewall to reload its ruleset.

This was a confirmed case (the bulk same q-id q-name q-type src-addr thing stood out). Repeatable. It may not be the only explanation, though, but it is not theory.

It took a few seconds for the specific firewall to reload rules (Checkpoint was the fw in question iirc).

The resolver box would receive a dst host/net unreachable from the FW box, which was about 5 ms away, which resulted in the resolver box re-sending the exact same query, and this looped a bit. The FW would buffer the request and upon the “allow 53 UDP” rule loading, a burst of buffered queries were sent (partly towards our DNS servers).

I have no access to the specific details, as I’ve left Nominet. However, colleagues posted a few similar stories about spammy DNS related behaviour at the time.

ymmv

Roy
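An added triage example, not part of this thread or of any poster's code: the pattern Roy describes (bulk repeats of the same query ID, qname, qtype and source address) is easy to pick out of an authoritative server's query log once queries are grouped by source and name and clustered in time. The script below does that over a constructed log format (`<unix-ts> <src-ip> id=<qid> <qname> <qtype>`, an assumption made here for the sake of a self-contained run) and labels each burst as "same-id" (a resolver re-sending the identical query, as in the firewall case) or "new-id" (a resolver that re-issues with a fresh ID). The thresholds and the sample log lines are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Query:
    ts: float
    src: str
    qid: int
    qname: str
    qtype: str


def parse_line(line: str) -> Query:
    """Parse one constructed log line: '<ts> <src> id=<qid> <qname> <qtype>'."""
    ts, src, qid, qname, qtype = line.split()
    return Query(float(ts), src, int(qid.split("=", 1)[1]), qname.lower(), qtype.upper())


def _time_clusters(queries: list[Query], max_gap: float) -> Iterable[list[Query]]:
    """Group time-sorted queries into runs where consecutive gaps are <= max_gap."""
    cluster = [queries[0]]
    for prev, cur in zip(queries, queries[1:]):
        if cur.ts - prev.ts <= max_gap:
            cluster.append(cur)
        else:
            yield cluster
            cluster = [cur]
    yield cluster


def find_bursts(lines: Iterable[str], max_gap: float = 1.0, min_count: int = 10) -> list[dict]:
    """Return bursts of the same (src, qname, qtype) tuple, tagged by query-ID behaviour.

    A burst is a run of at least min_count queries from one source for one
    name/type where no two consecutive queries are more than max_gap seconds
    apart. 'same-id' means every query in the run carried the same DNS ID
    (plain retransmission); 'new-id' means the resolver changed the ID.
    """
    groups: dict[tuple, list[Query]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        q = parse_line(line)
        groups[(q.src, q.qname, q.qtype)].append(q)

    bursts = []
    for (src, qname, qtype), qs in groups.items():
        qs.sort(key=lambda q: q.ts)
        for cluster in _time_clusters(qs, max_gap):
            if len(cluster) < min_count:
                continue
            ids = {q.qid for q in cluster}
            bursts.append({
                "src": src,
                "qname": qname,
                "qtype": qtype,
                "count": len(cluster),
                "distinct_ids": len(ids),
                "pattern": "same-id" if len(ids) == 1 else "new-id",
                "span_s": round(cluster[-1].ts - cluster[0].ts, 3),
            })
    return sorted(bursts, key=lambda b: (b["src"], b["qname"], b["qtype"]))


# Constructed sample log (not real traffic): one same-ID burst, one new-ID burst,
# and a small group of normal-looking repeats that stays under the threshold.
SAMPLE_LOG = (
    [f"{1673282400 + i * 0.01:.3f} 192.0.2.10 id=4660 example.net. A" for i in range(12)]
    + [f"{1673282400 + i * 0.02:.3f} 198.51.100.7 id={7000 + i} example.com. MX" for i in range(11)]
    + [f"{1673282405 + i:.3f} 192.0.2.20 id={100 + i} example.org. A" for i in range(3)]
)


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(f"{b['src']:>14} {b['qname']:<14} {b['qtype']:<4} "
              f"n={b['count']:<3} ids={b['distinct_ids']:<3} {b['pattern']} over {b['span_s']}s")
```

On real logs the useful follow-up is to compare the "same-id" bursts against the source's normal query rate and retry interval: a run of identical IDs packed into well under the resolver's usual retransmit timeout is the signature of something upstream (a firewall, a queue) releasing held packets at once, whereas evenly spaced "new-id" repeats look like ordinary resolver retries against a server that is not answering.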
