Date: Mon, 16 Jan 2006 22:24:27 -0500
From: "Matt Emmerton" <matt@gsicomp.on.ca>
To: "Steve Suhre" <cheesiest@nano.net>, <freebsd-hackers@freebsd.org>
Subject: Re: Named requests filling up T1
Message-ID: <015901c61b15$898648a0$1200a8c0@gsicomp.on.ca>
References: <43CC59E7.6080505@nano.net>

> Ugh...it's always something....
>
> The T1 here is getting blasted by named requests, any suggestions would
> be appreciated... I turned on debugging and got the following, lots of
> them...so many that we're getting 30-50% packet loss across the T1:
>
> 16-Jan-2006 18:01:35.795 client @0x87d4800: udprecv
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: UDP request
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: using view '_default'
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: request is not signed
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: recursion available
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query (cache)
> 'v.tn.co.za/ANY/IN' approved
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: send
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: sendto
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: senddone
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: next
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: endrequest
>
> Any suggestion on what it might be and how I might stop it?

Looks like someone is spamming your DNS server with queries.

Two questions:
1) Is v.tn.co.za a domain that you are authoritative for?
2) Are you an ISP and/or is client 64.18.133.103 authorized to use your DNS server?

If the answer to 1) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet.
If the answer to 2) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet.

Source IP filtering is likely your best option, although it doesn't help with your T1 saturation, although it would give whoever is blasting these queries a clue.

--
Matt Emmerton
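
Added example, not part of the original message: a Python sketch that applies the two questions from the reply to named debug output, counting approved queries whose name is outside the zones served and whose client is outside the permitted networks. The zone `example.net`, the network `192.0.2.0/24`, and the function names are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed values for illustration: zones served here, and client networks
# permitted to use this server for recursion.
AUTHORITATIVE_ZONES = {"example.net"}
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# The "query (cache) 'name/TYPE/CLASS' approved" debug line from the thread,
# matched after the wrapped line has been rejoined.
QUERY_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' approved"
)

def in_our_zones(name):
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def is_allowed_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def unexpected_queries(lines):
    """Count approved queries where neither the name nor the client is ours."""
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and not in_our_zones(m["name"]) and not is_allowed_client(m["ip"]):
            hits[(m["ip"], m["name"], m["qtype"])] += 1
    return hits

# The first two entries come from the log quoted in the thread (the wrapped
# query line rejoined); the rest are constructed.
SAMPLE_LOG = [
    "16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query (cache) 'v.tn.co.za/ANY/IN' approved",
    "16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: UDP request",
    "16-Jan-2006 18:01:35.901 client 64.18.133.103#5550: query (cache) 'v.tn.co.za/ANY/IN' approved",
    "16-Jan-2006 18:01:36.010 client 192.0.2.10#1044: query (cache) 'www.freebsd.org/A/IN' approved",
    "16-Jan-2006 18:01:36.120 client 198.51.100.7#3312: query (cache) 'www.example.net/A/IN' approved",
]

if __name__ == "__main__":
    for (ip, name, qtype), n in unexpected_queries(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {ip:15s}  {name}/{qtype}")
```

The per-client counts give the source addresses to consider for the filtering suggested in the reply.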