From: "Matt Emmerton"
To: "Steve Suhre"
Date: Mon, 16 Jan 2006 22:24:27 -0500
Subject: Re: Named requests filling up T1
Message-ID: <015901c61b15$898648a0$1200a8c0@gsicomp.on.ca>
References: <43CC59E7.6080505@nano.net>
List-Id: Technical Discussions relating to FreeBSD

> Ugh...it's always something....
>
> The T1 here is getting blasted by named requests, any suggestions would
> be appreciated... I turned on debugging and got the following, lots of
> them...so many that we're getting 30-50% packet loss across the T1:
>
> 16-Jan-2006 18:01:35.795 client @0x87d4800: udprecv
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: UDP request
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: using view '_default'
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: request is not signed
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: recursion available
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query (cache) 'v.tn.co.za/ANY/IN' approved
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: send
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: sendto
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: senddone
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: next
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: endrequest
>
> Any suggestion on what it might be and how I might stop it?

Looks like someone is spamming your DNS server with queries.

Two questions:

1) Is v.tn.co.za a domain that you are authoritative for?
2) Are you an ISP and/or is client 64.18.133.103 authorized to use your DNS server?

If the answer to 1) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet.
If the answer to 2) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet.

Source IP filtering is likely your best option, although it doesn't help with your T1 saturation, although it would give whoever is blasting these queries a clue.

--
Matt Emmerton
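
Added example, not part of the original message: the two questions from the reply applied as a triage script over named debug log lines in the "query (cache) '...' approved" format quoted in the thread. The zone list, the authorized client network and all sample lines except the first are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches the "query (cache) 'name/TYPE/CLASS' approved" debug line quoted in the thread.
QUERY_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/[^/']+' approved"
)

# Assumptions for illustration: replace with your own zones and client networks.
AUTHORITATIVE_ZONES = {"example.org"}
AUTHORIZED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def in_our_zones(name):
    """Question 1: is the queried name inside a zone we are authoritative for?"""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def is_authorized(ip):
    """Question 2: is the client allowed to use this server as a resolver?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_NETS)


def triage(lines):
    """Count queries that fail both questions, keyed by (client, name, qtype)."""
    unwanted = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and not in_our_zones(m["name"]) and not is_authorized(m["ip"]):
            unwanted[(m["ip"], m["name"], m["qtype"])] += 1
    return unwanted


# Constructed sample: the first line repeats the quoted log, the rest are made up.
SAMPLE = [
    "16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query (cache) 'v.tn.co.za/ANY/IN' approved",
    "16-Jan-2006 18:01:35.901 client 64.18.133.103#5551: query (cache) 'v.tn.co.za/ANY/IN' approved",
    "16-Jan-2006 18:01:36.010 client 192.0.2.15#1034: query (cache) 'www.freebsd.org/A/IN' approved",
    "16-Jan-2006 18:01:36.120 client 198.51.100.7#4000: query (cache) 'www.example.org/A/IN' approved",
    "16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: UDP request",
]

if __name__ == "__main__":
    for (ip, name, qtype), n in triage(SAMPLE).most_common():
        print(f"{n:6d}  {ip}  {name}/{qtype}")
```

The (client, name) pairs it reports are the candidates for the source IP filtering suggested in the reply.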