[45211] in North American Network Operators' Group
RE: DNS DOS increasing?
daemon@ATHENA.MIT.EDU (James Smith)
Tue Jan 22 13:12:05 2002
Message-ID: <171DAAD54475984F8F41345A0945DF9C39ED5B@hqexchange.presidio.com>
From: James Smith <jsmith@PRESIDIO.com>
To: nanog@merit.edu
Date: Tue, 22 Jan 2002 13:11:23 -0500
-----Original Message-----
From: E.B. Dreger [mailto:eddy+public+spam@noc.everquick.net]
Sent: Tuesday, January 22, 2002 12:51 AM
To: just me
Cc: Miquel van Smoorenburg; nanog@merit.edu
Subject: Re: DNS DOS increasing?
That's not the problem. It's ill-behaved clients that ignore TTL
and query every 10s no matter what. See some of James Smith's
posts...
-----
Methinks I have been misunderstood or I have obfuscated my own point... The
DNS server is set to give a 10 second TTL to the DNS client. The entry ages
out in 10 seconds, so the client (following expected practice) ages the
entry out. 15 seconds later, when they click on the next button on the web
page (for example), they have to go get the IP again. This is the DOS (DDOS?)
like behavior.
Sure the DNS client is hammering the DNS server, but the server is telling
it to by giving out an absurdly short TTL... The server is ASKING FOR IT by
setting its TTL to 10 seconds. The client can't help it; it is just doing
what it has been told.
Why It Does It This Way
The mechanism this DNS server uses for selecting which IP to respond with is
a ping to check upstream connectivity. This box pings constantly, looking
for a failure. When link failure is detected, the box starts feeding DNS
queries with responses from the other link's subnet. The short TTL ensures
that DNS clients age out the info fast enough to make a near seamless
failover to the other link.
Since the box is authoritative for the zone, and has interfaces in more than
one subnet or provider, the failure of one link means that the normal DNS
mechanism of going to the next responsive DNS server points users to the
remaining good link, and the box obliges by serving out responses that point
the client back down the good link.
James H. Smith II NNCDS NNCSE
Systems Engineer
The Presidio Corporation
I speak for myself, and that gets me into enough trouble.
(back to lurk mode...)
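The trade-off James describes (a tiny TTL buys fast link failover at the cost of every client re-querying the authoritative server on almost every page click) can be made concrete with a small model. The following Python is an added example written for this archive page; it is not code from the original post or from the appliance being discussed. The two links, their documentation-range addresses (192.0.2.10 and 198.51.100.10), the ping-driven health flag and the "one click every 15 seconds" client schedule are all constructed assumptions. It models a TTL-honouring stub resolver in front of an authoritative server that answers with the first healthy link, and reports both the query count the server absorbs and the address the client actually used at each click, so the DoS-like load and the failover latency can be compared for different TTLs.

```python
"""Model of TTL-driven query load versus link-failover speed.

Added example, not from the original NANOG post. Links, addresses and
the click schedule are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    address: str      # A record handed out while this link is healthy
    up: bool = True   # would be driven by the box's upstream ping in practice


def select_answer(links, ttl):
    """Authoritative side: answer with the first healthy link's address.

    If every link is down there is nothing better to hand out, so the
    primary address is returned anyway. The TTL is whatever the operator
    configured (10 s in the thread being discussed).
    """
    for link in links:
        if link.up:
            return link.address, ttl
    return links[0].address, ttl


class CachingStub:
    """Minimal well-behaved stub resolver: reuse a cached answer until its
    TTL has elapsed, then go back to the authoritative server."""

    def __init__(self, authoritative):
        self.auth = authoritative
        self.cache = None          # (address, absolute expiry time)
        self.queries_sent = 0      # load placed on the authoritative server

    def lookup(self, now):
        if self.cache and now < self.cache[1]:
            return self.cache[0]
        addr, ttl = self.auth()
        self.queries_sent += 1
        self.cache = (addr, now + ttl)
        return addr


def simulate(ttl, click_interval, duration, fail_at=None):
    """One client clicking every `click_interval` seconds for `duration`
    seconds. The primary link (ISP A) goes down at `fail_at` if given.

    Returns (queries sent to the authoritative server,
             list of the address used at each click).
    """
    # Constructed sample data: two upstreams, documentation IP ranges.
    links = [Link("isp-a", "192.0.2.10"), Link("isp-b", "198.51.100.10")]

    def authoritative():
        return select_answer(links, ttl)

    stub = CachingStub(authoritative)
    used = []
    for t in range(0, duration, click_interval):
        if fail_at is not None and t >= fail_at:
            links[0].up = False          # the box's pinger notices ISP A is gone
        used.append(stub.lookup(t))
    return stub.queries_sent, used


if __name__ == "__main__":
    # Load side: 5 minutes of clicks every 15 s, for three candidate TTLs.
    for ttl in (10, 60, 300):
        queries, _ = simulate(ttl, 15, 300)
        print(f"TTL {ttl:>3}s: {queries:>2} queries per client per 5 min")
    # Failover side: ISP A dies 30 s in; which address does the client use?
    for ttl in (10, 300):
        _, used = simulate(ttl, 15, 60, fail_at=30)
        print(f"TTL {ttl:>3}s: addresses used at each click -> {used}")
```

Running it shows the two sides of the argument in one place: with a 10 second TTL a client that clicks every 15 seconds sends one query per click (20 in five minutes) but moves to the surviving link at the first click after the failure, while with a 300 second TTL the same client sends one query in five minutes and keeps connecting to the dead link for the rest of that window. The mechanism in the post is sound; the cost is that the query rate scales with clicks rather than with cache lifetime, which across many clients is exactly what looks like a DoS from the authoritative server's point of view.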