[80729] in North American Network Operators' Group
DNS requests and Bandwidth
daemon@ATHENA.MIT.EDU (aljuhani)
Wed May 11 12:33:53 2005
From: "aljuhani" <info@riyadmail.com>
To: <nanog@nanog.org>
Date: Wed, 11 May 2005 19:30:35 +0300
Errors-To: owner-nanog@merit.edu
Hello List.
We have one domain setup on our server dns but there is no
website or email configured ..
Recently we've noticed some increase in server Bandwidth usage
and after using tcpdump, we were able to find the problem which
is a DNS server on the Internet sending many queries per second
to resolve MX, A records for that domain which is not existing of
course but it keeps asking.
One way was to block requests from that DNS IP but that was not
practical as many users on that DNS won't be able to communicate
with our server.
So what is the best way to prevent DNS queries consuming bandwidth?
tcpdump output extract:
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29)(DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
---
-aljuhani
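
Added example, not part of the original post: one way to turn a tcpdump capture like the extract above into per-source evidence, by grouping queries on (source IP, query type, name) and flagging any tuple repeated faster than a caching resolver would re-ask. The thresholds and the 192.0.2.10 line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Nine lines from the tcpdump extract in the post, plus one constructed line
# (192.0.2.10) standing in for an ordinary resolver that asks once.
SAMPLE = """\
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29)(DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
14:40:09.500000 192.0.2.10.40000 > ns.MyNameServer.net.domain: 1234+ A? MyDomain.com. (29) (DF)
"""

# time, src.port, ">", dst.domain:, query id (optional "+" = recursion desired), type?, name
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+)\.(\d+) > \S+\.domain: "
    r"(\d+)\+? (\w+)\? (\S+)")

def parse(line):
    """Return (seconds_since_midnight, src_ip, qtype, qname) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, _port, _qid, qtype, qname = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    return ts, src, qtype, qname.lower()

def repeat_askers(text, min_queries=5, min_qps=10.0):
    """Map (src, qtype, qname) -> (count, qps) for tuples above both thresholds."""
    seen = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            ts, src, qtype, qname = rec
            seen[(src, qtype, qname)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        n, span = len(stamps), max(stamps) - min(stamps)
        if n >= min_queries and span > 0 and (n - 1) / span >= min_qps:
            flagged[key] = (n, round((n - 1) / span, 1))
    return flagged

if __name__ == "__main__":
    for (src, qtype, qname), (n, qps) in repeat_askers(SAMPLE).items():
        print(f"{src} asked {qtype} {qname} {n} times, ~{qps} qps")
```

On the sample, only the A queries from 212.26.72.85 are flagged; the two MX queries fall under the count threshold and the constructed resolver asks once.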