DNS requests and Bandwidth

Hello List.

We have one domain set up on our DNS server, but there is no
website or email configured ...

Recently we've noticed some increase in server bandwidth usage
and, after using tcpdump, we were able to find the problem, which
is a DNS server on the Internet sending many queries per second
to resolve MX and A records for that domain, which of course does
not exist, but it keeps asking.

One way was to block requests from that DNS IP, but that was not
practical, as many users of that DNS server would not be able to
communicate with our server.

So what is the best way to prevent DNS queries from consuming bandwidth?

tcpdump output extract:

14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29) (DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
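
The tcpdump extract above is the kind of input a per-source query-rate report would be run over. The following is an added example, not code from the original thread: it parses lines in that tcpdump format, groups queries by source address, estimates the query rate and inbound bytes, and flags sources that keep asking for the same few names at a high rate. The sample lines are the nine from the post plus one constructed benign query from 192.0.2.10 (a TEST-NET-1 address chosen for illustration); the 42-byte per-packet overhead is an assumption for Ethernet/IPv4/UDP.

```python
"""Per-source DNS query-rate report from tcpdump text output (added example)."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's tcpdump format: the nine lines from the
# original extract plus one benign query from 192.0.2.10 (made up).
SAMPLE = """\
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29) (DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
14:40:12.001000 192.0.2.10.51234 > ns.MyNameServer.net.domain: 7+ A? www.MyDomain.com. (33) (DF)
"""

# Old-style tcpdump DNS query line:
#   <time> <src>.<sport> > <dst>.domain: <txid>[+] <qtype>? <qname> (<len>) ...
# The optional "+" after the transaction id means the RD bit was set.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+):\s+(?P<txid>\d+)\+?\s+(?P<qtype>[A-Z0-9]+)\?\s+"
    r"(?P<qname>\S+)\s+\((?P<len>\d+)\)"
)

# Assumed per-packet overhead: 14 (Ethernet) + 20 (IPv4) + 8 (UDP) bytes.
WIRE_OVERHEAD = 42


def parse(text):
    """Return one dict per query line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # tcpdump prints time of day only, so a capture spanning midnight
        # is not handled here.
        d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
        d["len"] = int(d["len"])
        d["qname"] = d["qname"].rstrip(".").lower()
        records.append(d)
    return records


def summarize(records):
    """Group by source IP: count, qtypes, distinct names, rate, bytes."""
    out = {}
    for r in records:
        s = out.setdefault(r["src"], {
            "count": 0, "qtypes": defaultdict(int), "qnames": set(),
            "first": r["ts"], "last": r["ts"], "payload_bytes": 0,
        })
        s["count"] += 1
        s["qtypes"][r["qtype"]] += 1
        s["qnames"].add(r["qname"])
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
        s["payload_bytes"] += r["len"]
    for s in out.values():
        window = (s["last"] - s["first"]).total_seconds()
        # A single query has no window; count it as one query per second.
        s["rate"] = s["count"] / window if window > 0 else float(s["count"])
        s["qtypes"] = dict(s["qtypes"])
        # Inbound bytes for the queries alone; the replies add at least as
        # much again, so this is a floor on the traffic, not the total.
        s["wire_bytes"] = s["payload_bytes"] + s["count"] * WIRE_OVERHEAD
    return out


def flag_repeaters(summary, min_count=20, min_rate=10.0, max_names=3):
    """Sources asking for at most max_names names, at least min_count times,
    faster than min_rate queries/second: the pattern in the post."""
    return sorted(
        src for src, s in summary.items()
        if s["count"] >= min_count and s["rate"] >= min_rate
        and len(s["qnames"]) <= max_names
    )


def report(text, **thresholds):
    """Print one line per flagged source and return the flagged addresses."""
    summary = summarize(parse(text))
    flagged = flag_repeaters(summary, **thresholds)
    for src in flagged:
        s = summary[src]
        print(f"{src}: {s['count']} queries, ~{s['rate']:.0f} q/s, "
              f"types {s['qtypes']}, names {sorted(s['qnames'])}, "
              f">= {s['wire_bytes']} bytes inbound")
    return flagged


if __name__ == "__main__":
    # Use the built-in sample when run interactively; otherwise read a
    # tcpdump text stream from stdin, e.g. tcpdump -n -l udp dst port 53 | ...
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    report(text, min_count=5)
```

On the nine sample lines the single source works out to roughly 290 queries per second for one name, which is the signature to look for: the individual packets are tiny (29 bytes of DNS payload each), so the rate, not the packet size, is what turns this into a bandwidth problem, and the reply to each query at least doubles what the estimate above counts.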

aljuhani wrote:

Hello List.

We have one domain set up on our DNS server, but there is no
website or email configured ...

Recently we've noticed some increase in server bandwidth usage
and, after using tcpdump, we were able to find the problem, which
is a DNS server on the Internet sending many queries per second
to resolve MX and A records for that domain, which of course does
not exist, but it keeps asking.

One way was to block requests from that DNS IP, but that was not
practical, as many users of that DNS server would not be able to
communicate with our server.

So what is the best way to prevent DNS queries from consuming bandwidth?

tcpdump output extract:

14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29) (DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)

As happy as I'd be to go and yell DoS!! (I love that word)... there are
other possibilities here.

As an example, it is more than possible someone is trying to send mail
to you, and that their server is broken so that it keeps retrying
forever in a DoS fashion (give me a buck for every time that happened to
me...).

Are you announcing this domain anywhere else?

The A records are a bit more difficult to explain (but it's certainly
possible), but I do ask you this: if it's just one server, did you try
contacting them? That's probably a lot easier than any other course of
action you can follow up with. It could be a simple matter of a
misconfiguration.

You could also be a secondary victim of someone else's attack, but if
it's just one server, try getting them on the horn, then their uplink,
and then just add them to your ACL. Sometimes there are no other options.

Does this bandwidth consumption bother you, though? Or is this just out
of curiosity?

  Gadi.

Recently we've noticed some increase in server bandwidth usage
and, after using tcpdump, we were able to find the problem, which
is a DNS server on the Internet sending many queries per second
to resolve MX and A records for that domain, which of course does
not exist, but it keeps asking.

One way was to block requests from that DNS IP, but that was not
practical, as many users of that DNS server would not be able to
communicate with our server.

So what is the best way to prevent DNS queries from consuming bandwidth?

Stop running a DNS server?

All joking aside, I've seen similar problems in cases where there's a
lame delegation (with certain clients asking over and over for the same
records).

If "mydomain.com" is a domain which is pointed to your nameserver from
the authoritative servers for that TLD, but which your nameserver is not
authoritative for, you may want to set up a dummy zone.

tcpdump output extract:

14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29) (DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)

If your domains aren't "mynameserver.net" or "mydomain.com", perhaps
you'd get a more helpful response by including the actual hostnames /
domains in question? You don't gain much by stripping this information,
and it's much easier for people to figure out what might be going on if
you include the actual domain(s). I'm assuming that if you're running a
publicly accessible nameserver which is serving names for these domains,
it's probably not sooper sekrit information.

Also, if you MUST use a bogus domain, at least use a bogus domain
reserved for that purpose (like example.com) or something ending in
".invalid".

w
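
The dummy zone w suggests, as an added BIND 9 configuration example that is not from the original thread. It assumes the delegated name is example.com and the nameserver is ns.example.net; both are placeholders. The reason it helps: a server that the TLD delegates to but that has no zone configured answers REFUSED (or SERVFAIL), and resolvers do not cache those, so a client that wants the name comes straight back. An authoritative zone with nothing in it but SOA and NS answers NOERROR with an empty answer section and the SOA in the authority section, which resolvers cache for the SOA's negative-caching TTL (RFC 2308), so the same client stops asking until that TTL runs out.

```zone
; named.conf stanza (placeholder names): declare the delegated name as a
; zone you serve, so answers carry the AA bit and can be cached.
;
;   zone "example.com" {
;       type master;
;       file "/etc/bind/db.example.com";
;   };
;
; /etc/bind/db.example.com: the minimal zone. With only SOA and NS
; present, every A or MX query gets an authoritative NODATA answer
; (NOERROR, empty ANSWER, SOA in AUTHORITY) that resolvers cache.
$TTL 86400
$ORIGIN example.com.
@   IN SOA ns.example.net. hostmaster.example.net. (
        2005010101  ; serial
        7200        ; refresh
        3600        ; retry
        1209600     ; expire
        86400 )     ; minimum: the negative-caching TTL (RFC 2308)
@   IN NS  ns.example.net.
```

Check the file with named-checkzone example.com /etc/bind/db.example.com before reloading, then query it with dig @ns.example.net MX example.com +norecurse: the reply should show the aa flag, status NOERROR, an empty ANSWER section and the SOA in AUTHORITY. Two caveats: resolvers cap the negative TTL they will honour (BIND's max-ncache-ttl defaults to three hours), and a broken sender that retries without consulting a cache will keep coming regardless. The dummy zone removes the lame-delegation retry loop; it does not fix the client.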

The one time this happened to a DNS server for which I was responsible, it
was a misconfigured Windows 2000 server with Active Directory installed.

"myNameServer.net" is a generic enough domain name that someone might have
used it as an example in a HOWTO document on setting up AD.

(just a thought, FWIW)

First, thanks all for the prompt responses to my message.

Second, the incident actually started in late 2003, and the magnitude of
DNS requests pushed our bandwidth usage up to 170 GB, which was
a huge increase when compared to our normal average bandwidth.

Why did it happen? There was a worm, which is still crawling around the
Internet, that sends huge numbers of emails to anyuser@mxserver.com; usually
user@mxserver.com, recipient@mxserver.com, and many others.

During 2004 the worm was still there, but then it died down, and
now it is up again ... so what I think is that those IPs attacking our
DNS server are actually PCs infected by that worm. It ends up as a
DoS-type attack, as thousands of PCs around the world request DNS records
from our nameservers.

Now I have changed the DNS server to a dynamic DNS provider, and I am pointing
the MX record to my home server sitting on a DSL connection, which is
not much of a nuisance bandwidth-wise, and I've started creating SMTP rules
that block every address except webmaster@mxserver.com and
info@mxserver.com.

If you want to see the magnitude of the attacks, you can search Google for
mxserver.com:

http://groups-beta.google.com/groups?q="mxserver.com"&hl=en&lr=&sa=N&tab=wg

Once again, thanks all for your help.

-aljuhani