Michael,

Do you have a packet sniff of the traffic? Possibly a sniff of at least 10,000 packets? Hmmm.. I have seen some increase at our corp DNS, but not that much... Drop me a note off-list with the sniff.. I would like to look at this..
Jim

> -----Original Message-----
> From: Support Team [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 26, 2003 4:01 PM
> To: [EMAIL PROTECTED]
> Subject: Odd DNS Traffic
>
>
> First I would like to note I am new to the list and group.
> It's nice to be here.
>
> Second, since Monday, March 24th at approx 1am we have been suffering
> from "odd" DNS traffic to our two primary DNS servers. The odd traffic
> has increased our bandwidth utilization by about 20 Mbps, which is
> obviously putting a hurting on our network and our DNS servers.
>
> I know this must also be affecting other networks, and if anything the
> root servers. If anyone has any suggestions, etc., they would be much
> appreciated.
>
> Thank you,
> Michael Mannella
> Support Team
> Synergy Networks, Inc.
>
> Here are the symptoms:
> ============================================
>
> The odd traffic started with the root servers, namely
> (a-m).gtld-servers.net . Most of the traffic is still coming from them,
> but other servers have also started sending us this odd traffic.
>
> We have 3 DNS servers, only two are being affected, they are our Primary
> and Secondary servers that are listed with Network Solutions. The third
> server (that is not being affected) is not listed with NetSol and has no
> DNS records set up in it. It is strictly being used for lookups.
>
> The odd traffic is listed as a "DNS Spoof attempt" on our firewall.
>
> The odd traffic looks like this:
>
> Rcv 192.48.79.30 0cbb R Q [0084 A NOERROR] (8)我的电话(3)COM(0)
> UDP response info at 01ADC8BC
> Socket = 380
> Remote addr 192.48.79.30, port 53
> Time Query=147367, Queued=0, Expire=0
> Buf length = 0x0200 (512)
> Msg length = 0x010e (270)
> Message:
> XID 0x0cbb
> Flags 0x8400
> QR 1 (response)
> OPCODE 0 (QUERY)
> AA 1
> TC 0
> RD 0
> RA 0
> Z 0
> RCODE 0 (NOERROR)
> QCOUNT 0x1
> ACOUNT 0x1
> NSCOUNT 0xd
> ARCOUNT 0x0
> Offset = 0x000c, RR count = 0
> Name "(8)我的电话(3)COM(0)"
> QTYPE A (1)
> QCLASS 1
> ANSWER SECTION:
> Offset = 0x001e, RR count = 0
> Name "[C00C](8)我的电话(3)COM(0)"
> TYPE A (1)
> CLASS 1
> TTL 300
> DLEN 4
> DATA 198.41.1.35
> AUTHORITY SECTION:
> Offset = 0x002e, RR count = 0
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 20
> DATA (1)g(12)gtld-servers(3)net(0)
> Offset = 0x004e, RR count = 1
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)h[C03C](12)gtld-servers(3)net(0)
> Offset = 0x005e, RR count = 2
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)d[C03C](12)gtld-servers(3)net(0)
> Offset = 0x006e, RR count = 3
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)j[C03C](12)gtld-servers(3)net(0)
> Offset = 0x007e, RR count = 4
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)i[C03C](12)gtld-servers(3)net(0)
> Offset = 0x008e, RR count = 5
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)l[C03C](12)gtld-servers(3)net(0)
> Offset = 0x009e, RR count = 6
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)b[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00ae, RR count = 7
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)e[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00be, RR count = 8
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)a[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00ce, RR count = 9
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)k[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00de, RR count = 10
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)f[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00ee, RR count = 11
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)c[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00fe, RR count = 12
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)m[C03C](12)gtld-servers(3)net(0)
> ADDITIONAL SECTION:
>
> The DNS server encountered an invalid domain name in a packet from
> 192.48.79.30. The packet is rejected.
>
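The response dumped in the quoted post, rebuilt byte for byte from the fields it lists and then parsed, as an added example that is not part of the thread or anyone's posted code. It walks the header, the question and the three RR sections, follows the [C00C]/[C015]/[C03C] compression pointers with loop protection, and applies two checks a resolver or firewall would apply before trusting such a packet: does the response match a query this host actually sent (a miss is what the firewall in the post calls a spoof attempt), and do all labels fit hostname syntax (the 8-byte raw label is the reason the server logged an invalid domain name). Assumptions: the 8-byte label is treated as the GB2312 encoding of the four CJK characters (any eight non-ASCII bytes would behave the same), the outstanding-query table is constructed and empty, and the hostname rule is the RFC 952/1123 letters-digits-hyphen rule, not the server's exact internal check.

```python
import struct

# Constructed sample, not a capture: rebuilds the 270-byte response the post
# dumps from the fields it lists (XID 0x0cbb, flags 0x8400, one question, one
# A answer, thirteen NS records; first NS name in full, the rest compressed).
GTLD_LETTERS = "ghdjilbeakfcm"            # order of the post's authority section
# Assumption: the 8-byte label is the GB2312 encoding of the four CJK characters.
RAW_LABEL = "我的电话".encode("gb2312")   # 8 bytes, matching the (8) length byte


def _name(labels):
    """Encode a list of raw byte labels as an uncompressed wire-format name."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_sample_response():
    hdr = struct.pack("!HHHHHH", 0x0CBB, 0x8400, 1, 1, 13, 0)
    question = _name([RAW_LABEL, b"COM"]) + struct.pack("!HH", 1, 1)
    # Answer owner name is a pointer to the question name at offset 0x0c.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 41, 1, 35])
    authority = b""
    for i, letter in enumerate(GTLD_LETTERS):
        if i == 0:
            rdata = _name([b"g", b"gtld-servers", b"net"])
        else:  # "<letter>" + pointer to "gtld-servers.net" at offset 0x3c
            rdata = bytes([1]) + letter.encode() + b"\xC0\x3C"
        # Owner name is a pointer to "COM" inside the question name (offset 0x15).
        authority += b"\xC0\x15" + struct.pack("!HHIH", 2, 1, 172800, len(rdata)) + rdata
    return hdr + question + answer + authority


def read_name(msg, off, depth=0):
    """Decode a possibly compressed name; return (labels, offset after it)."""
    if depth > 8:
        raise ValueError("compression pointer chain too deep")
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 11xxxxxx: pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                          # must point backwards
                raise ValueError("forward compression pointer")
            tail, _ = read_name(msg, ptr, depth + 1)
            return labels + tail, off + 2
        off += 1
        if ln == 0:
            return labels, off
        labels.append(msg[off:off + ln])
        off += ln


def parse_message(msg):
    """Walk header, question and the three RR sections; reject trailing bytes."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, dlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + dlen]
            if rtype == 2:                          # NS rdata is itself a name
                rdata, _ = read_name(msg, off)
            elif rtype == 1 and dlen == 4:          # A record
                rdata = ".".join(str(b) for b in rdata)
            off += dlen
            records.append((section, name, rtype, ttl, rdata))
    if off != len(msg):
        raise ValueError("trailing bytes after last record")
    return {"xid": xid, "flags": flags, "questions": questions, "records": records}


def invalid_labels(name):
    """Labels outside RFC 952/1123 hostname syntax (ASCII letters, digits and
    interior hyphens). The raw 8-bit label in the post fails this; it is the kind
    of check behind the server's 'invalid domain name' rejection (assumption)."""
    bad = []
    for label in name:
        text = label.decode("ascii", "replace")
        if (not label.isascii() or not all(c.isalnum() or c == "-" for c in text)
                or text.startswith("-") or text.endswith("-")):
            bad.append(label)
    return bad


def triage(msg, outstanding):
    """outstanding: set of (xid, lowercased dotted qname, qtype) this host has sent
    and not yet answered (constructed by the caller; a resolver keeps the real one).
    A response matching no entry is what a firewall logs as a spoof attempt."""
    parsed = parse_message(msg)
    findings = []
    if not parsed["flags"] & 0x8000:
        return parsed, ["query, not a response"]
    if not parsed["questions"]:
        return parsed, ["response without a question section"]
    qname, qtype, _ = parsed["questions"][0]
    if (parsed["xid"], b".".join(qname).lower(), qtype) not in outstanding:
        findings.append("unsolicited response: no matching outstanding query")
    if invalid_labels(qname):
        findings.append("invalid characters in question name")
    return parsed, findings


if __name__ == "__main__":
    msg = build_sample_response()
    parsed, findings = triage(msg, outstanding=set())
    print(len(msg), "bytes, xid", hex(parsed["xid"]), "flags", hex(parsed["flags"]),
          len(parsed["records"]), "records")
    for f in findings:
        print(" -", f)
```

The rebuilt message comes out at exactly 270 bytes with the same section offsets the dump prints (0x1e, 0x2e, 0x4e, ...), which is a useful sanity check that the dump was read correctly. The backward-only pointer rule in `read_name` is what keeps a hostile packet from sending the parser in a loop, and the trailing-bytes check catches responses whose counts do not match their length.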