DNS requests and Bandwidth

2005-05-11 Thread aljuhani



Hello List.

We have one domain set up on our server DNS but there is no
website or email configured.

Recently we've noticed some increase in server bandwidth usage,
and after using tcpdump we were able to find the problem, which
is a DNS server on the Internet sending many queries per second
to resolve MX and A records for that domain, which is not existing of
course, but it keeps asking.

One way was to block requests from that DNS IP, but that was not
practical, as many users on that DNS won't be able to communicate
with our server.

So what is the best way to prevent DNS queries consuming bandwidth?

tcpdump output extract:

14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29) (DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
---

-aljuhani
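The nine packets in the extract above can be turned into a per-source query rate and byte count, which is the check a practitioner would run before deciding whether a source is worth dropping. The following Python is an added example, not code from the original post: it parses tcpdump query lines in that exact format (the host names and the 212.26.72.85 source are the post's own placeholders, reproduced here as constructed input), counts queries per one-second bucket for each source host, and flags any source whose peak rate reaches a threshold. The 28-byte IPv4/UDP header overhead per query is an assumption.

```python
import re
from collections import Counter, defaultdict

# Matches the tcpdump DNS summary format shown in the post:
#   HH:MM:SS.usec src.port > dst.domain: id QTYPE? qname. (len) (DF)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.domain: "
    r"(?P<id>\d+) (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<len>\d+)\)"
)

# Constructed sample: the nine packets from the post, one per line.
SAMPLE = """\
14:40:09.407336 212.26.72.85.34997 > ns.MyNameServer.net.domain: 51794 MX? MyDomain.com. (29) (DF)
14:40:09.411707 212.26.72.85.34997 > ns.MyNameServer.net.domain: 14233 A? MyDomain.com. (29) (DF)
14:40:09.415880 212.26.72.85.34997 > ns.MyNameServer.net.domain: 39317 MX? MyDomain.com. (29) (DF)
14:40:09.419827 212.26.72.85.34997 > ns.MyNameServer.net.domain: 49503 A? MyDomain.com. (29) (DF)
14:40:09.423700 212.26.72.85.34997 > ns.MyNameServer.net.domain: 29362 A? MyDomain.com. (29) (DF)
14:40:09.426963 212.26.72.85.34997 > ns.MyNameServer.net.domain: 16692 A? MyDomain.com. (29) (DF)
14:40:09.430590 212.26.72.85.34997 > ns.MyNameServer.net.domain: 65288 A? MyDomain.com. (29) (DF)
14:40:09.434350 212.26.72.85.34997 > ns.MyNameServer.net.domain: 1341 A? MyDomain.com. (29) (DF)
14:40:09.438163 212.26.72.85.34997 > ns.MyNameServer.net.domain: 57932 A? MyDomain.com. (29) (DF)
"""

IP_UDP_OVERHEAD = 28  # assumption: IPv4 (20) + UDP (8) header bytes per query, no IP options


def parse_line(line):
    """Return the fields of one tcpdump query line, or None if it is not a DNS query line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "second": m.group("ts")[:8],   # whole-second bucket, e.g. "14:40:09"
        "src": m.group("src"),
        "qtype": m.group("qtype"),
        "qname": m.group("qname").rstrip(".").lower(),
        "len": int(m.group("len")),
    }


def summarize(text):
    """Aggregate queries per source host: total count, bytes on the wire, qtype mix,
    distinct names asked for, and the busiest one-second bucket (peak qps)."""
    per_src = {}
    buckets = defaultdict(Counter)   # src -> second -> query count
    for line in text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        e = per_src.setdefault(q["src"], {"count": 0, "bytes": 0,
                                          "qtypes": Counter(), "names": set()})
        e["count"] += 1
        e["bytes"] += q["len"] + IP_UDP_OVERHEAD
        e["qtypes"][q["qtype"]] += 1
        e["names"].add(q["qname"])
        buckets[q["src"]][q["second"]] += 1
    for src, e in per_src.items():
        e["peak_qps"] = max(buckets[src].values())
    return per_src


def noisy_sources(per_src, qps_threshold=5):
    """Sources whose peak one-second query count reaches the threshold.
    A single source repeating the same name many times per second is the
    pattern the post describes."""
    return {src: e for src, e in per_src.items() if e["peak_qps"] >= qps_threshold}


if __name__ == "__main__":
    for src, e in noisy_sources(summarize(SAMPLE)).items():
        print(f"{src}: {e['count']} queries, peak {e['peak_qps']}/s, "
              f"{e['bytes']} bytes, types {dict(e['qtypes'])}, names {sorted(e['names'])}")
```

Run against a real capture, feed it the output of tcpdump on port 53 (the byte figure counts queries only; responses add at least as much again, so it is a lower bound on the bandwidth a source costs).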


Re: DNS requests and Bandwidth

2005-05-11 Thread aljuhani

On Wed, May 11, 2005 at 20:33, Will Yardley wrote:

 If your domains aren't mynameserver.net or mydomain.com, perhaps
 you'd get a more helpful response by including the actual hostnames /
 domains in question? You don't gain much by stripping this information,
 and it's much easier for people to figure out what might be going on if
 you include the actual domain(s). I'm assuming that if you're running a
 publicly accessible nameserver which is serving names for these domains,
 it's probably not sooper sekrit information.

 Also, if you MUST use a bogus domain, at least use a bogus domain
 reserved for that purpose (like example.com) or something ending in
 .invalid.

First. thanks all for the prompt responses to my message.

Second, the incident actually started in late 2003, and the magnitude of
DNS requests peaked our bandwidth usage at 170 GB, which was
a huge increase when compared to the normal average bandwidth.

Why did it happen? There was a worm, still crawling around the
Internet, that sends mega emails to [EMAIL PROTECTED]; usually
[EMAIL PROTECTED], [EMAIL PROTECTED], and many others.

During 2004 the worm was still there, but then it died down; now
it is up again, so what I think is that those IPs attacking our
DNS server are actually PCs infected by that worm. It ends up as a
DoS type attack, as thousands of PCs around the world request DNS records
from our nameservers.

Now I have changed the DNS server to a dynamic DNS provider, and I am pointing
the MX record to my home server sitting on a DSL connection, which does
not annoy much bandwidth wise, and I've started creating SMTP rules that block
every address except [EMAIL PROTECTED] and [EMAIL PROTECTED].

If you want to see the magnitude of the attacks you can search Google for
mxserver.com:

http://groups-beta.google.com/groups?q=%22mxserver.com%22hl=enlr=sa=Ntab=wg

once again thanks all for your help.

-aljuhani



Re: Google DNS problems?!?

2005-05-08 Thread aljuhani

Hank Nussbacher wrote,

 I really like Google.  I like what they do.  But lately, their security
 team is a joke.  I had a problem with their POP Gmail service and the
 advise I got from their Gmail team was to turn off my CA EZ antivirus and
 my ZApro firewall and to try again and see if the problem repeats
 itself.  For a moment I thought it was an April 1st joke.

 When playing with Gmail or Ggroups - try to find a link to report abuse or
 a security problem (yes - one exists - but not one that is easy to find
 from Gmail or Ggroups).

 I attribute it to size - when one gets big enough - one truly believes that
 gravity is affected by your company.  Unless Google shapes up, they will
 quickly find out what happens to large, cumbersome, and clueless companies.


Well, I am not a DNS expert, but why does Google have the primary Gmail MX record
without load balancing while all the secondaries share the same priority
level?

I have a server that relays Usenet messages to my Gmail account, and here is a
week's worth of stats showing how Google's mail servers are handling incoming
mail:

Total Number of messages sent to gmail: 1945 messages of which:

1888 (97%) messages were gated through Gmail's primary mail server
(gmail-smtp-in.l.google.com).
21 messages were gated through Gmail's secondary (gsmtp171.google.com).
13 messages were gated through Gmail's secondary (gsmtp171-2.google.com).
10 messages were gated through Gmail's secondary (gsmtp185-2.google.com).

So in short, 97% of the email was delivered through the primary while the
secondaries only served 3%.

My question is why they do not make all mail servers the same priority level
instead of the current setup, which load balances the secondaries only.

BTW, the MX records for Google Gmail are:

MX 5 gmail-smtp-in.l.google.com.
MX 10 gsmtp171.google.com.
MX 10 gsmtp185.google.com.
MX 10 gsmtp171-2.google.com.
MX 10 gsmtp185-2.google.com.
MX 20 gsmtp57.google.com.

Each has a 1 minute TTL.


-aljuhani
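The 97/3 split reported above is what the MX selection rule produces: a sending MTA sorts the MX records by preference value and spreads load (randomly) only among hosts that share a preference, so the secondaries see traffic only when the primary refuses or is unreachable. The following Python is an added example, not Google's or the poster's code. It implements that RFC 2821 section 5 rule over the MX set quoted in the post (copied as constructed input, not a live lookup), simulates deliveries with the primary up, with the primary down, and with every host flattened to the same preference as the post proposes. Reachability is simulated by a set of "down" host names.

```python
import random

# The Gmail MX set as posted above (preference, host); copied from the post, not live data.
GMAIL_MX = [
    (5, "gmail-smtp-in.l.google.com."),
    (10, "gsmtp171.google.com."),
    (10, "gsmtp185.google.com."),
    (10, "gsmtp171-2.google.com."),
    (10, "gsmtp185-2.google.com."),
    (20, "gsmtp57.google.com."),
]


def mx_delivery_order(records, rng=random):
    """Order in which a sending MTA tries the MX hosts (RFC 2821 section 5):
    lowest preference value first; hosts sharing a preference are shuffled so
    that load spreads across them, but only within that preference level."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(records, reachable, rng=random):
    """Hand the message to the first reachable host in MX order; None if all fail."""
    for host in mx_delivery_order(records, rng):
        if reachable(host):
            return host
    return None


def simulate(records, n, down=frozenset(), seed=0):
    """Send n messages with the given hosts unreachable; count deliveries per host."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        host = deliver(records, lambda h: h not in down, rng)
        counts[host] = counts.get(host, 0) + 1
    return counts


def flatten(records, pref=10):
    """The alternative asked about in the post: every host at the same preference."""
    return [(pref, host) for _, host in records]


if __name__ == "__main__":
    print("all up:       ", simulate(GMAIL_MX, 1000))
    print("primary down: ", simulate(GMAIL_MX, 1000, down={"gmail-smtp-in.l.google.com."}))
    print("all same pref:", simulate(flatten(GMAIL_MX), 1000))
```

With the records as published, every message goes to the preference-5 host while it answers; the four preference-10 hosts share the load only when it does not, and the preference-20 host is reached only when all five above it fail. Flattening the preferences spreads delivery across all six hosts, which is the trade the post is asking about.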




Re: Google DNS problems?!?

2005-05-08 Thread aljuhani

On 8 May 2005, at 21:13, Andy Davidson wrote:

 gmail-smtp-in.l.google.com is at least two machines, but much more
 likely to be at least two clusters of machines ... :

 ;; ANSWER SECTION:
 gmail-smtp-in.l.google.com. 232 IN  A   64.233.185.27
 gmail-smtp-in.l.google.com. 232 IN  A   64.233.185.114


 .. load-balanced in some way.  One MX record doesn't mean one machine
 and no load-balancing by any means.

Yes, you are right. Perhaps I did not put my point right when I mentioned
load balancing; I was trying to see the effect of a DNS outage on Gmail
services.

-aljuhani





Re: Internet email performance study

2005-04-28 Thread aljuhani

- Original Message -
From: Robert Beverly [EMAIL PROTECTED]
To: nanog@merit.edu
Cc: [EMAIL PROTECTED]
Sent: Thursday, April 28, 2005 22:21
Subject: Internet email performance study



 Hi,

 (we previously posted this on the e2e mail list; apologies if you are
 reading it for the second time)

 We're looking for operational-types lurking on the list with experience
 running large mail servers.  In particular, we have collected a large
 amount of data as part of an Internet email performance study that we
 cannot entirely explain.  If you can help us or are simply curious about
 our findings, we'd love to hear from you.

 WHAT WE DID: Briefly, we used SMTP bounce-backs as the basis of an email
 active measurement survey.  Using random addresses as unique identifiers,
 we measure latency, loss, paths, etc. to a large set of Internet MTAs.
 Approximately 1/3 of all servers we surveyed respond with bounce-backs.
 We've found some interesting results.  For example latencies of days (30
 days in one instance).

 WHAT WE DON'T UNDERSTAND:  Most servers behave as we expect, either always
 replying with bounce-backs or never replying.  However, some exhibit odd
 and seemingly non-deterministic behavior.  For example, a server will
 respond to all emails for weeks, and then reply to only a fraction (e.g.,
 25-75%) of the emails in a seemingly random pattern for some period of
 time (e.g, 4 hours).  Further, we often see these patterns correlated
 within a domain (e.g., a subset of the MTAs will enter and exit this loss
 mode at the same time).  We are fairly certain that the loss is an
 artifact of the MTA behavior or local administration.  While we can guess
 reasons this might occur, we have yet to find an administrator who can
 explain this behavior with an architecture used in practice.

Well, there could be many reasons for that, depending on how you probe the SMTP servers.
Some sysadmins block IP addresses that seem to be a spammer trying some
addresses to send spam to; spammers always try to find a catch-all mailbox to
flood with messages addressed to [EMAIL PROTECTED].

Another possibility is that the domains you are monitoring are on dynamic IP
addresses that change all the time, and the gap when they become non-responsive
could be due to delay in updating the DNS roots with the new IP address.
They could also be non-dedicated mail servers, meaning that the server is used for
web and DNS too, and when overloaded tries to shed some load, and usually
the first service to be disabled is SMTP.

Or that domain has a lower priority mail server which happens to be
down for maintenance, but your DNS server is caching the data (IP address)
of that mail server, which should not happen as it has to retry the other MX
record, but it remains a possibility.

I have not yet looked at the details on your URL, but there are a number of
things to consider when doing such a survey.

1. Where is your monitoring server located in relation to the servers / domains
being monitored? You need to establish a datum for how far away that server or
domain is, using PING to see how long the packet takes on a round trip, just to
rule out networking / routing issues that may interfere with the results you
need for the responses of the MTAs.

2. Study that domain using dig to find the MX records and DNS servers, and whether
there are backup DNS servers somewhere near your network.

3. Of course, as indicated above, you need to find out if the IP of that
domain is static or dynamic.

4. Also, you need to monitor the load on your own server and DNS responses.

What I'd suggest is to use MRTG to monitor the round-trip time using PING on
the servers being monitored, so you have real live data that helps in establishing
your final findings.

Also, don't forget that some MTA users have their SMTP with a filter to
reject SMTP traffic that is not behaving normally with the SMTP greeting.

If you need any further information or some logs, please send me an email at
[EMAIL PROTECTED]

 More details on the project including our exact methodology, plausible
 explanations for the loss and a FAQ are available on our web site:
http://ana.lcs.mit.edu/emailtester

 Thanks!

 Rob Beverly / Mike Afergan


aljuhani



Re: Internet email performance study

2005-04-28 Thread aljuhani

On Thu, Apr 28, 2005 at 23:42, Robert Beverly [EMAIL PROTECTED]
 
..snip
 Yes, our SMTP greetings are valid and up to spec.  Again, it's the
 non-deterministic loss that we're most concerned about.  If there
 were a problem with the SMTP exchange, we would see our emails
 always rejected (for instance).  Our measurement study only includes
 emails that were successfully delivered (indicated by a complete
 series of successful status codes returned during SMTP exchange).
 
 Many thanks,
 
 rob

Hi,

Perhaps this explains it.

http://www.albury.net.au/netstatus/derouted.html

BTW your subnet (18.0.0.0/8) is listed there as well.

Regards,

aljuhani  


Fw: Internet email performance study

2005-04-28 Thread aljuhani

Hi.

Sorry, there was a mistake in my previous post:
the subnet listed is 218.0.0.0/8, which is not yours.

thanks
aljuhani

- Original Message - 
From: aljuhani [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 29, 2005 00:53
Subject: Re: Internet email performance study


 On Thu, Apr 28, 2005 at 23:42, Robert Beverly [EMAIL PROTECTED]
  
 ..snip
  Yes, our SMTP greetings are valid and up to spec.  Again, it's the
  non-deterministic loss that we're most concerned about.  If there
  were a problem with the SMTP exchange, we would see our emails
  always rejected (for instance).  Our measurement study only includes
  emails that were successfully delivered (indicated by a complete
  series of successful status codes returned during SMTP exchange).
  
  Many thanks,
  
  rob
 
 Hi,
 
 Perhaps this explains it.
 
 http://www.albury.net.au/netstatus/derouted.html
 
 BTW your subnet (18.0.0.0/8) is listed there as well.
 
 Regards,
 
 aljuhani


Re: Problems with NS*.worldnic.com

2005-04-26 Thread aljuhani

- Original Message - 
From: Randy Bush [EMAIL PROTECTED]
To: Christopher L. Morrow [EMAIL PROTECTED]
Cc: nanog@merit.edu
Sent: Tuesday, April 26, 2005 16:35
Subject: Re: Problems with NS*.worldnic.com


 
 lots of folk sent email to me and not the list.  most report
 worldnic responding with tcp 53 and not udp.  would love to
 hear confirmation on list.  can think of a number of causes,
 one possible, but just a stab in the dark, would be an
 intentional hack as a defense to a spoofed-ip attack.

That is a BIND issue: when it receives an empty response from the
worldnic NS to UDP queries, it asks again over TCP, which
is very slow.

more here:
http://isc.sans.org/diary.php?date=2005-04-22

 what are some names known to be hosted on worldnic?
 
 randy
 

aljuhani 


Re: Problems with NS*.worldnic.com

2005-04-25 Thread aljuhani

We have a few servers with Interland / Miami.  Today, for around 1 hour 15
minutes, the DNS / TCP traffic was timing out.

Httpd was very slow for domains with backup DNS servers in Europe, but other
domains with DNS within Interland only were not resolving at all.

I only noticed that traffic was not going through from here (Saudi Arabia),
but it appeared to be resolving okay from the United States.

I do not know if this is related to the worldnic DNS problem, but I think
Interland is outsourcing DNS from VeriSign.

[EMAIL PROTECTED]

- Original Message -
From: Greg Schwimer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 25, 2005 21:34
Subject: Problems with NS*.worldnic.com



 I saw some mention of this in a previous thread.  Is anyone else still
 experiencing problems?  We're seeing general slowness and the use of the
 truncate bit in responses, forcing a fallback to TCP.
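Both messages above describe the same mechanism: a UDP reply with the TC (truncated) bit set, which makes a resolver such as BIND repeat the query over TCP. The following Python is an added example, not code from either poster nor from BIND: it builds a minimal DNS query, decodes the header flags of a reply, decides whether a TCP retry is required, and shows the two-byte length framing the retried query carries on TCP. The replies are constructed locally (no network traffic is sent); the name example.com and the id values are arbitrary.

```python
import random
import struct

QTYPE = {"A": 1, "MX": 15}
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def build_query(qname, qtype="MX", qid=None):
    """Minimal RFC 1035 query: 12-byte header plus one question, recursion desired."""
    qid = random.randrange(0, 0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def parse_header(msg):
    """Decode the header fields a resolver checks before trusting a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(query, response):
    """True when the UDP reply is a genuine answer to our query but carries TC=1,
    which is what makes a resolver repeat the query over TCP (RFC 1035 4.2.1)."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("not a response to this query")
    return r["tc"]


def tcp_frame(msg):
    """Wire form of the retried query on TCP: two-byte length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def make_response(query, tc=False):
    """Constructed server reply for local testing: echoes the id and question,
    sets QR and RA, carries no answer records, and optionally sets TC."""
    qid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    rflags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    return struct.pack("!HHHHHH", qid, rflags, qd, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com")
    for label, r in (("normal", make_response(q)), ("truncated", make_response(q, tc=True))):
        verdict = "retry over TCP" if needs_tcp_retry(q, r) else "done"
        print(label, parse_header(r), "->", verdict)
```

The id and QR checks in needs_tcp_retry are what keep a stray or spoofed reply from triggering the retry; a reply that fails them is discarded rather than acted on. In the situation the thread describes, every UDP reply comes back with TC=1 and an empty answer section, so each lookup costs a second round trip plus a TCP handshake, which is where the slowness comes from.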