Hi,
My nohats.ca domain has been under a couple-of-weeks-long ANY attack. I assume spoofed IPs querying open resolvers that in turn have their upstream DNS send me queries.

The vast majority of queries are coming from Google's many IP addresses. While I understand it must be an impressive ANYCAST network, I am still surprised to see millions of queries coming for data that has a TTL=1d. It is as if Google is hardly caching anything...

The top 30 queries in the last two weeks, based on logging at most 1q/s:

It seems that the nsd ratelimits to send TC=1 isn't working well either to reduce the incoming amount of UDP queries.

Why does Google DNS seem so inefficient at caching?

Paul

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
