I've often seen this behaviour. One confirmed explanation was (but there may be others) that this is the result of a stateful firewall. While the rules are pushed, traffic through it is buffered until the last rule is pushed, after which the buffer is flushed to the world, resulting in a barrage of queries from the resolver behind the firewall. What happens with the ID depends on the resolver: some will re-issue the query after getting no response, some re-issue it with a new ID.
I never got confirmation of the firewall make. This was about 8 years ago.

Roy

> On 9 Jan 2023, at 08:50, [email protected] wrote:
>
> We are receiving a significant amount of query bursts on our resolvers
> with the following characteristics:
>
> - A client IP doing a burst of queries for the same name repeatedly,
>   very quickly.
> - The query is typically an A query.
> - A burst often has 50 - 100 queries for the same name within a few
>   milliseconds.
> - All the queries within one burst have the same DNS query ID (but
>   different IP id and source port number).
> - The same client IP producing such bursts of identical queries also
>   sends regular queries (one query per name, DNS query IDs vary).
>
> Example of (part of) query burst - in this case the client sends
> bursts of 84 queries within less than 1 ms:
>
> 09:24:56.593259 IP 194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593283 IP 194.19.79.131.38426 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593307 IP 194.19.79.131.56931 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593346 IP 194.19.79.131.42976 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593350 IP 194.19.79.131.11638 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593366 IP 194.19.79.131.22476 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> ...
> 09:24:56.594364 IP 194.19.79.131.41548 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
>
> followed by another burst of 84 queries in around 1.1 ms:
>
> 09:24:56.594416 IP 194.19.79.131.38426 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594475 IP 194.19.79.131.42976 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594501 IP 194.19.79.131.58089 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594560 IP 194.19.79.131.14419 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594561 IP 194.19.79.131.56931 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> 09:24:56.594562 IP 194.19.79.131.18576 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
> ...
> 09:24:56.595596 IP 194.19.79.131.41232 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
>
> I *suspect* the bursts and the regular queries are actually produced
> by different clients on the inside of a firewall with NAT - but note I
> don't *know* this is the case.
>
> Does anybody know of software / applications that would produce such
> query bursts? Note that I don't believe the query bursts are caused by
> L2 loops or similar, because
>
> - These problems have lasted for weeks
> - And they occur for several different (unrelated) customers
>
> Steinar Haug, AS2116
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
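The pattern Steinar describes (one client IP, one DNS query ID, one name, dozens of queries inside a few milliseconds, each from a different source port) is easy to pick out of tcpdump output mechanically. The script below is an added example, not code from either poster or from any resolver project: it parses tcpdump lines of exactly the shape quoted above, groups queries by (client, query ID, qtype, qname) and reports the densest sliding window per group once it reaches a threshold. It also counts distinct source ports in the burst, which separates a single socket retransmitting with the same ID (one port) from the many-port pattern seen here. The thresholds (50 queries in 5 ms) and all sample lines are constructed assumptions, not real capture data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One tcpdump line of the shape quoted in the thread, e.g.
# 09:24:56.593259 IP 194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
# Only this plain UDP query form is handled (no EDNS/flag brackets, no TCP).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<qid>\d+)\+? (?P<qtype>\w+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)
TS_FMT = "%H:%M:%S.%f"


def parse_line(line):
    """Return the fields we key on, or None if the line is not a query line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),  # same-day capture assumed
        "src": m["src"],
        "sport": int(m["sport"]),
        "qid": int(m["qid"]),
        "qtype": m["qtype"],
        "qname": m["qname"],
    }


def find_bursts(lines, min_queries=50, window_ms=5.0):
    """Flag (client, query ID, qtype, qname) groups that repeat at least
    min_queries times inside a sliding window of window_ms.

    Thresholds are assumptions matching the 50-100 queries per few
    milliseconds described in the thread; tune them for your traffic."""
    groups = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q is not None:
            groups[(q["src"], q["qid"], q["qtype"], q["qname"])].append(q)

    window = timedelta(milliseconds=window_ms)
    bursts = []
    for (src, qid, qtype, qname), qs in groups.items():
        if len(qs) < min_queries:
            continue  # cheap pre-filter: this group can never fill a window
        qs.sort(key=lambda q: q["ts"])
        # Sliding window: keep the densest window for this group.
        best_count, best_start, best_end = 0, 0, 0
        start = 0
        for end in range(len(qs)):
            while qs[end]["ts"] - qs[start]["ts"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start, best_end = end - start + 1, start, end
        if best_count < min_queries:
            continue
        run = qs[best_start:best_end + 1]
        bursts.append({
            "src": src,
            "qid": qid,
            "qtype": qtype,
            "qname": qname,
            "count": best_count,
            "span_ms": (run[-1]["ts"] - run[0]["ts"]).total_seconds() * 1000.0,
            # One port: a single socket retransmitting. Many ports: the
            # pattern in the thread (many sockets, or many hosts behind NAT).
            "distinct_ports": len({q["sport"] for q in run}),
        })
    return bursts


def make_sample():
    """Constructed tcpdump lines (not a real capture) in the thread's format."""
    base = datetime.strptime("09:24:56.593259", TS_FMT)
    lines = []
    # 60 identical A queries, one query ID, 12 us apart, each from a new port.
    for i in range(60):
        ts = (base + timedelta(microseconds=12 * i)).strftime(TS_FMT)
        lines.append(f"{ts} IP 194.19.79.131.{40000 + i} > 193.75.75.193.53: "
                     f"24781+ A? www.jointraining.com. (38)")
    # Ordinary traffic from the same client: one query per name, IDs vary.
    for i, name in enumerate(["www.example.com.", "mail.example.net.", "ns1.example.org."]):
        ts = (base + timedelta(seconds=1 + i)).strftime(TS_FMT)
        lines.append(f"{ts} IP 194.19.79.131.{50000 + i} > 193.75.75.193.53: "
                     f"{10000 + i}+ A? {name} (34)")
    # A normal retry: same socket, same ID, one second later. Stays below threshold.
    for i in range(2):
        ts = (base + timedelta(seconds=5 + i)).strftime(TS_FMT)
        lines.append(f"{ts} IP 194.19.79.131.60123 > 193.75.75.193.53: "
                     f"31337+ A? slow.example.com. (36)")
    return lines


if __name__ == "__main__":
    for b in find_bursts(make_sample()):
        print(f"{b['src']} id={b['qid']} {b['qtype']} {b['qname']}: "
              f"{b['count']} queries in {b['span_ms']:.3f} ms "
              f"from {b['distinct_ports']} source ports")
```

To run it against a real capture, replace `make_sample()` with the lines of `tcpdump -nn -tt -r capture.pcap udp dst port 53` (the `-tt` epoch timestamps would need a matching change to `TS_FMT`); the grouping on query ID is what distinguishes this from plain per-client rate limiting, since the regular queries from the same client carry varying IDs and never accumulate in one group.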
