Re: Same source port queries dropped by ServerIron load balancer

2010-03-31 Thread Abdulla Bushlaibi
The tool queryperf is a useful tool and it gives you details about a DNS 
server's performance. However, it would be useful to have an option in 
queryperf to use random source ports to test real life scenarios.


--
Abdulla Ahmad Bushlaibi



On 3/31/2010 12:07 AM, Kevin Darcy wrote:

On 3/30/2010 8:00 AM, Tony Finch wrote:

On Tue, 30 Mar 2010, Abdulla Bushlaibi wrote:

We are facing query drops by using dnsperf tool from ISC testing the DNS
service via load balancer. Multiple queries from the same source port are
being dropped partially by the load balancer and as per the load balancer
vendor feedback, this is a security feature and this situation doesn't happen
in real life scenarios.

High performance stub resolvers like adns use the same UDP port for many
queries.

Thus reducing entropy and commensurately increasing the chance of 
accepting a spoofed response as genuine.


I think the load-balancer vendor has the right default here, and adns 
should re-think their methodology.



- Kevin



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






Strange domains requested

2010-03-31 Thread Abdulla Bushlaibi
Recently we are seeing strange domains being requested on the caching 
name servers we are running, sometimes the clients who are requesting 
these domains are sending more than one thousand requests per second and 
sometimes it's a lot lower than that (maybe 30 or 50 or 100 requests per 
second), examples of the log records are as below:


29-Mar-2010 14:18:57.645 client X.X.X.X#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.649 client X.X.X.X#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.649 client X.X.X.X#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.651 client X.X.X.X#53: query: \144\198x IN A +

30-Mar-2010 11:34:36.099 client Y.Y.Y.Y#3074: query: powecs1234.51vip.biz IN A +

30-Mar-2010 11:34:37.305 client Y.Y.Y.Y#3074: query: \019 IN A +
30-Mar-2010 11:34:44.419 client Y.Y.Y.Y#3074: query: \019 IN A +
30-Mar-2010 11:34:50.437 client Y.Y.Y.Y#3074: query: \019 IN A +

30-Mar-2010 11:36:02.096 client Z.Z.Z.Z#53: query: acegaceg.vicp.cc IN A +
30-Mar-2010 11:36:02.100 client Z.Z.Z.Z#53: query: \012\194x IN A +
30-Mar-2010 11:36:02.104 client Z.Z.Z.Z#53: query: \012\194x IN A +
30-Mar-2010 11:36:02.108 client Z.Z.Z.Z#53: query: \012\194x IN A +


Most of the time the client's source port is 53 which is mostly used as 
a source port for DNS servers to reply to the client's queries, so I am 
suspecting it might be a virus of some sort.


I did a Google search for the mentioned domains but with no luck. Does 
anyone have any idea what would cause such request floods or have faced 
similar issues?


--
Abdulla Ahmad Bushlaibi
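
Added example, not part of the original post: a small Python triage script for query-log lines in the layout quoted above. Per client it counts queries sent from source port 53, names containing \DDD escapes, and peak queries per second; the sample addresses and the 30 qps threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Layout as in the excerpts above: date time client IP#port: query: NAME CLASS TYPE flags
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
ESCAPE_RE = re.compile(r"\\\d{3}")  # \DDD = a byte the logger could not print as text

# Constructed sample input (documentation addresses), modelled on the excerpts.
SAMPLE_LOG = r"""
29-Mar-2010 14:18:57.645 client 192.0.2.10#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.649 client 192.0.2.10#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.651 client 192.0.2.10#53: query: \144\198x IN A +
30-Mar-2010 11:34:37.305 client 192.0.2.20#3074: query: \019 IN A +
30-Mar-2010 11:34:44.419 client 192.0.2.20#3074: query: \019 IN A +
30-Mar-2010 11:35:01.002 client 192.0.2.30#40211: query: www.example.com IN A +
"""

def summarize(log_text):
    """Return {client_ip: stats} for every parsable query line."""
    per_second = defaultdict(Counter)
    stats = defaultdict(lambda: {"queries": 0, "port53": 0, "escaped": 0, "peak_qps": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, wrapped lines, other log categories
        s = stats[m["ip"]]
        s["queries"] += 1
        s["port53"] += m["port"] == "53"
        s["escaped"] += bool(ESCAPE_RE.search(m["qname"]))
        per_second[m["ip"]][m["ts"]] += 1
        s["peak_qps"] = max(s["peak_qps"], per_second[m["ip"]][m["ts"]])
    return dict(stats)

def suspicious(stats, qps_threshold=30):
    """Clients showing any of the three traits; the threshold is an assumed starting point."""
    return sorted(ip for ip, s in stats.items()
                  if s["port53"] or s["escaped"] or s["peak_qps"] >= qps_threshold)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, s in result.items():
        print(ip, s)
    print("flagged:", suspicious(result))
```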
