North American Network Operators Group


Re: Question about strain on the A root server

  • From: Dirk Harms-Merbitz
  • Date: Sat Apr 22 14:26:09 2000

That's what we thought initially. Somebody processing logfiles.

Doesn't look like it though. A remote machine makes our top ten
list and then stays there for days. If we block on a router level
then it seems to get fixed eventually on the other end.

Dirk

On Sat, Apr 22, 2000 at 12:57:54PM -0400, Deepak Jain wrote:
> 
> Depending on how the statistical distribution is falling, I would venture
> a guess to say it's web companies resolving their web hits' DNS. 
> 
> My logic is this: 
> 
> The number of requests in a short time is very high, and as sites generate
> more and more logs the number of requests goes up.  Since many of these
> sites (even small ones) could easily overwhelm their ISP (in the case of a
> hosting company) or their hosting company (in the case of an individual
> customer)'s name servers, these guys are forced to do 100% of the queries
> themselves. 
> 
> Many of these log resolvers don't have name-lookup caching anywhere near
> as sophisticated as bind, and some won't maintain their cache between
> different log runs (picture running the logs for 10,000 virtual domains
> individually -- each night). 
> 
> And/or:
> 
> I would guess that most new unix/other os installs that are expected to
> be on the net probably default talking directly to the root zone instead
> of their immediate upstream ISP. (From a software point-of-view, it's
> easier than asking the customer what his local DNS server is, and then
> having the same customer call support when his DNS doesn't work).
> 
> Last theory is just math:
> 
> As the number of domains goes up, the statistical probability of any
> particular domain being cached in any large DNS server goes down.
> (Especially if the ISP hasn't been very good about growing the size of
> their BIND cache). I can see no reason why these same BIND servers won't
> start making 10-15% more requests to the root servers each (on say growth
> of 40-60% in the number of domains, and probably lower overall
> cache/refresh times). This, with some servers doing many times that
> because they are more directly affected by the increase in domains (more
> and more unique domains, fewer persistent/repeat inquiries).
> 
> 
> Deepak Jain
> AiNET
> 
> 
> On Sat, 22 Apr 2000, Dirk Harms-Merbitz wrote:
> 
> > 
> > We are seeing a small number of machines that almost do DOS
> > attacks so many hits are being requested.
> > 
> > It started a few months ago. The number of machines that do
> > this seems to be slowly increasing.
> > 
> > Could this be a configuration problem in some companies' new
> > DNS server software?
> > 
> > Dirk
> > 
> > On Sat, Apr 22, 2000 at 11:56:37AM -0400, Nick Patience wrote:
> > > 
> > > Hi all,
> > > 
> > > Disclosure: I'm a journalist with a company called the451.com (details in
> > > sig file).
> > > 
> > > Anyhow, that said, I was talking to Network Solutions about their decision
> > > to swap out the Sun box that is the A root server and change it for a more
> > > powerful RS/6000 S80. Also it is using IBM servers for its new network of
> > > name servers - it has already deployed 8 of the intended 12 according to the
> > > company, including one brought on stream two days ago in Hong Kong.
> > > 
> > > As most on this list probably already know, it is separating the root
> > > servers from the name servers.
> > > 
> > > Anyhow, NSI claims that the strain on the A root server has jumped from 220
> > > million 'hits' to 420 million during Q1 alone. I haven't managed to define
> > > what hit is yet but intend to at some point.
> > > 
> > > NSI seems slightly unsure as to the main reason for the increase in hits,
> > > but speculates that one of the reasons may be
> > > says the main reason for this is that ISPs are using different caching
> > > techniques and more & more searches are going right to the top of the tree
> > > than before.
> > > 
> > > What do people on this list feel about this as a reason? It seems a little
> > > woolly to me.
> > > 
> > > Cheers,
> > > 
> > > Nick
> > > 
> > > --
> > > Nick Patience
> > > Internet Editor & NY Dep. Bureau Chief
> > > the451.com | wap.the451.com
> > > T: 212 460 7131  M: 917 312 5712  F: 413 826 8217
> > > [email protected]
> > > 
> > > 
> > 
> > 
>
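
Added example, not part of the original thread: one way to separate the two cases discussed above, a one-off burst (such as a log-processing run) versus a remote machine that "makes our top ten list and then stays there for days". The input format (date, source address, daily query total), the sample data and the function names are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed daily totals: date, source address, queries received.
# Documentation-range addresses; not data from the thread.
SAMPLE = """\
2000-04-17 192.0.2.10 410000
2000-04-17 198.51.100.7 950000
2000-04-17 203.0.113.5 12000
2000-04-18 192.0.2.10 430000
2000-04-18 198.51.100.7 3000
2000-04-18 203.0.113.5 15000
2000-04-19 192.0.2.10 425000
2000-04-19 203.0.113.9 700000
2000-04-19 203.0.113.5 11000
2000-04-20 192.0.2.10 440000
2000-04-20 203.0.113.5 14000
2000-04-20 198.51.100.7 2000
"""

def daily_top(text, top_n):
    """Return {day: set of the top_n clients by query count that day}."""
    per_day = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if line.strip():
            day, client, count = line.split()
            per_day[date.fromisoformat(day)][client] += int(count)
    return {d: set(sorted(c, key=c.get, reverse=True)[:top_n])
            for d, c in per_day.items()}

def persistent_top_talkers(text, top_n=2, min_days=3):
    """Clients whose longest consecutive-day run in the top_n is >= min_days."""
    tops = daily_top(text, top_n)
    run, longest, prev = defaultdict(int), defaultdict(int), None
    for day in sorted(tops):
        adjacent = prev is not None and day - prev == timedelta(days=1)
        for client in tops[day]:
            # Extend the run only if the client was also in yesterday's top_n.
            carried = adjacent and client in tops[prev]
            run[client] = run[client] + 1 if carried else 1
            longest[client] = max(longest[client], run[client])
        prev = day
    return {c: n for c, n in longest.items() if n >= min_days}

if __name__ == "__main__":
    print(persistent_top_talkers(SAMPLE))
```

In the constructed sample the two single-day bursts drop out, and only the source that stays in the top list on consecutive days is reported.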