North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: DNS DOS increasing?

  • From: James Smith
  • Date: Tue Jan 22 13:14:05 2002

Title: RE: DNS DOS increasing?

-----Original Message-----
From: E.B. Dreger [mailto:[email protected]]
Sent: Tuesday, January 22, 2002 12:51 AM
To: just me
Cc: Miquel van Smoorenburg; [email protected]
Subject: Re: DNS DOS increasing?

That's not the problem.  It's ill-behaved clients that ignore TTL
and query every 10s no matter what.  See some of James Smith's

Methinks I have been misunderstood or I have obfuscated my own point... The dns server is set to give a 10 second TTL to the dns client. The entry ages out in 10 seconds, so the client (following expected practice) ages the entry out. 15 seconds later, when they click on the next button on the web page (for example), they have to go get the IP again.  This the DOS (DDOS?) like behavior.

Sure the dns client is hammering the dns server, but the server is telling it to by giving out an absurdly short TTL... The server is ASKING FOR IT by setting it's TTL to 10 seconds. The client can't help it, it is just doing what it has been told.

Why It Does It This Way
The mechanism this dns server uses for selecting which IP to respond with is a ping to check upstream connectivity. This box pings constantly, looking for a fail. When link failure is detected, the box starts feeding DNS queries with responses from the other links subnet. The short ttl ensures that dns clients age out the info fast enough to make a near seamless failover to the other link.

Since the box is authoritative for the zone, and has interfaces in more than one subnet or provider, the failure of one link means that the normal dns mechanism of going to the next responsive dns server points users to the remaining good link, and the box obliges by serving out responses that point the client back down the good link.

James H. Smith II  NNCDS NNCSE
Systems Engineer
The Presidio Corporation

I speak for myself, and that gets me into enough trouble.
(back to lurk mode...)