> On 9 Jan 2023, at 15:22, Viktor Dukhovni <[email protected]> wrote:
>
> On Mon, Jan 09, 2023 at 01:55:29PM +0000, Roy Arends wrote:
>
>> I’ve often seen this behaviour.
>>
>> One confirmed explanation was (but there may be more/other) that this
>> is the result of a stateful firewall. While the rules are pushed,
>> traffic through it is buffered until the last rule is pushed, after
>> which the buffer is flushed to world, resulting in a barrage of
>> queries from the resolver behind the firewall. It depends on the
>> resolver what happens with the ID. Some will re-issue the query after
>> no response, some re-issue with new ID.
>
> The repetition of the same DNS query ID and exclusively the same qname
> somewhat argues against the firewall theory, because ~100 instances of
> just retransmissions of the same query from a resolver seems unlikely,
> especially within the time it takes a firewall to reload its ruleset.
This was a confirmed case (the bulk same q-id q-name q-type src-addr thing stood out). Repeatable. It may not be the only explanation, but it is not theory.

It took a few seconds for the specific firewall to reload rules (Checkpoint was the fw in question iirc). The resolver box would receive a dst host/net unreachable from the FW box, which was about 5 ms away, which resulted in the resolver box re-sending the exact same query, and this looped a bit. The FW would buffer the request and upon the “allow 53 UDP” rule loading, a burst of buffered queries were sent (partly towards our DNS servers).

I have no access to the specific details, as I’ve left Nominet. However, colleagues posted a few similar stories about spammy DNS-related behaviour at the time.

ymmv

Roy

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
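A defender-side check for the pattern discussed in this thread (a burst of queries with identical source, query ID, qname and qtype inside a short window, plus the variant where the resolver re-issues with a fresh ID). This is an added example, not code from the thread or from any of its participants; the log format and the sample lines are constructed, and the window and threshold are assumptions.

```python
"""Flag bursts of repeated DNS queries from one source, as described in the
dns-operations thread: same (src, qid, qname, qtype), or same (src, qname,
qtype) when the resolver re-issues with a new ID."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "timestamp src qid qname qtype"
SAMPLE_LOG = """\
2023-01-09T15:20:00.000 192.0.2.10 4242 example.test. A
2023-01-09T15:20:00.050 192.0.2.10 4242 example.test. A
2023-01-09T15:20:00.100 192.0.2.10 4242 example.test. A
2023-01-09T15:20:00.150 192.0.2.10 4242 example.test. A
2023-01-09T15:20:01.000 192.0.2.20 1 www.example.test. AAAA
2023-01-09T15:20:01.200 192.0.2.20 2 www.example.test. AAAA
2023-01-09T15:20:01.400 192.0.2.20 3 www.example.test. AAAA
2023-01-09T15:20:07.000 192.0.2.10 4242 example.test. A
"""

def parse(log):
    """Yield (timestamp, src, qid, qname, qtype) per non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, qid, qname, qtype = line.split()
        yield datetime.fromisoformat(ts), src, int(qid), qname.lower(), qtype

def find_bursts(log, window=timedelta(seconds=5), threshold=3, ignore_id=False):
    """Return {key: max_count} for keys seen >= threshold times within any
    sliding window of the given length (assumed defaults: 5 s, 3 queries).
    key = (src, qid, qname, qtype); with ignore_id=True the ID is dropped so
    resolvers that retry with a fresh ID are caught as well."""
    by_key = defaultdict(list)
    for ts, src, qid, qname, qtype in parse(log):
        key = (src, qname, qtype) if ignore_id else (src, qid, qname, qtype)
        by_key[key].append(ts)
    bursts = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            n = end - start + 1
            if n >= threshold:
                bursts[key] = max(bursts.get(key, 0), n)
    return bursts
```

Run `find_bursts(SAMPLE_LOG)` to see only the same-ID burst from 192.0.2.10; `find_bursts(SAMPLE_LOG, ignore_id=True)` also surfaces the fresh-ID retries from 192.0.2.20.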
