What can cause excessive amount of _dns-sd queries?

Manson, John John.Manson at mail.house.gov
Thu Aug 23 14:22:51 UTC 2012


Good explanation of Service Discovery:
http://www.dns-sd.org/

Also, Bonjour is a big offender:
http://en.wikipedia.org/wiki/Bonjour_%28software%29
A lot of Apple apps use it, like iTunes.

-----Original Message-----
From: bind-users-bounces+john.manson=mail.house.gov at lists.isc.org [mailto:bind-users-bounces+john.manson=mail.house.gov at lists.isc.org] On Behalf Of bind-users-request at lists.isc.org
Sent: Thursday, August 23, 2012 8:00 AM
To: bind-users at lists.isc.org
Subject: bind-users Digest, Vol 1292, Issue 1



Today's Topics:

   1. Question about connections to BIND and tcp 443 (Moore, Mark A.)
   2. Re: Question about connections to BIND and tcp 443 (SM)
   3. Re: Question about connections to BIND and tcp 443 (Adam Tkac)
   4. Re: Question about connections to BIND and tcp 443 (Jan-Piet Mens)
   5. What can cause excessive amount of _dns-sd queries? (Eivind Olsen)
   6. Re: What can cause excessive amount of _dns-sd queries?
      (Torsten Segner)


----------------------------------------------------------------------

Message: 1
Date: Wed, 22 Aug 2012 08:38:18 -0600
From: "Moore, Mark A." <mmoore at osmre.gov>
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Question about connections to BIND and tcp 443
Message-ID:
        <600147D5023CD8459B2A5D2861CCF9EE42C88FBAAB at IESDENREXMB05.eis.doi.net>
Content-Type: text/plain; charset="us-ascii"

Good afternoon. We are currently running BIND on our RHEL 5.x servers and see connection attempts from our internal clients to the BIND on tcp 443. They are currently being blocked from connecting to 443 since these servers are only DNS. Is there any reason for clients to connect to tcp 443 for any type of DNS resolution? Just want to confirm before I dig deeper into this issue.

Thx in advance for any assistance provided.

Mark


------------------------------

Message: 2
Date: Wed, 22 Aug 2012 08:06:15 -0700
From: SM <sm at resistor.net>
To: "Moore, Mark A." <mmoore at osmre.gov>
Cc: bind-users at lists.isc.org
Subject: Re: Question about connections to BIND and tcp 443
Message-ID: <6.2.5.6.2.20120822080430.09244918 at resistor.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 07:38 22-08-2012, Moore, Mark A. wrote:
>from connecting to 443 since these servers are only DNS. Is there
>any reason for clients to connect to tcp 443 for any type of DNS
>resolution? Just want to confirm before I dig deeper into this issue.

No.

Regards,
-sm



------------------------------

Message: 3
Date: Wed, 22 Aug 2012 11:31:51 -0400
From: Adam Tkac <atkac at redhat.com>
To: "Moore, Mark A." <mmoore at osmre.gov>
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: Question about connections to BIND and tcp 443
Message-ID: <20120822153150.GA21165 at redhat.com>
Content-Type: text/plain; charset=us-ascii

On Wed, Aug 22, 2012 at 08:38:18AM -0600, Moore, Mark A. wrote:
> Good afternoon. We are currently running BIND on our RHEL 5.x servers and see connection attempts from our internal clients to the BIND on tcp 443. They are currently being blocked from connecting to 443 since these servers are only DNS. Is there any reason for clients to connect to tcp 443 for any type of DNS resolution? Just want to confirm before I dig deeper into this issue.
>
> Thx in advance for any assistance provided.
>
> Mark

If some of your clients use dnssec-trigger for DNSSEC setup (http://www.nlnetlabs.nl/projects/dnssec-trigger), it can probe your server for "DNS-over-SSL". Check dnssec-trigger overview, section "How does it work" for more details.

Note this doesn't mean you should allow connections to port 443.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.


------------------------------

Message: 4
Date: Wed, 22 Aug 2012 19:27:23 +0200
From: Jan-Piet Mens <jpmens.dns at gmail.com>
To: bind-users at lists.isc.org
Subject: Re: Question about connections to BIND and tcp 443
Message-ID: <20120822172723.GA81184 at jmbp.ww.mens.de>
Content-Type: text/plain; charset=us-ascii

> They are currently being blocked from connecting to 443 since these
> servers are only DNS. Is there any reason for clients to connect to
> tcp 443 for any type of DNS resolution?

Sounds a bit as though your clients think the BIND box is an HTTP origin
server... I'd look into what programs they're running and how those are
configured. Other than that, no: there is no reason for a typical DNS
client to attempt TCP/443 unless your clients are running dnssec-trigger
[1]

        -JP

[1] http://www.nlnetlabs.nl/projects/dnssec-trigger/


------------------------------

Message: 5
Date: Thu, 23 Aug 2012 13:43:32 +0200
From: "Eivind Olsen" <eivind at aminor.no>
To: bind-users at lists.isc.org
Subject: What can cause excessive amount of _dns-sd queries?
Message-ID:
        <f1b6bb7cae5eb19a9c6014f2898661e7.squirrel at webmail.aminor.no>
Content-Type: text/plain;charset=iso-8859-1

Hello.

I haven't seen this before... I'm currently seeing someone (1 IP address)
do about 2.1 million queries / hour where a majority of the queries seem
to be:

b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
talk.l.google.com IN A +
gmail-pop.l.google.com IN A +
gmail-imap.l.google.com IN A +

...and similar variations of these.

Have any of you seen something like this before?

Regards
Eivind Olsen




------------------------------

Message: 6
Date: Thu, 23 Aug 2012 13:58:57 +0200
From: Torsten Segner <torsten at segner.eu>
To: bind-users at lists.isc.org
Subject: Re: What can cause excessive amount of _dns-sd queries?
Message-ID:
        <20120823135857.5f1ccd9b at hp-tsegner.adoffice.local.de.easynet.net>
Content-Type: text/plain; charset=US-ASCII

On Thu, 23 Aug 2012 13:43:32 +0200, "Eivind Olsen" <eivind at aminor.no> wrote:

> Hello.
>
> I haven't seen this before... I'm currently seeing someone (1 IP address)
> do about 2.1 million queries / hour where a majority of the queries seem
> to be:
>
> b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> talk.l.google.com IN A +
> gmail-pop.l.google.com IN A +
> gmail-imap.l.google.com IN A +
>
> ...and similar variations of these.
>
> Have any of you seen something like this before?
>


Hi Eivind,

these seem to be DNS Service Discovery requests and yes, we see loads of them on our servers.


http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt



Ciao
Torsten

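One way to confirm what Eivind is seeing from a BIND query log, as an added example that is not code from anyone in the thread: it recognises the DNS-SD domain-enumeration meta-queries (the b/db/lb/r/dr labels under _dns-sd._udp, as defined in the draft Torsten links) and flags clients whose traffic is dominated by them. The log lines are constructed, and the count and share thresholds are assumed values rather than anything stated in the thread.

```python
import re
from collections import Counter

# Domain-enumeration labels from draft-cheshire-dnsext-dns-sd (the draft Torsten links):
# b = browse, db = default browse, lb = legacy browse, r = register, dr = default register.
DNSSD_RE = re.compile(r"^(b|db|lb|r|dr)\._dns-sd\._udp\.(?P<domain>.+?)\.?$", re.I)

# BIND 9 querylog line; the "(qname)" after the client port exists only in newer releases.
QUERYLOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)

def dnssd_enumeration_domain(name):
    """Return the domain a DNS-SD meta-query enumerates, or None for any other name."""
    m = DNSSD_RE.match(name)
    return m.group("domain").lower() if m else None

def summarize(lines):
    """Per client IP: total queries, DNS-SD meta-queries, and the domains being enumerated."""
    stats = {}
    for line in lines:
        m = QUERYLOG_RE.search(line)
        if not m:
            continue  # not a query-log line (lame-server, security or other messages)
        s = stats.setdefault(m.group("ip"), {"total": 0, "dnssd": 0, "domains": Counter()})
        s["total"] += 1
        domain = dnssd_enumeration_domain(m.group("name"))
        if domain is not None:
            s["dnssd"] += 1
            s["domains"][domain] += 1
    return stats

def flag_clients(stats, min_queries=5, min_share=0.5):
    """Clients with >= min_queries queries of which >= min_share are DNS-SD meta-queries (thresholds assumed)."""
    return sorted(ip for ip, s in stats.items()
                  if s["total"] >= min_queries and s["dnssd"] / s["total"] >= min_share)

def _line(ip, name, rtype):
    """Build one constructed BIND 9.8-style query-log line (sample data, not a real log)."""
    return f"23-Aug-2012 13:40:01.001 client {ip}#51001: query: {name} IN {rtype} + (172.16.0.53)"

SAMPLE_LOG = [_line("172.16.129.23", n, t) for n, t in [
    ("b._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    ("db._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    ("r._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    ("lb._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    ("talk.l.google.com", "A"),
    ("gmail-imap.l.google.com", "A"),
]] + [_line("172.16.130.7", n, "A") for n in ("www.isc.org", "lists.isc.org")]
```

Feeding a real querylog into summarize() and flag_clients() lists the clients to look at, and the per-domain Counter shows which reverse zone or search domain their Bonjour/DNS-SD stack is enumerating.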

------------------------------

End of bind-users Digest, Vol 1292, Issue 1
*******************************************
