What can cause excessive amount of _dns-sd queries?

Dwayne Hottinger dhottinger at harrisonburg.k12.va.us
Thu Aug 23 14:47:01 UTC 2012


Is there some way to alleviate this?

On 8/23/12, Manson, John <John.Manson at mail.house.gov> wrote:
> Good explanation of Service Discovery:
> http://www.dns-sd.org/
>
> Also, Bonjour is a big offender:
> http://en.wikipedia.org/wiki/Bonjour_%28software%29
> A lot of Apple apps use it, like iTunes.
>
> -----Original Message-----
> From: bind-users-bounces+john.manson=mail.house.gov at lists.isc.org
> [mailto:bind-users-bounces+john.manson=mail.house.gov at lists.isc.org] On
> Behalf Of bind-users-request at lists.isc.org
> Sent: Thursday, August 23, 2012 8:00 AM
> To: bind-users at lists.isc.org
> Subject: bind-users Digest, Vol 1292, Issue 1
>
> Today's Topics:
>
>    1. Question about connections to BIND and tcp 443 (Moore, Mark A.)
>    2. Re: Question about connections to BIND and tcp 443 (SM)
>    3. Re: Question about connections to BIND and tcp 443 (Adam Tkac)
>    4. Re: Question about connections to BIND and tcp 443 (Jan-Piet Mens)
>    5. What can cause excessive amount of _dns-sd queries? (Eivind Olsen)
>    6. Re: What can cause excessive amount of _dns-sd queries?
>       (Torsten Segner)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 22 Aug 2012 08:38:18 -0600
> From: "Moore, Mark A." <mmoore at osmre.gov>
> To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: Question about connections to BIND and tcp 443
> Message-ID:
>
> <600147D5023CD8459B2A5D2861CCF9EE42C88FBAAB at IESDENREXMB05.eis.doi.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Good afternoon. We are currently running BIND on our RHEL 5.x servers and
> see connection attempts from our internal clients to the BIND on tcp 443.
> They are currently being blocked from connecting to 443 since these servers
> are only DNS. Is there any reason for clients to connect to tcp 443 for any
> type of DNS resolution? Just want to confirm before I dig deeper into this
> issue.
>
> Thx in advance for any assistance provided.
>
> Mark
>
> ------------------------------
>
> Message: 2
> Date: Wed, 22 Aug 2012 08:06:15 -0700
> From: SM <sm at resistor.net>
> To: "Moore, Mark A." <mmoore at osmre.gov>
> Cc: bind-users at lists.isc.org
> Subject: Re: Question about connections to BIND and tcp 443
> Message-ID: <6.2.5.6.2.20120822080430.09244918 at resistor.net>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> At 07:38 22-08-2012, Moore, Mark A. wrote:
>>from connecting to 443 since these servers are only DNS. Is there
>>any reason for clients to connect to tcp 443 for any type of DNS
>>resolution? Just want to confirm before I dig deeper into this issue.
>
> No.
>
> Regards,
> -sm
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 22 Aug 2012 11:31:51 -0400
> From: Adam Tkac <atkac at redhat.com>
> To: "Moore, Mark A." <mmoore at osmre.gov>
> Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: Re: Question about connections to BIND and tcp 443
> Message-ID: <20120822153150.GA21165 at redhat.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Aug 22, 2012 at 08:38:18AM -0600, Moore, Mark A. wrote:
>> Good afternoon. We are currently running BIND on our RHEL 5.x servers and
>> see connection attempts from our internal clients to the BIND on tcp 443.
>> They are currently being blocked from connecting to 443 since these servers
>> are only DNS. Is there any reason for clients to connect to tcp 443 for
>> any type of DNS resolution? Just want to confirm before I dig deeper into
>> this issue.
>>
>> Thx in advance for any assistance provided.
>>
>> Mark
>
> If some of your clients use dnssec-trigger for DNSSEC setup
> (http://www.nlnetlabs.nl/projects/dnssec-trigger), it can probe your server
> for "DNS-over-SSL". Check dnssec-trigger overview, section "How does it
> work" for more details.
>
> Note this doesn't mean you should allow connections to port 443.
>
> Regards, Adam
>
> --
> Adam Tkac, Red Hat, Inc.
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 22 Aug 2012 19:27:23 +0200
> From: Jan-Piet Mens <jpmens.dns at gmail.com>
> To: bind-users at lists.isc.org
> Subject: Re: Question about connections to BIND and tcp 443
> Message-ID: <20120822172723.GA81184 at jmbp.ww.mens.de>
> Content-Type: text/plain; charset=us-ascii
>
>> They are currently being blocked from connecting to 443 since these
>> servers are only DNS. Is there any reason for clients to connect to
>> tcp 443 for any type of DNS resolution?
>
> Sounds a bit as though your clients think the BIND box is a HTTP origin
> server... I'd look into what programs they're running and how those are
> configured. Other than that, no: there is no reason for a typical DNS
> client to attempt TCP/443 unless your clients are running dnssec-trigger
> [1]
>
>         -JP
>
> [1] http://www.nlnetlabs.nl/projects/dnssec-trigger/
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 23 Aug 2012 13:43:32 +0200
> From: "Eivind Olsen" <eivind at aminor.no>
> To: bind-users at lists.isc.org
> Subject: What can cause excessive amount of _dns-sd queries?
> Message-ID:
>         <f1b6bb7cae5eb19a9c6014f2898661e7.squirrel at webmail.aminor.no>
> Content-Type: text/plain;charset=iso-8859-1
>
> Hello.
>
> I haven't seen this before.. I'm currently seeing someone (1 ip address)
> do about 2.1 million queries / hour where a majority of the queries seem
> to be:
>
> b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> talk.l.google.com IN A +
> gmail-pop.l.google.com IN A +
> gmail-imap.l.google.com IN A +
>
> ...and similar variations of these.
>
> Have any of you seen something like this before?
>
> Regards
> Eivind Olsen
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 23 Aug 2012 13:58:57 +0200
> From: Torsten Segner <torsten at segner.eu>
> To: bind-users at lists.isc.org
> Subject: Re: What can cause excessive amount of _dns-sd queries?
> Message-ID:
>         <20120823135857.5f1ccd9b at hp-tsegner.adoffice.local.de.easynet.net>
> Content-Type: text/plain; charset=US-ASCII
>
> Am Thu, 23 Aug 2012 13:43:32 +0200
> schrieb "Eivind Olsen" <eivind at aminor.no>:
>
>> Hello.
>>
>> I haven't seen this before.. I'm currently seeing someone (1 ip address)
>> do about 2.1 million queries / hour where a majority of the queries seem
>> to be:
>>
>> b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
>> db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
>> r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
>> talk.l.google.com IN A +
>> gmail-pop.l.google.com IN A +
>> gmail-imap.l.google.com IN A +
>>
>> ...and similar variations of these.
>>
>> Have any of you seen something like this before?
>>
>
>
> Hi Eivind,
>
> these seem to be DNS Service Discovery requests and yes, we see loads of
> them on our servers.
>
>
> http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt
>
>
>
> Ciao
> Torsten
>
>
> ------------------------------
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
> End of bind-users Digest, Vol 1292, Issue 1
> *******************************************


-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
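
Added example, not part of the thread and not BIND's own tooling: a Python script that tallies queries per client from query-log lines and flags clients whose traffic is mostly DNS-SD domain-enumeration lookups like the ones Eivind Olsen quotes, decoding the reverse-mapped name back to the network being enumerated. The log line layout, the client addresses and the thresholds are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in BIND 9 querylog style; client addresses are made up,
# the query names are the ones quoted in the thread.
SAMPLE_LOG = """\
23-Aug-2012 13:40:01.101 client 172.16.129.44#50112: query: b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 13:40:01.102 client 172.16.129.44#50113: query: db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 13:40:01.103 client 172.16.129.44#50114: query: r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 13:40:01.104 client 172.16.129.44#50115: query: talk.l.google.com IN A +
23-Aug-2012 13:40:02.200 client 172.16.129.7#40001: query: www.example.com IN A +
"""

LINE_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+.*?: query: (?P<name>\S+) IN (?P<type>\S+)")
# DNS-SD domain-enumeration labels: browse, default browse, registration, default registration, legacy browse.
SD_RE = re.compile(r"^(?P<kind>b|db|r|dr|lb)\._dns-sd\._udp\.(?P<domain>.+)$", re.I)

def reverse_to_network(domain):
    """Turn '0.129.16.172.in-addr.arpa' into '172.16.129.0'; None if not reverse IPv4."""
    d = domain.rstrip(".").lower()
    if not d.endswith(".in-addr.arpa"):
        return None
    octets = d[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))

def summarize(log_text):
    """Per client: total queries, DNS-SD enumeration queries, networks being enumerated."""
    stats = defaultdict(lambda: {"total": 0, "dns_sd": 0, "networks": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line in the assumed layout
        s = stats[m["ip"]]
        s["total"] += 1
        sd = SD_RE.match(m["name"])
        if sd:
            s["dns_sd"] += 1
            s["networks"][reverse_to_network(sd["domain"]) or sd["domain"]] += 1
    return dict(stats)

def noisy_clients(stats, min_queries=3, min_share=0.5):
    """Clients above a query count whose traffic is mostly DNS-SD enumeration."""
    return sorted(ip for ip, s in stats.items()
                  if s["total"] >= min_queries and s["dns_sd"] / s["total"] >= min_share)

if __name__ == "__main__":
    print(noisy_clients(summarize(SAMPLE_LOG)))
```

On a real server the thresholds would be set per reporting interval; the values here are only sized for the five constructed lines.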


