network load problem - please help me solve this mystery

Danny Mayer mayer at gis.net
Mon Nov 25 02:36:57 UTC 2002


At 11:22 PM 11/23/02, Ronald F. Guilmette wrote:


>Greetings,
>
>I run an anti-spam list based on a DNS zone (proxies.relays.monkeys.com)
>that has become rather popular, to say the least.  Lots of sites seem to
>be using it now.
>
>The bad news, for me at least, is that the sum total of all of the
>queries from all of these sites against this zone is now sucking up
>a LOT of my minuscule bandwidth.  I'm not sure, but I think it is
>verging on totally killing my puny little (384/128) DSL line.  I've
>turned on query logging, just briefly, in my name server (recently
>upgraded to bind 8.3.4) and, yes, I'm definitely receiving hundreds
>of queries per second.  In fact, the rate of incoming queries is
>so bad that when my name server is *not* running (e.g. briefly,
>after a recent system reboot) my FreeBSD kernel noted the high rate
>at which my system was returning port/host unreachable ICMP responses...
>over 200 per second... assumed that this was related to some sort of
>DoS attack, and automatically limited the rate of outbound ICMP
>responses.  (Yes, things really _are_ that bad now.)
>
>This serious loading problem is all occurring on ns1.monkeys.com.
>
>Now before anybody tells me to just get some more secondaries for my
>zone(s), please read on...
>
>I already _do_ have a _lot_ of off-site secondaries signed up that are
>already serving up both the proxies.relays.monkeys.com zone *and* the
>base container zone relays.monkeys.com.
>
>Recently, realizing that I was in dire trouble because of all of this
>DNS load, I even took what seemed to me to be the drastic step of
>removing my own server (ns1.monkeys.com) from the list of
>authoritative nameservers for the proxies.relays.monkeys.com zone.  (You
>can check this with dig, to verify that I did it right.)  I did that
>more than 24 hours ago, and I did a name server reload at that time.
>(The TTL on the zone is < 24 hours.)
>
>So now, here is the big mystery:  As of this moment, my server, i.e.
>ns1.monkeys.com, is *still* receiving several hundred queries against
>the proxies.relays.monkeys.com zone PER SECOND.
>
>Simple question:  Why?

Part of the answer is that ns1.monkeys.com is a nameserver for the
monkeys.com domain as well as the relays.monkeys.com domain.
So each time it will come through ns1 to get to the nameservers
listed for the proxies domain. You are not going to get rid of queries
that easily.

Danny


>This makes NO sense to me whatsoever.  Given the set of NS declarations
>I have in place, it seems to me that ns1.monkeys.com should, at present
>be receiving *zero* queries (from the outside anyway) against the
>proxies.relays.monkeys.com zone.  And yet here it is, still receiving
>hundreds of queries per second against that zone.  I confess that I'm
>utterly baffled.
>
>I'm fundamentally fairly ignorant about both DNS and BIND, and I know it,
>so please don't worry about hurting my feelings or anything.  I'm perfectly
>willing to endure slings, arrows, insults, and whatever else anybody
>might like to throw at me so long as I can get to the bottom of this
>baffling problem.  Obviously, there is something fundamental and crucial
>that I'm missing.  I hope that someone will take pity on me and clue me
>in to what it might be.  Like I say, this is really killing the small
>amount of bandwidth I have to play with.



More information about the bind-users mailing list
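
An added example, not part of the original thread or of BIND: one way to measure the load described above is to tally query-log lines for the zone per second and per client, which shows which resolvers are still sending queries to ns1. The log lines are constructed, their layout is an assumed BIND 8 query-log format, and `in_zone` and `summarize` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines. The layout (syslog prefix, then
# "XX+/client/qname/qtype/qclass") is an ASSUMED BIND 8 query-log format.
SAMPLE_LOG = """\
Nov 23 23:22:01 ns1 named[181]: XX+/192.0.2.10/4.3.2.1.proxies.relays.monkeys.com/A/IN
Nov 23 23:22:01 ns1 named[181]: XX+/192.0.2.10/8.7.6.5.proxies.relays.monkeys.com/A/IN
Nov 23 23:22:01 ns1 named[181]: XX /198.51.100.7/1.1.168.192.proxies.relays.monkeys.com/A/IN
Nov 23 23:22:02 ns1 named[181]: XX+/192.0.2.10/9.9.9.9.proxies.relays.monkeys.com/TXT/IN
Nov 23 23:22:02 ns1 named[181]: XX+/203.0.113.5/relays.monkeys.com/NS/IN
Nov 23 23:22:02 ns1 named[181]: XX+/203.0.113.5/x.notproxies.relays.monkeys.com/A/IN
Nov 23 23:22:03 ns1 named[181]: reloading nameserver
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+named\[\d+\]:\s+"
    r"XX[+ ]?/(?P<client>[^/]+)/(?P<qname>[^/]+)/(?P<qtype>[^/]+)(?:/\S+)?$"
)

def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it (label boundary)."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def summarize(log_text, zone):
    """Count queries for `zone` per second and per client address."""
    per_second, per_client, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # not a query line (e.g. a reload notice)
            continue
        if not in_zone(m["qname"], zone):
            continue              # parent zone or a look-alike name
        per_second[m["ts"]] += 1
        per_client[m["client"]] += 1
    return {
        "total": sum(per_client.values()),
        "peak_qps": max(per_second.values(), default=0),
        "top_clients": per_client.most_common(3),
        "skipped": skipped,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "proxies.relays.monkeys.com"))
```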