Vista machines DOSing our bind servers

David Holder david.holder at erion.co.uk
Tue Nov 27 19:25:51 UTC 2007


Hi!

This is not bogus traffic. Vista is attempting to discover local ISATAP 
routers which it can use to route ISATAP IPv6 datagrams. It will look 
for the name isatap in all of the domains in your search list.

You can disable this from the command prompt thus:

netsh interface ipv6 isatap set state state=disabled

If you are not using ISATAP this will not cause you any problems.

Regards,
David
------------------------------------------------------------------------
Dr David Holder CEng FIET MIEEE

Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT

Reception: +44 (0)1422 207000

Direct Dial: +44 (0)131 2026317

Cell: +44 (0) 7768 456831

Registered in England and Wales. Registered Number 3521142
VAT Number: GB 698 3633 78




Fr34k wrote:
> Hello,
>  
> I have been seeing a lot of identical bogus queries from the same clients.
> Looks like we are seeing that isatap traffic, too:
>  
> # snoop -r port 53 | grep isatap
>
> DNS C isatap.Belkin. Internet Addr ?
> DNS C isatap.Belkin. Internet Addr ?
> DNS C isatap.Belkin. Internet Addr ?
> DNS C isatap.Belkin. Internet Addr ?
> DNS C isatap.WorkGroup. Internet Addr ?
> DNS C isatap.WorkGroup. Internet Addr ?
> DNS C isatap.a.domain.suffix.com. Internet Addr ?
> DNS C isatap. Internet Addr ?
> ^C
>
>
> Interesting.
>
> It seems that tuning a few "clients-per-query" options helps to mitigate the flood of identical queries.
> For example,
>  
> clients-per-query 10;        // default is 10
> max-clients-per-query 50;    // default is 100
>
> See the Bv9ARM.pdf at isc.org for more about these options and what may work best for you.
>
> Hope this helps -- Chris
>
>
> ----- Original Message ----
> From: Kirsten Petersen <kirsten.petersen at oregonstate.edu>
> To: bind-users at isc.org
> Sent: Tuesday, November 27, 2007 1:00:00 PM
> Subject: Vista machines DOSing our bind servers
>
> Has anyone else seen this issue where Vista machines slam the name servers 
> with repeated requests for the same lookup?  Yesterday, both of our name 
> servers were taken out of commission by a pair of Vista workstations on 
> our network that were each pushing almost 10Mb in DNS requests.  A tcpdump 
> at the time showed that they were asking repeatedly for the same AAAA 
> record.
>
> This has happened about 4 times to us in the past 3 weeks.  Each time, 
> the machines were asking for different domain names, totally unrelated.
> So, I don't believe there is anything special about the record itself.
> The machines have been scanned for viruses and malware, of course, and 
> came up clean.  The owners of the machines were not even present when the 
> incident occurred.
>
> I have read through this thread on Educause:
> http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind07&L=netman&D=0&T=0&P=27697
>
> From that discussion, it appears the issue is with Vista's implementation 
> of IPv6.  From my discussion with a Microsoft tech yesterday, they are 
> only seeing this in conjunction with Bind.
>
> Personally, I don't see how this could be an issue with Bind, but I 
> thought I would bring the discussion here to see if anyone else has run 
> into this, and find out what they have learned.  We are a bit hamstrung in 
> collecting information on these hosts because they are personally-owned 
> machines in our Residence halls, and getting a hold of the students who 
> own them is not always easy.
>
> Thanks in advance.  My apologies if this has already been discussed.  I 
> didn't find anything in the archives, but I may have just missed it.
>
>
>
> ________________
> Kirsten Petersen
> Network Services * Oregon State University
> http://oregonstate.edu/net * irc.oregonstate.edu #osu-is
> "If you're not learning, you're not living."
>
>
>   
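
One way to see both patterns from this thread in BIND query logs, as an added example that is not part of the list posting: it parses constructed lines in BIND 9 query-log style (the log lines, client addresses and names below are made up), reports identical (client, name, type) queries repeated past a threshold, and separately lists which clients are looking up "isatap" across their search suffixes, the Vista behaviour David describes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in BIND 9 query-log style ("querylog yes;" in named.conf).
# These lines are made up for this example; they are not from the list posting.
SAMPLE_LOG = """\
27-Nov-2007 13:00:00.101 client 10.1.2.3#1031: query: isatap.Belkin IN A +
27-Nov-2007 13:00:00.102 client 10.1.2.3#1031: query: isatap.Belkin IN A +
27-Nov-2007 13:00:00.103 client 10.1.2.3#1031: query: isatap.Belkin IN A +
27-Nov-2007 13:00:00.104 client 10.1.2.3#1031: query: isatap.WorkGroup IN A +
27-Nov-2007 13:00:00.105 client 10.1.2.3#1031: query: isatap.a.domain.suffix.com IN A +
27-Nov-2007 13:00:00.106 client 10.1.2.3#1031: query: isatap IN A +
27-Nov-2007 13:00:01.001 client 10.1.2.9#2048: query: www.example.com IN AAAA +
27-Nov-2007 13:00:01.002 client 10.1.2.9#2048: query: www.example.com IN AAAA +
27-Nov-2007 13:00:01.003 client 10.1.2.9#2048: query: www.example.com IN AAAA +
27-Nov-2007 13:00:01.004 client 10.1.2.9#2048: query: www.example.com IN AAAA +
"""

LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(text):
    """Yield (client_ip, qname, qtype) for each query-log line that parses."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")

def find_repeaters(text, threshold=3):
    """Return {(ip, qname, qtype): count} for identical queries seen >= threshold times."""
    counts = Counter(parse_queries(text))
    return {k: n for k, n in counts.items() if n >= threshold}

def isatap_probers(text):
    """Return {ip: sorted suffixes} for clients asking for 'isatap' in any domain."""
    seen = defaultdict(set)
    for ip, qname, _ in parse_queries(text):
        labels = qname.split(".")
        if labels[0] == "isatap":
            seen[ip].add(".".join(labels[1:]))   # "" means the bare name "isatap"
    return {ip: sorted(s) for ip, s in seen.items()}

if __name__ == "__main__":
    for (ip, qname, qtype), n in find_repeaters(SAMPLE_LOG).items():
        print(f"{n:4d}x  {ip:<12} {qname} {qtype}")
    for ip, suffixes in isatap_probers(SAMPLE_LOG).items():
        print(f"ISATAP probe from {ip}: search suffixes {suffixes}")
```

The ISATAP list tells you which clients will go quiet after the netsh command above; the repeater list catches the same-name floods Kirsten describes regardless of cause.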