slow non-cached queries

Matus UHLAR - fantomas uhlar at fantomas.sk
Sun Sep 11 15:18:07 UTC 2011


>> On 09.09.11 19:31, TMK wrote: >We have find the reason why our 
>network analyzer report that bind is >responding to a.root-server.net 
>in 30 sec.

Oh, does gmail rewrap lines in incoming messages? In the same stupid 
way as Outlook does? Can you please turn it off?

>> does your server respond to a.root-servers.net, or does a.root-servers.net respond to your BIND?

On 09.09.11 22:34, TMK wrote:
>A.root-server.net is a query being sent from some of our clients.

Are they asking for IP Address of A.root-server.net?

>> who is sending those packets? Is that your BIND?

>Like I said it is being sent from some infected customers to our cache dns

If they are sending queries to your DNS cache, they cannot affect 
where it will send further queries.

>> >Just one question why doesn't the bind drop such packets.
>>
>> apparently it does and that's why it's so slow...
>
>No it doesn't, the capture shows it has responded to every packet of
>those, but due to having the same source ports and the identification ID the
>traffic analyzer is unable to correctly link the requests with the replies.

Same source port and identification? Do any answers come back? Could 
you please provide a sample of tcpdump/wireshark logs to show at least 
2-3 outgoing and a few of the incoming packets?

>All those packets are from source port 3037

What is the destination port?
Does your BIND lie behind some proxy, filter or firewall that can 
affect source port?
Or, does your BIND have configured port 3037 for outgoing queries?

Note that BIND versions released in the last 3 years randomize source ports 
unless they are told not to do so (which is a very bad idea, unless 
someone does that for them).


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
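
Added example, not part of the original message and not BIND code: one way to check a capture for the two conditions discussed above, queries that reuse the same source port and DNS ID (so requests cannot be paired with replies) and clients that always send from a single source port. The capture lines are constructed, in `tcpdump -n` text format; the function name and the `min_queries` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed capture in `tcpdump -n` text format; not taken from the thread.
SAMPLE = """\
15:18:07.100 IP 192.0.2.10.3037 > 198.51.100.53.53: 4660+ A? a.root-servers.net. (36)
15:18:07.101 IP 198.51.100.53.53 > 192.0.2.10.3037: 4660 1/0/0 A 198.41.0.4 (52)
15:18:07.300 IP 192.0.2.10.3037 > 198.51.100.53.53: 4660+ A? a.root-servers.net. (36)
15:18:07.301 IP 198.51.100.53.53 > 192.0.2.10.3037: 4660 1/0/0 A 198.41.0.4 (52)
15:18:07.500 IP 192.0.2.10.3037 > 198.51.100.53.53: 4660+ A? a.root-servers.net. (36)
15:18:08.000 IP 192.0.2.20.51234 > 198.51.100.53.53: 1111+ A? example.com. (29)
15:18:08.001 IP 198.51.100.53.53 > 192.0.2.20.51234: 1111 1/0/0 A 203.0.113.7 (45)
15:18:08.200 IP 192.0.2.20.40211 > 198.51.100.53.53: 2222+ A? example.org. (29)
"""

# timestamp IP src.sport > dst.dport: txid[flags] rest
PKT = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)[+%*-]* (.*)$")


def analyze(text, min_queries=3):
    """Pair DNS queries with replies the way a traffic analyzer would."""
    queries, replies = Counter(), Counter()
    ports = defaultdict(Counter)  # client -> source port -> query count
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, sport, dst, dport, txid, rest = m.groups()
        if dport == "53" and "?" in rest:      # client -> resolver
            queries[(src, sport, dst, txid)] += 1
            ports[src][sport] += 1
        elif sport == "53":                    # resolver -> client
            replies[(dst, dport, src, txid)] += 1
    # Same (client, port, resolver, ID) seen more than once: pairing is ambiguous.
    ambiguous = {k: n for k, n in queries.items() if n > 1}
    # Queries with fewer replies than requests under the same key.
    unanswered = {k: n - replies[k] for k, n in queries.items() if n > replies[k]}
    # Clients that sent min_queries or more, all from one source port.
    fixed_port = {c: next(iter(p)) for c, p in ports.items()
                  if len(p) == 1 and sum(p.values()) >= min_queries}
    return {"ambiguous": ambiguous, "unanswered": unanswered, "fixed_port": fixed_port}


if __name__ == "__main__":
    for name, found in analyze(SAMPLE).items():
        print(name, found)
```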


