A lot of queries from a customer.

Fr34k freaknetboy at yahoo.com
Tue Jul 17 14:52:10 UTC 2012


We have been monitoring the same.

Google found an unrelated, yet similar, issue a few years ago:  http://pages.cs.wisc.edu/~plonka/netgear-sntp/#ToC16





>________________________________
> From: Rafael Molina <rafael.molina at interlink.net.ve>
>To: bind-users at lists.isc.org 
>Sent: Thursday, June 28, 2012 8:30 AM
>Subject: A lot of queries from a customer.
> 
>
>> Hi,
>> 
>> Recently, I have been watching on one DNS server a lot of queries from a customer to "time-b.netgear.com" (maybe Netgear's NTP server).
>> 
>> About 1000 queries per minute.
>> 
>> tail -f /var/log/bind9-query.log | grep time-b.netgear.com
>> 
>> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.008 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
>> 
>> tcpdump -i eth0 port 53 and host 186.14.xx.xx
>> 
>> 12:54:28.375374 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? time-b.netgear.com. (36)
>> 12:54:28.375479 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? time-b.netgear.com. (36)
>> 12:54:28.375507 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? time-b.netgear.com. (36)
>> 12:54:28.375553 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? time-b.netgear.com. (36)
>> 12:54:28.375638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A? time-b.netgear.com. (36)
>> 12:54:28.376424 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.376525 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.376807 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.376845 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.376906 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.381638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A? time-b.netgear.com. (36)
>> 12:54:28.381693 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 62683+ A? time-b.netgear.com. (36)
>> 12:54:28.381745 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 50898+ A? time-b.netgear.com. (36)
>> 12:54:28.381869 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.382011 IP inter.net.ve.domain > 186.14.xx.xx.32770: 62683 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.382058 IP inter.net.ve.domain > 186.14.xx.xx.32770: 50898 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 
>> I can't find a way to limit the queries per minute from this customer.
>> Is it possible in Bind9 to filter these queries, to limit the responses?
>> 
>> Thanks in advance,
>> 
>> Below, I've attached my configuration
>> 
>> OS: ubuntu 11.10
>> Bind: 9.7.3.dfsg-1ubuntu4.1
>> 
>> named.conf.options
>> 
>> allow-recursion { corp; };
>> allow-query-cache { corp; };
>> 
>> corp : clients.
>> 
>> allow-query { any; };
>>         clients-per-query 10 ;
>>         max-clients-per-query 20 ;
>>         blackhole { bogusnets; };
>>         version "I hope this is a joke !";
>>         edns-udp-size 512;
>>         max-udp-size 512;
>>         recursive-clients 1000;
>>   max-cache-size 500M;
>>         tcp-clients 500;
>>         max-cache-ttl 43200; # 12 Hours
>>         max-ncache-ttl 900; # 15 min
>> 
>> Regards,
>> 
>> Sincerely,
>> Rafael J. Molina Q.
>> www.inter.com.ve
>> 
>> 
>
>
>
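Added example, not part of the original thread: a small Python script that reads query-log lines in the format quoted above and reports every (client, name, type) combination that reaches a per-minute threshold, which quantifies a flood like the one described before deciding how to filter it. The sample lines, the documentation-range addresses and the threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the BIND 9 query-log format quoted in the thread, e.g.
# "21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<ip>[^#\s]+)#\d+: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (minute, client, qname, qtype), or None for a non-query line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Assumes English month abbreviations, as in the quoted log.
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return ts.replace(second=0), m["ip"], m["qname"].lower().rstrip("."), m["qtype"]

def noisy_clients(lines, threshold):
    """Count queries per (minute, client, qname, qtype); return buckets >= threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec] += 1
    hits = [key + (n,) for key, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: h[4], reverse=True)

# Constructed sample: one client repeating the same query, one normal client,
# and one line that is not a query record.
SAMPLE = [
    f"21-Jun-2012 12:50:53.{ms:03d} client 192.0.2.10#32770: "
    "query: time-b.netgear.com IN A + (10.1.0.1)"
    for ms in (3, 3, 3, 8, 9, 9, 15, 15, 15)
] + [
    "21-Jun-2012 12:50:54.120 client 198.51.100.7#40211: query: www.example.com IN A + (10.1.0.1)",
    "21-Jun-2012 12:51:01.004 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)",
    "not a query line",
]

if __name__ == "__main__":
    for minute, ip, qname, qtype, n in noisy_clients(SAMPLE, threshold=5):
        print(f"{minute:%Y-%m-%d %H:%M} {ip} {qname} {qtype}: {n} queries")
```

To run it over a real log, pass the open file object as `lines` and set `threshold` to a rate that normal clients never reach.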