On 26. Mar 2004, at 19:25 Uhr, Wescott, David H wrote:
>> Clarified Post:
>> Just to clarify, this is not normal DNS traffic. Consider that the rate is 1000+ frames per second, and that this traffic is going to all configured DNS servers simultaneously.
>> In addition, these are not the expected DNS queries carried by UDP. These are TCP SYN frames to port 53.
>> When the DNS server responds with a SYN ACK, the Ethereal client aborts the connection with a TCP RESET.
>> This traffic is continuous until Ethereal is aborted, and no DNS information is gained, since all these port 53 connection attempts are unsuccessful.
>> In one case, an impacted user left their machine running in this state for 3 hours and this high rate of DNS traffic was constant for the entire time.
>> We have observed that this condition occurs during display and not capture, and that it will push the client CPU to 100%.
>> We believe that this is some type of bug, and not normal DNS traffic. This condition only occurs when Ethereal is used, and of course only if DNS lookups are enabled.
>> However, we would like to get this corrected, so that DNS lookups can be used.
FYI:
The DNS header has a flags field with a TC bit that indicates that the data is truncated, which happens when a DNS UDP reply packet exceeds 512 bytes.
When the resolver receives a response to a query with the TC bit set, it issues the same query again using TCP. This allows more than 512 bytes to be returned because TCP can send data in segments...
Zone transfers are also done using TCP because of the large transfers.
So it's not the DNS TCP SYNs to nameserver:53 that worry me; rather:
>> Consider that the rate is 1000+ frames per second, and that this traffic is going to all configured DNS servers simultaneously.
Looks like poor man's version of a denial of service hack to me...
Rgrds
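The pattern described in this thread (TCP SYNs to port 53 that are reset by the client as soon as the SYN/ACK arrives, at 1000+ per second, against every configured resolver) is easy to tell apart from a legitimate TCP retry after a truncated UDP reply, because the legitimate case completes the handshake and sends a query. The following is an added example, not code from the thread or from Ethereal, that flags clients showing the aborted-SYN storm in a constructed packet summary; the resolver addresses, client addresses and thresholds are assumptions.

```python
from collections import defaultdict

def constructed_trace():
    """Constructed packet summaries: (time_s, src, dst, dst_port, tcp_flags)."""
    pkts = []
    resolvers = ["192.0.2.53", "192.0.2.54"]     # assumed configured DNS servers
    for i in range(300):                          # one attempt per ms = ~1000/s
        t, srv = i * 0.001, resolvers[i % 2]
        pkts.append((t, "10.0.0.5", srv, 53, "S"))               # client SYN
        pkts.append((t + 0.0001, srv, "10.0.0.5", 40000 + i, "SA"))  # server SYN/ACK
        pkts.append((t + 0.0002, "10.0.0.5", srv, 53, "R"))      # client RST, no data
    # A legitimate TCP retry after a TC=1 UDP answer: handshake completes, query is sent.
    pkts += [(5.000, "10.0.0.9", "192.0.2.53", 53, "S"),
             (5.001, "192.0.2.53", "10.0.0.9", 41000, "SA"),
             (5.002, "10.0.0.9", "192.0.2.53", 53, "A"),
             (5.003, "10.0.0.9", "192.0.2.53", 53, "PA"),
             (5.010, "10.0.0.9", "192.0.2.53", 53, "FA")]
    return pkts

def find_dns_syn_storms(pkts, min_rate=100.0, min_servers=2):
    """Flag clients whose SYNs to :53 are nearly all followed by a client RST,
    never carry a payload, hit several servers, and exceed min_rate SYNs/s."""
    st = defaultdict(lambda: {"syn": 0, "rst": 0, "data": 0,
                              "servers": set(), "first": None, "last": None})
    for t, src, dst, dport, flags in sorted(pkts):
        if dport != 53:                 # only client -> resolver:53 direction
            continue
        s = st[src]
        s["servers"].add(dst)
        s["first"] = t if s["first"] is None else s["first"]
        s["last"] = t
        if flags == "S":
            s["syn"] += 1
        elif flags == "R":
            s["rst"] += 1
        elif "P" in flags:              # PSH set: the client actually sent a query
            s["data"] += 1
    out = {}
    for client, s in st.items():
        span = max(s["last"] - s["first"], 1e-3)
        rate = s["syn"] / span
        aborted = s["rst"] >= 0.9 * s["syn"] and s["data"] == 0
        if aborted and rate >= min_rate and len(s["servers"]) >= min_servers:
            out[client] = {"syn_per_sec": round(rate), "servers": sorted(s["servers"])}
    return out
```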