
What can cause excessive amount of _dns-sd queries?


Eivind Olsen

Aug 23, 2012, 7:43:32 AM
to bind-...@lists.isc.org
Hello.

I haven't seen this before.. I'm currently seeing someone (1 ip address)
do about 2.1 million queries / hour where a majority of the queries seem
to be:

b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
talk.l.google.com IN A +
gmail-pop.l.google.com IN A +
gmail-imap.l.google.com IN A +

...and similar variations of these.

Have any of you seen something like this before?

Regards
Eivind Olsen
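To see how the pattern in the post above can be picked out of a resolver's own logs, here is an added example (not code from the thread or from ISC): a small Python script that parses BIND-style query log lines, counts `<label>._dns-sd._udp.<domain>` DNS Service Discovery browse queries per client, and flags clients whose traffic is dominated by them. It assumes the BIND 9 querylog line shape `client A.B.C.D#port: query: NAME IN TYPE +`; the sample lines, client addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in BIND 9 querylog style (assumed format, not copied from the thread).
# One client repeats the DNS-SD browse-domain lookups for its own reverse zone;
# a second client is mostly ordinary traffic.
SAMPLE_LOG = """\
23-Aug-2012 13:40:01.101 client 172.16.129.55#49152: query: b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 13:40:01.102 client 172.16.129.55#49153: query: db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 13:40:01.103 client 172.16.129.55#49154: query: r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 13:40:01.104 client 172.16.129.55#49155: query: dr._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 13:40:01.105 client 172.16.129.55#49156: query: lb._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 13:40:01.200 client 172.16.129.55#49157: query: talk.l.google.com IN A +
23-Aug-2012 13:40:02.000 client 172.16.7.9#53011: query: www.example.com IN A +
23-Aug-2012 13:40:02.500 client 172.16.7.9#53012: query: b._dns-sd._udp.example.com IN PTR +
"""

# Assumed querylog layout: "client <addr>#<port>: query: <name> IN <type> <flags>"
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)
# DNS-SD browse/registration domain lookups: "<label>._dns-sd._udp.<domain>"
DNSSD_RE = re.compile(r"^[^.]+\._dns-sd\._udp\.", re.IGNORECASE)


def parse_queries(log_text):
    """Yield (client, name, qtype) for each log line that looks like a query record."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("name").rstrip("."), m.group("type")


def is_dnssd_browse(name):
    """True when the name is a DNS-SD browse/registration domain lookup."""
    return DNSSD_RE.match(name) is not None


def summarize(log_text):
    """Per-client counts: all queries, DNS-SD lookups, DNS-SD lookups under in-addr.arpa,
    and the set of domains the client is trying to browse."""
    totals, dnssd, reverse_dnssd = Counter(), Counter(), Counter()
    domains = defaultdict(set)
    for client, name, _qtype in parse_queries(log_text):
        totals[client] += 1
        if is_dnssd_browse(name):
            dnssd[client] += 1
            # Everything after the "_dns-sd._udp." label is the domain being browsed.
            domain = name.split("._dns-sd._udp.", 1)[1]
            domains[client].add(domain)
            if domain.lower().endswith(".in-addr.arpa"):
                reverse_dnssd[client] += 1
    return {
        c: {
            "total": totals[c],
            "dnssd": dnssd[c],
            "reverse_dnssd": reverse_dnssd[c],
            "domains": sorted(domains[c]),
        }
        for c in totals
    }


def noisy_clients(log_text, min_dnssd=5, min_share=0.5):
    """Clients whose DNS-SD lookups exceed an absolute count and a share of their own traffic.
    Thresholds are constructed for the sample; tune them to the real query rate."""
    hits = []
    for client, s in summarize(log_text).items():
        if s["dnssd"] >= min_dnssd and s["dnssd"] / s["total"] >= min_share:
            hits.append(client)
    return sorted(hits)


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        print(client, s)
    print("noisy:", noisy_clients(SAMPLE_LOG))
```

Run it against a real `querylog` extract by replacing `SAMPLE_LOG` with the file contents; the per-client `domains` set tells you which network the client believes it is on, which is usually enough to identify the offending host or subnet before contacting its owner.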


Torsten Segner

Aug 23, 2012, 7:58:57 AM
to bind-...@lists.isc.org
On Thu, 23 Aug 2012 13:43:32 +0200,
"Eivind Olsen" <eiv...@aminor.no> wrote:
Hi Eivind,

these seem to be DNS Service Discovery requests and yes, we see loads of them on our servers.


http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt



Ciao
Torsten

Eivind Olsen

Aug 23, 2012, 9:18:06 AM
to bind-...@lists.isc.org
Torsten Segner wrote:

> these seem to be DNS Service Discovery requests and yes, we see loads of
> them on our servers.

Yeah, now I'm just wondering which OS / application / malware / whatever
could be responsible for this :)

(no, the client isn't directly under my control, it belongs to some customer)

Regards
Eivind Olsen


WBr...@e1b.org

Aug 23, 2012, 10:04:32 AM
to Eivind Olsen, bind-users-bounc...@lists.isc.org, bind-...@lists.isc.org
Eivind wrote on 08/23/2012 09:18:06 AM:

> Yeah, now I'm just wondering which OS / application / malware / whatever
> could be responsible for this :)

Someone trying to use ZeroConf: http://zeroconf.org. I believe Macs come
configured to use it by default; Linux and Windows can be configured to
use it.

> (no, the client isn't directly under my control, it belongs to some
> customer)

Good luck with that!




Lightner, Jeff

Aug 23, 2012, 10:08:55 AM
to WBr...@e1b.org, Eivind Olsen, bind-users-bounc...@lists.isc.org, bind-...@lists.isc.org
Maybe blocking access by that IP will force the customer's tech folks to contact you?

Manson, John

Aug 23, 2012, 10:22:51 AM
to bind-...@lists.isc.org
Good explanation of Service Discovery:
http://www.dns-sd.org/

Also, Bonjour is a big offender:
http://en.wikipedia.org/wiki/Bonjour_%28software%29
A lot of Apple apps use it like itunes.

-----Original Message-----
Subject: bind-users Digest, Vol 1292, Issue 1

Message: 1
Date: Wed, 22 Aug 2012 08:38:18 -0600
From: "Moore, Mark A." <mmo...@osmre.gov>
To: "bind-...@lists.isc.org" <bind-...@lists.isc.org>
Subject: Question about connections to BIND and tcp 443
Message-ID:
<600147D5023CD8459B2A5...@IESDENREXMB05.eis.doi.net>
Content-Type: text/plain; charset="us-ascii"

Good afternoon. We are currently running BIND on our RHEL 5.x servers and see connection attempts from our internal clients to the BIND on tcp 443. They are currently being blocked from connecting to 443 since these servers are only DNS. Is there any reason for clients to connect to tcp 443 for any type of DNS resolution? Just want to confirm before I dig deeper into this issue.

Thx in advance for any assistance provided.

Mark


------------------------------

Message: 2
Date: Wed, 22 Aug 2012 08:06:15 -0700
From: SM <s...@resistor.net>
To: "Moore, Mark A." <mmo...@osmre.gov>
Cc: bind-...@lists.isc.org
Subject: Re: Question about connections to BIND and tcp 443
Message-ID: <6.2.5.6.2.201208...@resistor.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 07:38 22-08-2012, Moore, Mark A. wrote:
>from connecting to 443 since these servers are only DNS. Is there
>any reason for clients to connect to tcp 443 for any type of DNS
>resolution? Just want to confirm before I dig deeper into this issue.

No.

Regards,
-sm



------------------------------

Message: 3
Date: Wed, 22 Aug 2012 11:31:51 -0400
From: Adam Tkac <at...@redhat.com>
To: "Moore, Mark A." <mmo...@osmre.gov>
Cc: "bind-...@lists.isc.org" <bind-...@lists.isc.org>
Subject: Re: Question about connections to BIND and tcp 443
Message-ID: <20120822153...@redhat.com>
Content-Type: text/plain; charset=us-ascii

On Wed, Aug 22, 2012 at 08:38:18AM -0600, Moore, Mark A. wrote:
> Good afternoon. We are currently running BIND on our RHEL 5.x servers and see connection attempts from our internal clients to the BIND on tcp 443. They are currently being blocked from connecting to 443 since these servers are only DNS. Is there any reason for clients to connect to tcp 443 for any type of DNS resolution? Just want to confirm before I dig deeper into this issue.
>
> Thx in advance for any assistance provided.
>
> Mark

If some of your clients use dnssec-trigger for DNSSEC setup (http://www.nlnetlabs.nl/projects/dnssec-trigger), it can probe your server for "DNS-over-SSL". Check dnssec-trigger overview, section "How does it work" for more details.

Note this doesn't mean you should allow connections to port 443.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.


------------------------------

Message: 4
Date: Wed, 22 Aug 2012 19:27:23 +0200
From: Jan-Piet Mens <jpmen...@gmail.com>
To: bind-...@lists.isc.org
Subject: Re: Question about connections to BIND and tcp 443
Message-ID: <20120822172...@jmbp.ww.mens.de>
Content-Type: text/plain; charset=us-ascii

> They are currently being blocked from connecting to 443 since these
> servers are only DNS. Is there any reason for clients to connect to
> tcp 443 for any type of DNS resolution?

Sounds a bit as though your clients think the BIND box is a HTTP origin
server... I'd look into what programs they're running and how those are
configured. Other than that, no: there is no reason for a typical DNS
client to attempt TCP/443 unless your clients are running dnssec-trigger
[1]

-JP

[1] http://www.nlnetlabs.nl/projects/dnssec-trigger/


------------------------------


Dwayne Hottinger

Aug 23, 2012, 10:47:01 AM
to Manson, John, bind-...@lists.isc.org
Is there some way to alleviate this?
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

Manson, John

Aug 23, 2012, 11:34:00 AM
to bind-...@lists.isc.org

In our case, 90% of the dns-sd queries were for the 192.168 network.
These are from 1 client:
DNS C db._dns-sd._udp.0.158.168.192.in-addr.arpa. Internet PTR ?
DNS C dr._dns-sd._udp.0.158.168.192.in-addr.arpa. Internet PTR ?
DNS C lb._dns-sd._udp.0.158.168.192.in-addr.arpa. Internet PTR ?
DNS C cf._dns-sd._udp.0.158.168.192.in-addr.arpa. Internet TXT ?
DNS C b._dns-sd._udp.0.9.168.192.in-addr.arpa. Internet PTR ?
(IPs redacted to protect the innocent)
Notice the 5 different queries in quick succession. This is typical.

We tried 2 approaches.

In named.conf, we created a zone def for 168.192.in-addr.arpa as a master using the db file db.bogus, which contains the SOA and NS info only.
This config caused the DNS server to return Name Error, which encouraged the clients to try more frequently.

The second approach was to change the zone def from master to forward and forward only, with the forwarder IP of, in our case, 2.2.2.2.
We added this IP to the blackhole statement in the options section.
Now the DNS server returns Server Fail and the client backs off for a while before trying again.
This configuration does not stop them but does slow them down quite a bit.

Have not tried this on an appliance.

JM
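The two configurations described in the post above, written out as named.conf fragments. This is an added example, not John's actual configuration: the zone name, the db.bogus file name and the 2.2.2.2 forwarder address are the values he gives; the surrounding layout, comments and the placeholder for the rest of the options block are assumed.

```conf
// Approach 1: answer the RFC 1918 reverse zone locally from a file holding only
// SOA and NS records. Every <label>._dns-sd._udp.X.Y.168.192.in-addr.arpa lookup
// then gets NXDOMAIN (Name Error). As observed in the post, clients treat that
// as a quick negative answer and retry sooner.
zone "168.192.in-addr.arpa" {
    type master;
    file "db.bogus";   // SOA + NS only, per the post
};

// Approach 2: forward the same zone, forward-only, to an address that named is
// also told to blackhole. named cannot use 2.2.2.2 to resolve anything, so the
// forward fails and the client receives SERVFAIL and backs off for a while.
options {
    // ... existing options unchanged (assumed) ...
    blackhole { 2.2.2.2; };   // the forwarder address from the post
};

zone "168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 2.2.2.2; };
};
```

Two caveats a practitioner would want before copying this. First, `blackhole` addresses are ones named will neither accept queries from nor send queries to, which is exactly what makes the forward fail here, but it also means choosing an address that no legitimate client or upstream of this server uses. Second, either zone definition takes the whole 192.168/16 reverse tree away from normal resolution on that server, so it only fits a resolver that is not expected to answer real PTR lookups for that range; note that BIND 9 already serves the RFC 1918 reverse zones as built-in empty zones (returning NXDOMAIN) by default, which is the same outcome as approach 1.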

Matus UHLAR - fantomas

Sep 17, 2012, 10:49:50 AM
to bind-...@lists.isc.org
On 23.08.12 13:43, Eivind Olsen wrote:
>I haven't seen this before.. I'm currently seeing someone (1 ip address)
>do about 2.1 million queries / hour where a majority of the queries seem
>to be:
>
>b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
>db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
>r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
>talk.l.google.com IN A +
>gmail-pop.l.google.com IN A +
>gmail-imap.l.google.com IN A +
>
>...and similar variations of these.
>
>Have any of you seen something like this before?

I have... a customer was complaining about its clients not being able to get to
sites like facebook, youtube, apple store etc. I don't work for the company
anymore so I have no idea if they have fixed it (the only way I could think
of was to change the company's DNS architecture):

https://lists.isc.org/pipermail/bind-users/2012-April/087314.html

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.