DNS query saturating T1

Max Kipness max at assuredata.com
Fri Oct 16 19:41:38 IST 2009


This is the strangest thing I've ever seen and just wondering if anyone
has seen this before.

I'm using MailScanner (was the latest 3 months ago) on Fedora 11 using
DNS locally for queries to speed up resolution. The last few weeks, our
T1 has gone down several times and the provider reported that traffic
from inside was causing saturation. They really couldn't, or didn't want
to tell us what system or what port. So I narrowed it down to the
MailScanner server. When the problem would occur you could see the light
blinking or almost solid on the switch port. We simply disconnected it and
everything was fine. So I started looking at possible overload of spam,
or virus/Trojan on the server, etc. Nothing in the logs looked unusual,
so we would plug it back in and everything would be fine for a few days.
Then it would happen again. So I installed iptraf, put it in logging
mode and left it there. Well it happened yesterday again, and after
looking over the logs, it appears like the following log entry is the
problem:

Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57541 to 74.66.226.117:53

There are just millions of these. In VIM you have to hit Ctrl-F for a
while just to get to the next second!

Do you think I have buggy DNS? Doesn't seem like this would be some type
of malicious software doing this, as what would be the point? Any other
guesses?

I guess I could simply turn off the DNS client locally? I'm not positive
if this is the only IP it hits, so I don't know that blocking the IP
outbound would make a difference.

Thanks for any suggestions you can offer.

Max
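As an added example (not from the original post and not part of MailScanner or iptraf), the following Python script parses iptraf log lines in the format quoted above and flags any second in which one source host sends more than a threshold of UDP/53 packets to a single resolver, which is the pattern that pointed at the saturation here. It assumes iptraf writes one packet per line; the sample log is constructed, not a real capture.

```python
import re
from collections import Counter

# Assumed iptraf log format, one packet per line, as quoted in the post:
#   Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57541 to 74.66.226.117:53
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}); (?P<proto>\w+); (?P<iface>\S+); "
    r"(?P<bytes>\d+) bytes; from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one iptraf line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("bytes", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def dns_query_rates(lines):
    """Count outbound UDP/53 packets per (second, source host, resolver)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != 53:
            continue
        counts[(rec["ts"], rec["src"], rec["dst"])] += 1
    return counts


def flag_saturation(lines, threshold=100):
    """Return (second, source, resolver, count) for every second above the per-resolver threshold."""
    return sorted((ts, src, dst, n) for (ts, src, dst), n in dns_query_rates(lines).items() if n > threshold)


def _constructed_sample():
    # Constructed sample: a 150-packet burst in one second from the MailScanner host
    # to the resolver named in the post, then a few ordinary packets and a junk line.
    burst = [f"Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.168.0.211:{50000 + i} to 74.66.226.117:53"
             for i in range(150)]
    normal = [
        "Thu Oct 15 12:00:07 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57542 to 74.66.226.117:53",
        "Thu Oct 15 12:00:07 2009; TCP; eth0; 60 bytes; from 192.168.0.211:40001 to 192.168.0.5:25",
        "Thu Oct 15 12:00:07 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57543 to 192.168.0.1:53",
        "this line is not an iptraf record and is skipped",
    ]
    return burst + normal


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for ts, src, dst, n in flag_saturation(SAMPLE_LOG):
        print(f"{ts}: {src} sent {n} UDP/53 packets to {dst}")
```

Run it against a real iptraf log with `flag_saturation(open("/var/log/iptraf/ip_traffic.log"))`, adjusting the path to wherever iptraf was told to write; a resolver under normal mail load should never approach hundreds of queries per second from one host.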

