DNS query saturating T1

Gottschalk, David dgottsc at emory.edu
Fri Oct 16 19:47:07 IST 2009


Is your local caching DNS server also being used by clients on the local network, or just the MailScanner server?

David Gottschalk
Emory University
UTS Messaging Team

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Max Kipness
Sent: Friday, October 16, 2009 2:42 PM
To: MailScanner discussion
Subject: DNS query saturating T1

This is the strangest thing I've ever seen and just wondering if anyone
has seen this before.

I'm using MailScanner (was the latest 3 months ago) on Fedora 11 using
DNS locally for queries to speed up resolution. The last few weeks, our
T1 has gone down several times and the provider reported that traffic
from inside was causing saturation. They really couldn't, or didn't want
to tell us what system or what port. So I narrowed it down to the
MailScanner server. When the problem would occur you could see the light
blinking or almost solid on the switch port. We simply disconnected and
everything was fine. So I started looking at possible overload of spam,
or virus/Trojan on the server, etc. Nothing on the logs looked unusual,
so we would plug it back and everything would be fine for a few days.
Then it would happen again. So I installed iptraf, and put it in logging
mode and left it there. Well it happened yesterday again, and after
looking over the logs, it appears like the following log entry is the
problem:

Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57541
to 74.66.226.117:53

There are just millions of these. In VIM you have to hit Ctrl-F for a
while just to get to the next second!

Do you think I have buggy DNS? Doesn't seem like this would be some type
of malicious software doing this, as what would be the point? Any other
guesses?

I guess I could simply turn off the DNS client locally? I'm not positive
if this is the only IP it hits, so I don't know that blocking the IP
outbound would make a difference.

Thanks for any suggestions you can offer.

Max
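
One way to turn an iptraf log like the entry quoted above into per-second DNS query counts per source and destination, so a flood toward a single resolver stands out (an added example, not part of the original thread). It assumes each entry sits on one line in the log file; the threshold and the sample addresses are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the iptraf entry quoted in the post (assumed to be one line in the file).
ENTRY = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}); UDP; (?P<iface>\S+); "
    r"(?P<size>\d+) bytes; from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):53\b"
)

def dns_flood_seconds(lines, max_qps=100):
    """Return [(second, src, dst, packets, bytes)] for every second in which
    one source sent more than max_qps UDP/53 packets to one destination."""
    counts, volume = Counter(), Counter()
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a UDP entry, or not addressed to port 53
        second = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        key = (second, m["src"], m["dst"])
        counts[key] += 1
        volume[key] += int(m["size"])
    return sorted((ts, src, dst, n, volume[(ts, src, dst)])
                  for (ts, src, dst), n in counts.items() if n > max_qps)

# Constructed sample: 150 queries in one second to a single server, plus
# one ordinary DNS query and one NTP packet that must not be flagged.
SAMPLE = [
    "Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; "
    "from 192.0.2.10:%d to 198.51.100.53:53" % (40000 + i)
    for i in range(150)
] + [
    "Thu Oct 15 12:00:06 2009; UDP; eth0; 60 bytes; "
    "from 192.0.2.10:41000 to 203.0.113.5:53",
    "Thu Oct 15 12:00:07 2009; UDP; eth0; 76 bytes; "
    "from 192.0.2.10:123 to 203.0.113.9:123",
]

if __name__ == "__main__":
    for ts, src, dst, n, size in dns_flood_seconds(SAMPLE):
        # bytes * 8 gives bits sent in that second, comparable to link capacity
        print(f"{ts} {src} -> {dst}: {n} queries, {size * 8} bit/s")
```

Knowing which destination and which second the burst hits narrows the search to the process on the server that is issuing those queries.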