DNS query saturating T1
dgottsc at emory.edu
Fri Oct 16 19:47:07 IST 2009
Is your local caching DNS server also being used by clients on the local network, or just the MailScanner server?
UTS Messaging Team
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Max Kipness
Sent: Friday, October 16, 2009 2:42 PM
To: MailScanner discussion
Subject: DNS query saturating T1
This is the strangest thing I've ever seen and just wondering if anyone
has seen this before.
I'm using MailScanner (was the latest 3 months ago) on Fedora 11 using
DNS locally for queries to speed up resolution. The last few weeks, our
T1 has gone down several times and the provider reported that traffic
from inside was causing saturation. They really couldn't, or didn't want
to tell us what system or what port. So I narrowed it down to the
MailScanner server. When the problem would occur you could see the light
blinking or almost solid on the switch port. We simply disconnected and
everything was fine. So I started looking at possible overload of spam,
or virus/Trojan on the server, etc. Nothing on the logs looked unusual,
so we would plug it back and everything would be fine for a few days.
Then it would happen again. So I installed iptraf, and put it in logging
mode and left it there. Well it happened yesterday again, and after
looking over the logs, it appears like the following log entry is the
Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57541
There are just millions of these. In VIM you have to hit Ctrl-F for a
while just to get to the next second!
Do you think I have buggy DNS? Doesn't seem like this would be some type
of malicious software doing this, as what would be the point? Any other
I guess I could simply turn off the DNS client locally? I'm not positive
if this is the only IP it hits, so I don't know that blocking the IP
outbound would make a difference.
Thanks for any suggestions you can offer.
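
An added example, not part of the original thread: one way to reduce an iptraf log like the one described above to per-second packet rates per source and destination, so the flooding flow and its target stand out without paging through the file. The " to host:port" tail of each line, the threshold, and every address other than 192.168.0.211 are assumptions; the sample log is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Layout follows the iptraf line quoted in the post. The " to host:port" tail
# is an assumption: the quoted line is cut off after the source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}); (?P<proto>\w+); "
    r"(?P<iface>\S+); (?P<size>\d+) bytes; "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?: to (?P<dst>[\d.]+):(?P<dport>\d+))?"
)

def parse(line):
    """Return (timestamp, proto, src_ip, (dst_ip, dst_port) or None, size)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # other record types or damaged lines
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    dst = (m["dst"], int(m["dport"])) if m["dst"] else None
    return ts, m["proto"], m["src"], dst, int(m["size"])

def noisy_flows(lines, pps_threshold):
    """Map (src_ip, dst) -> peak UDP packets/second, for flows at or above
    pps_threshold. Source ports are ignored because a resolver changes them."""
    per_second = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec[1] == "UDP":
            ts, _, src, dst, _ = rec
            per_second[(src, dst, ts)] += 1
    peaks = {}
    for (src, dst, _), count in per_second.items():
        if count >= pps_threshold:
            peaks[(src, dst)] = max(count, peaks.get((src, dst), 0))
    return peaks

# Constructed sample log: 192.0.2.53 and 192.168.0.10 are placeholder hosts.
PREFIX = "Thu Oct 15 12:00:0%d 2009; UDP; eth0; 43 bytes; from 192.168.0.211:%d"
SAMPLE = (
    [PREFIX % (6, 57541 + i) + " to 192.0.2.53:53" for i in range(400)]
    + [PREFIX % (7, 40000 + i) + " to 192.0.2.53:53" for i in range(250)]
    + ["Thu Oct 15 12:00:06 2009; UDP; eth0; 71 bytes; "
       "from 192.168.0.10:5353 to 192.0.2.53:53"] * 3
    + ["not a packet record"]  # non-matching line is skipped
)

if __name__ == "__main__":
    for (src, dst), peak in noisy_flows(SAMPLE, 100).items():
        print(f"{src} -> {dst}: peak {peak} packets/second")
```

Grouping by destination as well as source answers the open question in the post of whether the traffic goes to a single IP.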