DNS query saturating T1

Charles Lacroix clacroix at cegep-ste-foy.qc.ca
Fri Oct 16 19:59:47 IST 2009


How many RBLs are you checking?
And are you checking them with your MTA and MailScanner?

Is your caching nameserver actually caching?


Max Kipness wrote:
> This is the strangest thing I've ever seen and just wondering if anyone
> has seen this before.
>
> I'm using MailScanner (was the latest 3 months ago) on Fedora 11 using
> DNS locally for queries to speed up resolution. The last few weeks, our
> T1 has gone down several times and the provider reported that traffic
> from inside was causing saturation. They really couldn't, or didn't want
> to tell us what system or what port. So I narrowed it down to the
> MailScanner server. When the problem would occur you could see the light
> blinking or almost solid on the switch port. We simply disconnected and
> everything was fine. So I started looking at possible overload of spam,
> or virus/Trojan on the server, etc. Nothing on the logs looked unusual,
> so we would plug it back and everything would be fine for a few days.
> Then it would happen again. So I installed iptraf, and put in logging
> mode and left it there. Well it happened yesterday again, and after
> looking over the logs, it appears like the following log entry is the
> problem:
>
> Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57541 to 74.66.226.117:53
>
> There are just millions of these. In VIM you have to hit Ctrl-F for a
> while just to get to the next second!
>
> Do you think I have buggy DNS? Doesn't seem like this would be some type
> of malicious software doing this, as what would be the point? Any other
> guesses?
>
> I guess I could simply turn off the DNS client locally? I'm not positive
> if this is the only IP it hits, so I don't know that blocking the IP
> outbound would make a difference.
>
> Thanks for any suggestions you can offer.
>
> Max
>   
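A quick way to confirm from the iptraf log whether the port-53 traffic really is a flood, as an added example written for this thread (not code from the list or from MailScanner): it parses lines of the shape quoted above and flags any second in which one host sent more than a threshold of UDP/53 queries to a single resolver. The threshold value and the sample log lines are constructed.

```python
import re
from collections import Counter

# Shape of the iptraf log line quoted in the thread; fields are "; "-separated.
IPTRAF_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}); "
    r"(?P<proto>\w+); (?P<iface>\S+); (?P<bytes>\d+) bytes; "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one iptraf line into a dict of fields; None for lines of another shape."""
    m = IPTRAF_RE.match(line.strip())
    return m.groupdict() if m else None

def dns_queries_per_second(lines):
    """Count UDP packets to port 53, keyed by (source host, resolver, timestamp second)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == "53":
            counts[(rec["src"], rec["dst"], rec["ts"])] += 1
    return counts

def flag_floods(lines, threshold=100):
    """Return (src, dst, second, count) for every second in which one host sent more
    than `threshold` DNS queries to one resolver. The threshold is a hypothetical
    value: a caching resolver in front of a mail gateway should stay far below it."""
    return sorted(
        (src, dst, ts, n)
        for (src, dst, ts), n in dns_queries_per_second(lines).items()
        if n > threshold
    )

def _line(ts, src, sport, dst, dport="53", proto="UDP"):
    return f"{ts}; {proto}; eth0; 43 bytes; from {src}:{sport} to {dst}:{dport}"

# Constructed sample log: 250 queries to one resolver in one second (the symptom
# described in the thread), three normal lookups a second later, and one TCP line.
SAMPLE_LOG = (
    [_line("Thu Oct 15 12:00:06 2009", "192.168.0.211", 40000 + i, "74.66.226.117") for i in range(250)]
    + [_line("Thu Oct 15 12:00:07 2009", "192.168.0.211", 50000 + i, "192.168.0.2") for i in range(3)]
    + [_line("Thu Oct 15 12:00:07 2009", "192.168.0.211", 51000, "192.168.0.2", dport="25", proto="TCP")]
)

if __name__ == "__main__":
    for src, dst, ts, n in flag_floods(SAMPLE_LOG):
        print(f"{ts}: {src} sent {n} DNS queries to {dst} in one second")
```

Run it against the real iptraf capture by replacing SAMPLE_LOG with the file's lines; a flood that hits only one upstream address points at the local resolver rather than at MailScanner itself.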



More information about the MailScanner mailing list