cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
david131415
New Contributor

IAD send flood of DNS traffic sourced from port 9999

I've got a few IADs that are sourcing DNS traffic at the rate of hundreds of packets per second.  They are looking up appropriate names, but at an insane rate.

Anyone seen anything like this?

David

Tags (5)
0 Kudos
2 Replies

Re: IAD send flood of DNS traffic sourced from port 9999

It's been a few years since I have touched AOS, but when I had seen symptoms like that in the past, it was because the IPBG was proxying DNS requests from somewhere else (typically a DoS attack). Try disabling DNS proxy:

(config)#no dns-proxy

Re: IAD send flood of DNS traffic sourced from port 9999

Thanks for the input!

It wasn't trying to resolve random/evil names like a compromised system would do.  The thing was trying to resolve the small handful of internal names that that it needs for our internal SIP system.  I say "trying" because the response packets were being dropped on their way back to the box.

If it fails to resolve a name of a SIP server that it needs, what could make it retry hundreds of times per second?  Seriously, I logged three queries in the same millisecond.  Good for load testing, bad for my pacemaker.

It was rebooted, it selected  a different source port for DNS queries, and everything was fine.

The number 9999 is probably meaningful, maybe as a magic number or as the last port available before you hit 10,000.

Cheers,

David