2 Replies Latest reply on Jul 5, 2018 12:52 PM by david131415

    IAD send flood of DNS traffic sourced from port 9999

    david131415 New Member

      I've got a few IADs that are sourcing DNS traffic at the rate of hundreds of packets per second.  They are looking up appropriate names, but at an insane rate.


      Anyone seen anything like this?


      David

        • Re: IAD send flood of DNS traffic sourced from port 9999
          packetvoice New Member

          It's been a few years since I have touched AOS, but when I had seen symptoms like that in the past, it was because the IPBG was proxying DNS requests from somewhere else (typically a DoS attack). Try disabling DNS proxy:


          (config)#no dns-proxy

            • Re: IAD send flood of DNS traffic sourced from port 9999
              david131415 New Member

              Thanks for the input!


              It wasn't trying to resolve random/evil names like a compromised system would do.  The thing was trying to resolve the small handful of internal names that it needs for our internal SIP system.  I say "trying" because the response packets were being dropped on their way back to the box.


              If it fails to resolve a name of a SIP server that it needs, what could make it retry hundreds of times per second?  Seriously, I logged three queries in the same millisecond.  Good for load testing, bad for my pacemaker.


               It was rebooted, it selected a different source port for DNS queries, and everything was fine.


              The number 9999 is probably meaningful, maybe as a magic number or as the last port available before you hit 10,000.


              Cheers,


              David
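The two explanations raised in this thread (a device proxying someone else's DNS traffic versus a retry storm against a few internal names whose answers never come back) can be told apart from the DNS server's query log. The script below is an added example written for this thread, not code from AdTran or from either poster. It assumes a hypothetical one-line-per-packet log format ("timestamp query|response src_ip:src_port qname"); the sample lines are constructed to mimic the symptom David describes: one IAD sending about 300 queries per second from UDP/9999 for three internal SIP names, three of them in the same millisecond, with no responses reaching it. It groups traffic per source IP and port, measures the peak one-second query rate, counts distinct names, and reports how many queries were answered, so a retry storm with few names and no answers is classified differently from a many-name flood that would point at proxying.

```python
"""Classify DNS query floods per (source IP, source port) from query-log lines."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample, not real IAD/AOS or DNS server output.

    192.0.2.10:9999 sends 300 queries inside one second for three internal
    names (three per millisecond) and receives no responses; 192.0.2.20 is a
    healthy client whose five queries are each answered.
    """
    names = ["sip1.corp.example", "sip2.corp.example", "sbc.corp.example"]
    base = datetime(2018, 7, 5, 12, 0, 0)
    lines = []
    for i in range(300):
        ts = base + timedelta(milliseconds=(i // 3) * 10)  # 3 queries every 10 ms
        lines.append(f"{ts.isoformat(timespec='milliseconds')} query "
                     f"192.0.2.10:9999 {names[i % 3]}")
    for i in range(5):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} query "
                     f"192.0.2.20:51234 www.example")
        ts2 = ts + timedelta(milliseconds=5)
        lines.append(f"{ts2.isoformat(timespec='milliseconds')} response "
                     f"192.0.2.20:51234 www.example")
    return lines


def parse_line(line):
    """Parse one hypothetical log line into its fields."""
    ts, kind, endpoint, qname = line.split()
    ip, port = endpoint.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "ip": ip, "port": int(port), "qname": qname}


def peak_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any sliding window."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window=timedelta(seconds=1)):
    """Per-source statistics: query count, answers seen, name diversity, burstiness."""
    per_src = defaultdict(lambda: {"queries": [], "responses": 0, "names": Counter()})
    for rec in map(parse_line, lines):
        entry = per_src[(rec["ip"], rec["port"])]
        if rec["kind"] == "query":
            entry["queries"].append(rec["ts"])
            entry["names"][rec["qname"]] += 1
        elif rec["kind"] == "response":
            entry["responses"] += 1
    report = {}
    for src, entry in per_src.items():
        times = sorted(entry["queries"])
        # Truncate to whole milliseconds to count queries sharing one millisecond.
        per_ms = Counter(t.replace(microsecond=(t.microsecond // 1000) * 1000) for t in times)
        report[src] = {
            "queries": len(times),
            "responses": entry["responses"],
            "distinct_names": len(entry["names"]),
            "peak_qps": peak_in_window(times, window),
            "max_same_ms": max(per_ms.values()) if per_ms else 0,
        }
    return report


def flag_floods(report, qps_threshold=100, max_names=10):
    """Flag sources above the rate threshold and label the likely cause."""
    flagged = []
    for src, stats in report.items():
        if stats["peak_qps"] < qps_threshold:
            continue
        answered = stats["responses"] / stats["queries"] if stats["queries"] else 0.0
        if stats["distinct_names"] <= max_names:
            label = f"retry storm: few names, {round(100 * answered)}% answered"
        else:
            label = "many-name flood: consistent with proxied or abusive traffic"
        flagged.append((src, label))
    return flagged


if __name__ == "__main__":
    rep = analyze(build_sample_log())
    for src, label in flag_floods(rep):
        print(f"{src[0]}:{src[1]} -> {label} ({rep[src]})")
```

On the constructed input this flags only 192.0.2.10:9999 as a retry storm with three names and 0% answered, which matches the "responses dropped on the way back" diagnosis rather than proxying; a source with a large set of distinct names would instead be labelled as a many-name flood, the case where disabling the DNS proxy is the relevant check. Thresholds are illustrative and should be tuned to the normal query rate of the devices being watched.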