DNS Forwarding overload
I am running Pfsense:
built on Wed Sep 11 18:16:22 EDT 2013
You are on the latest version.
on an older Dell PowerEdge 2850 with 4 GB of RAM and plenty of HD space (got to love eBay). Two satellite links run in and one LAN. I have it set to load balance with both gateways in a group called load balance_GW. Evidently I have some error, as our provider says we are getting DNS requests from one of the sats at like 200 per second. Here is her e-mail to me. I am not exactly sure what to do and how to reconfigure. If I disable the DNS forwarder, will it shut down things inside?
OK – I poked around a bit on this today. The good news is that I'm not seeing any evidence of a virus or DNS attack. All the requests seem to be coming from your network. I did find a few interesting things.
The load balancer seems to be acting itself as a DNS cache, and also only using TAP 66 right now for DNS lookups. What we are seeing is two requests for every domain name looked up. It may be that since it has two interfaces (TAP 48 and TAP 66), when it gets a DNS request it wants to send it out both interfaces to see which one responds fastest. That's all well and good, but both of those requests seem to be coming from the router's 217.aaa.bbb.ddd IP, which is the interface on TAP 66's network. I ran a tcpdump on TAP 48 and also reviewed our packet analyzer, and there are essentially no DNS requests coming in from anything else on TAP 48.
Something else might be going on at this moment with your LAN connection to TAP 48 -- the router IP at 217.aaa.bbb.ccc has been intermittently not responding -- a few seconds ago I was unable to ping it.
defs-xxxxx-yyy-zzz-48:/var/run# arp -a
ccc-bbb-aaa-217.ip.eu.tachyon.net (217.aaa.bbb.ccc) at <incomplete> on eth0
PING 217.aaa.bbb.ccc (217.aaa.bbb.ccc) 56(84) bytes of data.
From 217.aaa.bbb.ccc icmp_seq=1 Destination Host Unreachable
From 217.aaa.bbb.ccc icmp_seq=3 Destination Host Unreachable
From 217.aaa.bbb.ccc icmp_seq=4 Destination Host Unreachable
That's recent behavior though -- about 30 minutes ago I was running a tcpdump and was seeing normal traffic.
Back to the load balancer. Your load balancer seems to be itself acting as a DNS cache. This is probably a configurable setting on it -- you can set it up to be a DNS cache or to just pass along DNS requests without caching. We'd like to have you try changing it so that it is just passing the requests to the modem. The modem may not be any better at it than your cache, but there seems to be some misconfiguration that is causing it to double up on requests, so disabling that would probably make things better for the time being. This will also help by halving the number of requests, which will keep the cache from flushing (rolling over due to being full) as often and will make it more useful.
Can you take a look again at how it is configured?
I will re-enable the transparent DNS cache for now, since it is not having a negative impact and may be helping a little bit. I'll reboot the terminal in a little while. It looks like TAP 48 (on the LAN side) is not happy, so I don't want to take 66 down right now.
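Before changing the forwarder setting, it is worth confirming the provider's two observations from your own side: that every lookup goes out twice, and what the per-second query rate from the WAN address actually is. The script below is an added example for this thread (not code from the poster, the provider or pfSense) that reads tcpdump text output for UDP port 53, skips responses, and reports per source IP the total queries, the peak queries in any one-second bucket, and how many queries were near-duplicates of one sent a moment earlier. The capture embedded in it is constructed, using RFC 5737 documentation addresses (192.0.2.10 standing in for the router's WAN IP, 198.51.100.53 for the upstream resolver); on the firewall you would replace it with the output of something like `tcpdump -n -i <wan_if> udp port 53` (interface name is yours to fill in).

```python
"""Spot doubled DNS queries and per-source query rates in tcpdump text output.

Added example for the thread above, not the poster's or pfSense's own code.
Feed it real output of `tcpdump -n -i <wan_if> udp port 53` instead of
SAMPLE_CAPTURE to check the "two requests per name" and "200 per second" claims.
"""
import re
from collections import defaultdict

# Constructed capture (RFC 5737 documentation addresses), not real traffic.
# 192.0.2.10 plays the router WAN IP, 192.0.2.77 a LAN host, 198.51.100.53 the resolver.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.0.2.10.50001 > 198.51.100.53.53: 4100+ A? www.example.com. (33)
12:00:01.000350 IP 192.0.2.10.50002 > 198.51.100.53.53: 4101+ A? www.example.com. (33)
12:00:01.200000 IP 192.0.2.10.50003 > 198.51.100.53.53: 4102+ AAAA? www.example.com. (33)
12:00:01.200200 IP 192.0.2.10.50004 > 198.51.100.53.53: 4103+ AAAA? www.example.com. (33)
12:00:01.900000 IP 192.0.2.77.41000 > 198.51.100.53.53: 9001+ A? mail.example.net. (34)
12:00:02.100000 IP 192.0.2.10.50005 > 198.51.100.53.53: 4104+ A? cdn.example.org. (32)
12:00:02.100900 IP 192.0.2.10.50006 > 198.51.100.53.53: 4105+ A? cdn.example.org. (32)
12:00:02.500000 IP 198.51.100.53.53 > 192.0.2.10.50001: 4100 1/0/0 A 203.0.113.5 (49)
"""

# Matches only query lines (destination port 53, "+" = recursion desired);
# response lines go back to a high port and have no "+" so they are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.(?P<us>\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"(?P<id>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) "
)


def _ts_to_seconds(hms, micros):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s + int(micros) / 1_000_000


def parse_queries(capture_text):
    """Return one dict per DNS query line; responses are ignored."""
    out = []
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            out.append({
                "t": _ts_to_seconds(m["ts"], m["us"]),
                "src": m["src"],
                "qtype": m["qtype"],
                "qname": m["qname"].lower(),
            })
    return out


def find_duplicates(queries, window=0.5):
    """Same (src, qtype, qname) repeated within `window` seconds: the
    'two requests for every domain' pattern. Returns (src, qtype, qname, delta)."""
    last_seen = {}
    dups = []
    for q in queries:
        key = (q["src"], q["qtype"], q["qname"])
        if key in last_seen and q["t"] - last_seen[key] <= window:
            dups.append(key + (round(q["t"] - last_seen[key], 6),))
        last_seen[key] = q["t"]
    return dups


def per_source_summary(queries, window=0.5):
    """Per source IP: total queries, peak queries in any one-second bucket,
    and how many queries were near-duplicates of an earlier one."""
    totals = defaultdict(int)
    buckets = defaultdict(lambda: defaultdict(int))
    for q in queries:
        totals[q["src"]] += 1
        buckets[q["src"]][int(q["t"])] += 1
    dup_counts = defaultdict(int)
    for src, *_ in find_duplicates(queries, window):
        dup_counts[src] += 1
    return {
        src: {
            "queries": totals[src],
            "peak_per_second": max(buckets[src].values()),
            "duplicates": dup_counts[src],
        }
        for src in totals
    }


if __name__ == "__main__":
    qs = parse_queries(SAMPLE_CAPTURE)
    for src, stats in sorted(per_source_summary(qs).items()):
        print(src, stats)
    for dup in find_duplicates(qs):
        print("duplicate:", dup)
```

If the duplicate count for the WAN address is close to half its total, the forwarder really is sending each lookup twice, which matches what the provider saw on TAP 66; if instead the peak per-second figure is high but duplicates are rare, the volume is genuine client load and caching is what you want to keep. Run the capture on the LAN interface as well, so you can compare what the clients ask for with what leaves the WAN side.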