[dnsdist] Cache, chrome and dns tunneling

Daniel Stirnimann daniel.stirnimann at switch.ch
Sun May 6 18:36:37 UTC 2018


On 05.05.18 12:40, Ask Bjørn Hansen wrote:
> 
>> On May 3, 2018, at 17:25, Nico <nicomail at gmail.com> wrote:
>>
>> After some tcpdumping and testing we found that chrome and dns tunneling were filling the cache,
>> even if the percent of these queries was very low in the total.
> 
> What do those queries look like?

For the chrome part, I guess he is talking about queries like these from
Android mobile devices using Google Chrome:

xmbltwvfgzoj AAAA
oputhfmeqha AAAA
fpxfkjurisphngo AAAA
oputhfmeqha A
fpxfkjurisphngo A
xmbltwvfgzoj A

I noticed this too a few weeks ago when playing with an Android
Emulator. I did not look into this more and cannot tell at what interval
they appear exactly. They seem to appear at least every time I started
Google Chrome. The queries are random. Next time they are completely
different but of the same length and same query character set.

The response is of course NXDOMAIN. Negative caching TTL for the root
zone is 1 day.

I guess most DNS resolver software limits the negative caching TTL to
something a fair bit lower. I just looked it up for PowerDNS recursor
and it is set to max 3600 sec:
https://doc.powerdns.com/md/recursor/settings/#max-negative-ttl

Maybe the problem is that dnsdist has no max negative ttl limit?
https://dnsdist.org/guides/cache.html

Daniel
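
A simplified model of the effect discussed in this thread, added here as an example (it is not part of the original message and does not reproduce dnsdist's cache implementation): it shows how random single-label NXDOMAIN queries making up 2% of traffic dominate a cache when the root zone's 1-day negative TTL is honoured, and what a 3600-second cap changes. The query rate, probe share, positive TTL, label length range and host names are assumptions made for the simulation.

```python
import random
import string

ROOT_NEGATIVE_TTL = 86400  # negative caching TTL of the root zone, per the post
POSITIVE_TTL = 300         # assumed TTL of ordinary answers


def random_label(rng):
    # Constructed probe name: one lowercase label, no dots, like the samples
    # in the post (assumed length range 7 to 15).
    length = rng.randint(7, 15)
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def simulate(max_negative_ttl, seconds=86400, qps=10, probe_share=0.02, seed=1):
    """Return (negative, positive) entries still live after `seconds`."""
    rng = random.Random(seed)
    popular = ["host%d.example.com" % i for i in range(500)]  # constructed names
    negative_ttl = min(ROOT_NEGATIVE_TTL, max_negative_ttl)
    cache = {}  # name -> (expiry time, is_negative)
    for now in range(seconds):
        for _ in range(qps):
            if rng.random() < probe_share:
                name, ttl, neg = random_label(rng), negative_ttl, True
            else:
                name, ttl, neg = rng.choice(popular), POSITIVE_TTL, False
            entry = cache.get(name)
            if entry is None or entry[0] <= now:  # miss or expired: (re)insert
                cache[name] = (now + ttl, neg)
    live = [neg for expiry, neg in cache.values() if expiry > seconds]
    return sum(live), len(live) - sum(live)


if __name__ == "__main__":
    for cap in (ROOT_NEGATIVE_TTL, 3600):
        negative, positive = simulate(cap)
        print("max negative TTL %5d s: %6d NXDOMAIN entries, %3d positive entries"
              % (cap, negative, positive))
```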

