We help IT Professionals succeed at work.

Unusual DNS patternd

Blink1976 asked
At the start of November this year we moved to a DNS service called Neustar/UltraDNS to add the ability to do load balancing and link failover for our websites as well as host our DNS records.  Prior to this our DNS had been hosted with our ISP which provided no additional service other than name resolutions.
The first 3 weeks on the product have been great. However starting on Thanksgiving day and continuing to now we have had a flood of DNS queries against the service from foreign entities.  This has pushed us above our contracted service level which adds expense.  Since we didn’t have any sort of reporting prior to this product I am having a hard time determining what is normal and how we should respond to it.  Our query volume has went up nearly 50x what it was prior to Thanksgiving day.  We have not made changes our sites or infrastructure or site during this time.  The majority of the DNS requests are coming from Saudi Arabia but also a wide range of other countries.  We are a small regional firm that has no international exposure or client base outside of a two state radius in the US.  
Since we have never needed to manage outside DNS in the past are there things we should be doing to guard against this or are there  items we should be asking our DNS provider to do?  They are saying this traffic does not appear to be a DNS attack, but they also get revenue based on query volume so I am looking for outside ideas.  They have instructed us to lower the TTL on our domain names as well as contact our ISPs to put blocks on the IPs from the top foreign IPs hitting our domains.
Watch Question

Top Expert 2011

Lowering the TTL is the last thing you would want to do in this situation.

Are the incoming queries for your domain only or do they appear to just be random?  Make sure the DNS server(s) do not allow public recursion (ie: only respond to requests for zones it hosts).
Top Expert 2011

Check out http://www.dns-info.cz/en/dns-test/ and look for "recursive queries" in the results.
Top Expert 2011
Also check out http://intodns.com -- I prefer that tool as opposed to the other one I linked, it just slipped my mind.
First, i assume it is not their own service monitoring your server status for auto-failover.

Second, do you know if the foreign hosts are making calls to your website or just querying the dns record? You can view web server logs for host headers and what the request is. (e.g. if you notice weird attack request URLs for example injections or directory traversal you know its an attempt to exploit the site)

Third, double check you aren't hosting any kind of 'homing beacon' or control module that are used to control botnets. If someone infected one or more of your server with a botnet controller, this excess traffic could be infected computers calling to check in to the server.


I attached a document with some of the reporting we have showing the top hits on our DNS.  You can see the massive jump starting Thanksgiving day from Saudi Arabia.  This has continued to grow.  We operate in a two state region in the mid-west so I am trying to figure out how to kill off this traffic as it is definitly not part of our business. DNS.docx