Blink1976

asked on

Unusual DNS patterns

At the start of November this year we moved to a DNS service called Neustar/UltraDNS to add the ability to do load balancing and link failover for our websites as well as host our DNS records. Prior to this our DNS had been hosted with our ISP, which provided no additional service other than name resolutions.
The first 3 weeks on the product have been great. However, starting on Thanksgiving day and continuing to now, we have had a flood of DNS queries against the service from foreign entities. This has pushed us above our contracted service level, which adds expense. Since we didn’t have any sort of reporting prior to this product, I am having a hard time determining what is normal and how we should respond to it. Our query volume has gone up nearly 50x what it was prior to Thanksgiving day. We have not made changes to our sites or infrastructure during this time. The majority of the DNS requests are coming from Saudi Arabia but also a wide range of other countries. We are a small regional firm that has no international exposure or client base outside of a two state radius in the US.
Since we have never needed to manage outside DNS in the past, are there things we should be doing to guard against this, or are there items we should be asking our DNS provider to do? They are saying this traffic does not appear to be a DNS attack, but they also get revenue based on query volume, so I am looking for outside ideas. They have instructed us to lower the TTL on our domain names as well as contact our ISPs to put blocks on the IPs from the top foreign IPs hitting our domains.
Papertrip

Lowering the TTL is the last thing you would want to do in this situation.

Are the incoming queries for your domain only, or do they appear to just be random? Make sure the DNS server(s) do not allow public recursion (i.e., only respond to requests for zones it hosts).
Check out http://www.dns-info.cz/en/dns-test/ and look for "recursive queries" in the results.
Blink1976

ASKER

I attached a document with some of the reporting we have showing the top hits on our DNS. You can see the massive jump starting Thanksgiving day from Saudi Arabia. This has continued to grow. We operate in a two state region in the Midwest, so I am trying to figure out how to kill off this traffic as it is definitely not part of our business. DNS.docx