bergertime

External DNS overload

I've used DYNDNS for our external DNS for several years.  We've been on the 5 qps the whole time.  It has suddenly shot up to over 200 qps in the last two months.  I had them run a report which shows the traffic coming from Google addresses; DYNDNS says it is email related.  Nothing on my end has changed.  Any suggestions what I should look for?  It's going to raise my rates from 50/month to 2000/month.  We host our email with Office 365.  Any ideas?
SOLUTION
Mohammed Khawaja
This solution is only available to members.
I would assume that if they say it is related to e-mail that the DNS lookups are for your MX record and then the host name that your MX record points to.

I would then further assume that the amount of e-mail you are getting has drastically increased.

I am assuming that "qps" is queries (lookups) per second.  If so, 200 qps is a LOT of queries; that's 720,000 queries an hour.

You could look at other DNS hosting services.  Heck, I'm pretty sure you could host your own DNS server in a colo for less than $2,000 per month.
bergertime

ASKER

All the traffic is for txt record.  I've been under 5qps for 10 years, and then all of a sudden over 200 qps.  I've gone from $50/month to an overage bill of $15000 plus updating our service to $2000/month.  How could it jump like that and why would it be requesting our txt record?

Thanks
Did you just start using Office 365?  It looks like Office 365 does a look up when you SEND e-mail to verify that you own the domain name you are sending from.  It uses either TXT or MX records to verify you own your domain.

If you just started using Office 365, that is the reason for the increase.

Based on the $$'s you are quoting, you can set up your own hosts for a LOT less.

Heck, some companies that provide domain name registration services offer free DNS.  An organization I volunteer for uses iPage; we use them for domain name registration and web hosting.  We don't really use their web hosting, but it comes with free e-mail.  We get free DNS hosting and I think total we pay about $300 a year; that is for 9 domain names and the web hosting services.  That I am aware of, there is no limit on the number of DNS lookups.

You may want to check with your ISP; some ISPs offer free DNS hosting.  The company I work for uses AT&T as our ISP and they offer free DNS hosting.
Good advice.  We've used Office 365 for a couple of years.  I'll leave this question open for a couple of more days for any other comments, then award points.  Thanks
Look at https://freedns.afraid.org/ as I know a few people who are using it.  It is very affordable and robust.
My biggest concern was that we went from averaging 5 qps to 200 qps, in just over a month.  Nothing has changed on my end.  It looks like 99.5 percent is email coming from Google.  Just seemed odd.
Unless you can tell from logs, I would talk to your employees to see if the e-mail from Gmail is valid.

Let's say there are 2 DNS queries per e-mail; that's 100 e-mails per second.

I'll need to do some more reading.  As I thought about it more, there should be no reason for somebody sending an e-mail to do a DNS lookup of any TXT records.  The lookup for an SPF TXT record is done when you send e-mail to somebody else, so unless you are sending a ton of e-mail to Gmail, or Google-hosted e-mail, there should be no reason for Google to be doing TXT record lookups.

I think even the Office365 info posted by Mohammed Khawaja is for when you are sending e-mail, not for when you are receiving e-mail.
I certainly wouldn't expect using Office 365 to have any effect on your DNS queries.  Unless you're receiving a lot more web traffic or email, I'm more likely to suspect malicious intent (such as DoS).  I don't think we had any increase in DNS queries when we moved to Office 365.  I've never had to deal with anything like this, but I would think Dyn would be in the best position to help you out.  If all the queries are for your TXT records, what records do you have?  An SPF would be the most common.  An SPF record can have an "include" section which references another domain.  But I know of no way to find out what other domain could have an SPF record which has an include for your domain.  If the traffic is coming from Google IPs, maybe Google could help you out.
I went back and read the stuff that Mohammed Khawaja posted about TXT records for Office 365.  That is only required when you are first setting up your Office 365 account.  They use either the TXT record (preferred) or MX record to verify you own your domain.

I agree with footech; check to see if you are receiving a TON more e-mail, get the logs from DynDNS to see exactly what type of queries are coming in and for what record types and names.  If they are truly from Google, get Google involved.
Thanks, we have an SPF record.  But not much traffic on it.  All the traffic is for txt records.  Who would I even try and contact at Google?  The traffic does seem to spike.
Get the IP address(es) that are querying the TXT records.
Then do a whois for the address(es) and contact either the tech contact or their "abuse@".

Tell them that your DNS server is getting hammered (200 queries per second) from them and you want to know why.
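As an added example (not part of the original thread and not Dyn's tooling): once the provider hands over a query log, a short script can show which name and record type are being hit, which source networks to run whois on, and what the peak rate is. The four-column CSV layout and every sample row below are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export: epoch second, source IP, queried name, record type.
# The column layout is an assumption, not the provider's actual report format.
SAMPLE_LOG = """\
1700000000,192.0.2.10,example.com,TXT
1700000000,192.0.2.11,example.com,TXT
1700000000,192.0.2.12,example.com,TXT
1700000000,198.51.100.7,example.com,MX
1700000001,192.0.2.10,example.com,TXT
1700000001,192.0.2.200,_dmarc.example.com,TXT
1700000001,203.0.113.5,www.example.com,A
1700000002,192.0.2.13,example.com,TXT
"""

def summarize(log_text, prefix_len=24):
    """Aggregate a query log by type, (name, type), source network and second."""
    by_type, by_name = Counter(), Counter()
    by_net, by_second = Counter(), Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, src, qname, qtype = (field.strip() for field in row)
        qtype = qtype.upper()
        by_type[qtype] += 1
        # Grouping by name answers "TXT record for what?" (apex, _dmarc, ...).
        by_name[(qname.lower().rstrip("."), qtype)] += 1
        # Collapse resolver farms into one block so whois is run once per network.
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        by_net[str(net)] += 1
        by_second[int(ts)] += 1
    total = sum(by_type.values())
    return {
        "total": total,
        "type_share": {t: n / total for t, n in by_type.items()},
        "top_names": by_name.most_common(3),
        "top_networks": by_net.most_common(3),
        "peak_qps": max(by_second.values(), default=0),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The networks at the top of `top_networks` are the ones to look up in whois before writing to an abuse contact.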
Although there is an actual SPF record type, my understanding is that this is rarely used.  More often the SPF record is a TXT type.  From prior posts, it was my thought that it was this record which was being queried.
Very few hits on the SPF, 99.9 are on the txt record.  Dyndns says this indicates email traffic.  I'm waiting on them to tell me if it looks like inbound or outbound traffic.
TXT record for what?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thanks, my qps seems to have returned to normal, less than 0.01.  Maybe we were under some kind of spam attack or something.  Who knows.
No love for me...  :(
Oh, I'm sorry.  I was in a rush.  I should have split it between all of you.  Can I redo it?
If you ever need to re-open a question in order to reassign points, etc., then you have to request attention to the question (using the link right below your question) so a Moderator can re-open it.

It's always nice to be recognized for any contribution of value, but I won't pressure you to do anything further.