JVNDB-2004-000594
DNS cache servers resource consumption by TCP SYN_SENT states
DNS cache servers can consume a large amount of resources while communicating with DNS authoritative servers in the following situation:
(1) a user sends a query to the DNS cache server
(2) the DNS cache server sends a UDP query to an authoritative server
(3) when the authoritative server finds that the reply is too large, it sends the reply packet back to the DNS cache server with the TC (truncation) bit set
(4) the DNS cache server re-sends the query over TCP
(5) when the authoritative server does not reply to the TCP query, or packets destined for 53/tcp are dropped, the DNS cache server holds the socket in the SYN_SENT state for a certain period of time
(6) a huge number of transactions following steps (1)-(5) take place in a short period of time
Affected products are DNS cache servers deployed in the network configuration described above.
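The symptom of steps (1)-(6) on the cache server itself is a pile-up of half-open TCP sockets toward port 53 of particular authoritative servers. The following added example, which is not part of the JVN advisory, counts sockets in the SYN_SENT state per peer from socket-table output in the layout of `ss -tan` (state, Recv-Q, Send-Q, local address:port, peer address:port; the sample lines are constructed, not captured data) and flags peers that exceed a threshold. It accepts both the `SYN-SENT` spelling used by `ss` and the `SYN_SENT` spelling used by `netstat`, and handles bracketed IPv6 peers.

```python
"""Count half-open TCP connections (SYN_SENT) toward port 53 per peer.

Added example, not part of the JVN advisory. It assumes socket-table lines in
the `ss -tan` layout: State Recv-Q Send-Q Local:Port Peer:Port.
"""
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample in `ss -tan` layout (not real captured data).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port      Peer Address:Port
SYN-SENT   0      1      192.0.2.53:41002        198.51.100.10:53
SYN-SENT   0      1      192.0.2.53:41003        198.51.100.10:53
SYN-SENT   0      1      192.0.2.53:41004        198.51.100.10:53
ESTAB      0      0      192.0.2.53:41005        203.0.113.7:53
SYN-SENT   0      1      192.0.2.53:41006        203.0.113.7:53
SYN-SENT   0      1      192.0.2.53:41007        [2001:db8::1]:53
"""


def _split_host_port(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port', handling bracketed IPv6 such as '[2001:db8::1]:53'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def syn_sent_by_peer(lines: Iterable[str], port: int = 53) -> Counter:
    """Return Counter {peer_host: sockets in SYN_SENT toward `port`}."""
    counts: Counter = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        # `ss` prints SYN-SENT, `netstat` prints SYN_SENT; normalise both.
        state = fields[0].upper().replace("-", "_")
        if state != "SYN_SENT":
            continue  # header line and other states are skipped
        peer_host, peer_port = _split_host_port(fields[4])
        if peer_port == port:
            counts[peer_host] += 1
    return counts


def flag_peers(counts: Counter, threshold: int) -> List[Tuple[str, int]]:
    """Peers with at least `threshold` half-open connections, busiest first."""
    return sorted(
        ((peer, n) for peer, n in counts.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


def assess(ss_output: str, threshold: int = 2) -> dict:
    """Summarise a socket table: total SYN_SENT toward 53/tcp and flagged peers."""
    counts = syn_sent_by_peer(ss_output.splitlines())
    return {
        "total_syn_sent": sum(counts.values()),
        "flagged": flag_peers(counts, threshold),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_SS_OUTPUT)
    print(f"SYN_SENT sockets toward 53/tcp: {report['total_syn_sent']}")
    for peer, n in report["flagged"]:
        print(f"  {peer}: {n} half-open connections")
```

On a live system the same functions can be fed the output of `ss -tan` or `netstat -tan` directly; the threshold of 2 is only suitable for the tiny constructed sample and should be set from the cache server's normal baseline, since a handful of SYN_SENT sockets toward an authoritative server that is slow to answer over TCP is expected.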
Base Metrics:
5.0 (Medium)
[NVD Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Partial
Multiple Vendors
- Multiple Products: DNS cache server
The DNS cache server's TCP state table can overflow when it issues a huge number of TCP queries to certain authoritative servers toward which 53/tcp packets are dropped or which do not reply to TCP queries, resulting in a denial of service.
- JVN : JVN#61857DA9
- NANOG : NANOG Abstract
- NANOG : NANOG PDF presentation
[2008/05/21]
Web page published