JVNDB-2004-000594

DNS cache servers resource consumption by TCP SYN_SENT states

Overview

DNS cache servers consume huge resources for communication with DNS authoritative servers in the following situation.
(1) a user sends a query to the DNS cache server
(2) the DNS cache server sends a UDP query to an authoritative server
(3) when the authoritative server finds that the reply content is too large for UDP, it sends back the reply packet to the DNS cache server with the TC (truncated) bit set
(4) the DNS cache server re-sends the query over TCP
(5) when the authoritative server does not reply to the TCP query, or packets destined for 53/tcp are dropped, the DNS cache server holds the socket in the SYN_SENT state for a certain period of time
(6) a huge number of transactions in steps (1)-(5) take place in a short period of time

Affected products are DNS servers with the network configuration described above.
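As an added example (not part of the JVN advisory), the following script counts half-open 53/tcp connections per authoritative server from `ss -tan`-style socket listing output, which is the symptom of step (5) above; the sample output is constructed and the column layout is assumed to follow `ss`/`netstat` conventions.

```python
import re
from collections import Counter

# Constructed sample of `ss -tan`-style output from a resolver host (not a real capture).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB      0      0      192.0.2.10:53         192.0.2.55:51022
SYN-SENT   0      1      192.0.2.10:41234      198.51.100.5:53
SYN-SENT   0      1      192.0.2.10:41235      198.51.100.5:53
SYN-SENT   0      1      192.0.2.10:41236      198.51.100.5:53
SYN-SENT   0      1      192.0.2.10:41237      203.0.113.9:53
SYN-SENT   0      1      192.0.2.10:41238      198.51.100.5:53
TIME-WAIT  0      0      192.0.2.10:41100      203.0.113.9:53
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port (header line has no digits, so it is skipped).
_LINE_RE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)")


def _split_host_port(addr):
    # rpartition handles bracketed IPv6 such as [2001:db8::1]:53 as well as IPv4.
    host, _, port = addr.rpartition(":")
    return host, int(port)


def count_syn_sent_to_dns(ss_output, dns_port=53):
    """Return {peer_ip: count} of sockets stuck in SYN_SENT toward the peer's DNS port."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        # ss prints SYN-SENT, netstat prints SYN_SENT; normalise both.
        state = m.group("state").upper().replace("-", "_")
        if state != "SYN_SENT":
            continue
        peer_host, peer_port = _split_host_port(m.group("peer"))
        if peer_port == dns_port:
            counts[peer_host] += 1
    return dict(counts)


def find_stalled_authoritatives(ss_output, threshold=3):
    """Authoritative servers with at least `threshold` half-open 53/tcp connections from this resolver."""
    counts = count_syn_sent_to_dns(ss_output)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(find_stalled_authoritatives(SAMPLE_SS_OUTPUT))
```

A sustained count well above a site's normal TCP fallback rate toward one authoritative server indicates the condition in the Overview; the threshold is a local tuning choice, not a value from the advisory.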
CVSS Severity

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products

(Multiple Vendors)
  • (Multiple Products) DNS cache server

Impact

The DNS cache server suffers TCP state table overflow when it makes a huge number of TCP queries to certain authoritative servers where 53/tcp packets are dropped or the authoritative server does not reply to TCP queries.
Solution

Vendor Information

CWE

CVE

References

  1. JVN : JVN#61857DA9
  2. NANOG : NANOG Abstract
  3. NANOG : NANOG PDF presentation
Revision History

  • [2008/05/21]
      Web page published