Interesting Traces - DNS query storm


This trace was taken with packet_monitor on a Stratus VOS operating system. What happens is that you start packet_monitor (it doesn't matter whether you are using TCP_OS or STCP) and pretty much the only thing you see is DNS queries and responses. There are two keys to this. First, the VOS operating system does not cache names; that is, for every name referenced it has to query the DNS. So far this has not created a problem for anyone. The second key is that packet_monitor was started without the -numeric argument. This means that it tries to resolve the IP addresses in the packets to names. Since every IP packet has two IP addresses, it will generate 2 DNS queries, which creates 2 packets, which when they get displayed generate 2 DNS queries, etc. It is a positive feedback loop, and the result is that pretty much the only thing you see in the trace is DNS packets.

The solution to this problem is to either start packet_monitor with the -numeric argument (which is something that I always suggest) or set up a filter so that DNS packets are not displayed.

packet_monitor
dir                                                 icmp type           tcp
   len proto source             destination         src port  dst port  type
R    246 UDP  WS1                 172.18.100.255      138       138       226
T     73 UDP  Server1             DNS1                1073      domain    53
R    153 UDP  DNS1                Server1             domain    1073      133
T     73 UDP  Server1             DNS1                1074      domain    53
R    244 UDP  DNS1                Server1             domain    1074      224
T     73 UDP  Server1             DNS1                1075      domain    53
R    250 UDP  DNS1                Server1             domain    1075      230
R    248 UDP  WS2                 172.18.100.255      138       138       228
T     73 UDP  Server1             DNS1                1076      domain    53
R    133 UDP  DNS1                Server1             domain    1076      113
T     72 UDP  Server1             DNS1                1077      domain    52
R    243 UDP  DNS1                Server1             domain    1077      223
R ARP Req Target Server2         Src  Server3         [00:d0:b7:9e:d0:39]
T     73 UDP  Server1             DNS1                1078      domain    53
R    249 UDP  DNS1                Server1             domain    1078      229
T     73 UDP  Server1             DNS1                1079      domain    53
R    247 UDP  DNS1                Server1             domain    1079      227
R     28 IGMP 172.18.100.2        ALL-SYSTEMS.MCAST.N
T     68 UDP  Server1             DNS1                1080      domain    48
R    268 UDP  DNS1                Server1             domain    1080      248
T     71 UDP  Server1             DNS1                1081      domain    51
R    151 UDP  DNS1                Server1             domain    1081      131
R ARP Req Target WS4             Src  Server6         [00:90:27:28:3d:c4]
T     73 UDP  Server1             DNS1                1082      domain    53
R    243 UDP  DNS1                Server1             domain    1082      223
T     71 UDP  Server1             DNS1                1083      domain    51
R    241 UDP  DNS1                Server1             domain    1083      221
R     78 UDP  172.16.1.103        172.16.1.255        137       137       58
T     71 UDP  Server1             DNS1                1084      domain    51
R    148 UDP  DNS1                Server1             domain    1084      128
T     71 UDP  Server1             DNS1                1085      domain    51
R    148 UDP  DNS1                Server1             domain    1085      128
T     72 UDP  Server1             DNS1                1086      domain    52
R    246 UDP  DNS1                Server1             domain    1086      226
T     72 UDP  Server1             DNS1                1087      domain    52
R    246 UDP  DNS1                Server1             domain    1087      226
T     72 UDP  Server1             DNS1                1088      domain    52
R    110 UDP  DNS1                Server1             domain    1088      90
R     78 UDP  172.16.1.103        172.16.1.255        137       137       58
T     71 UDP  Server1             DNS1                1089      domain    51
R    148 UDP  DNS1                Server1             domain    1089      128
T     71 UDP  Server1             DNS1                1090      domain    51
R    148 UDP  DNS1                Server1             domain    1090      128
R     78 UDP  172.16.1.103        172.16.1.255        137       137       58
T     71 UDP  Server1             DNS1                1091      domain    51
R     78 UDP  10.1.1.103          10.1.1.255          137       137       58
R    148 UDP  DNS1                Server1             domain    1091      128
R     78 UDP  10.1.1.103          10.1.1.255          137       137       58
T     71 UDP  Server1             DNS1                1092      domain    51
R    148 UDP  DNS1                Server1             domain    1092      128
T     69 UDP  Server1             DNS1                1093      domain    49
R    146 UDP  DNS1                Server1             domain    1093      126
T     69 UDP  Server1             DNS1                1094      domain    49
R    146 UDP  DNS1                Server1             domain    1094      126
T     69 UDP  Server1             DNS1                1095      domain    49
R    146 UDP  DNS1                Server1             domain    1095      126
T     69 UDP  Server1             DNS1                1096      domain    49
R    146 UDP  DNS1                Server1             domain    1096      126
R     78 UDP  10.1.1.103          10.1.1.255          137       137       58
T     69 UDP  Server1             DNS1                1097      domain    49
R    146 UDP  DNS1                Server1             domain    1097      126
T     69 UDP  Server1             DNS1                1098      domain    49
R    146 UDP  DNS1                Server1             domain    1098      126
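
As an added example (not part of the original page and not part of packet_monitor), the Python script below parses UDP rows in the column layout shown in the trace above and reports how much of a capture is the local host's own traffic to and from the DNS port. The function name analyze and the returned field names are assumptions made for this example; the sample rows are copied from the trace.

```python
import re

# Eight rows copied from the packet_monitor trace on this page.
SAMPLE = """\
R    246 UDP  WS1                 172.18.100.255      138       138       226
T     73 UDP  Server1             DNS1                1073      domain    53
R    153 UDP  DNS1                Server1             domain    1073      133
T     73 UDP  Server1             DNS1                1074      domain    53
R    244 UDP  DNS1                Server1             domain    1074      224
T     73 UDP  Server1             DNS1                1075      domain    53
R    250 UDP  DNS1                Server1             domain    1075      230
R ARP Req Target Server2         Src  Server3         [00:d0:b7:9e:d0:39]
"""

# Columns: dir, len, proto, source, destination, src port, dst port, data length.
# Only the UDP row layout seen in the trace is parsed.
ROW = re.compile(r"^([RT])\s+(\d+)\s+(UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def analyze(trace, dns_port="domain"):
    """Summarise how much of a trace is DNS lookups sent by the local host."""
    rows, skipped = [], 0
    for line in trace.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groups())
        elif line.strip():
            skipped += 1  # ARP, IGMP and other rows with a different layout
    # Queries: transmitted rows whose destination port is the DNS service.
    queries = {r[5]: r[4] for r in rows if r[0] == "T" and r[6] == dns_port}
    # Responses: received rows from the DNS port back to a port we queried from.
    answered = [r[6] for r in rows
                if r[0] == "R" and r[5] == dns_port and r[6] in queries]
    ports = sorted(int(p) for p in queries if p.isdigit())
    # One new, consecutive source port per query is the pattern visible in the
    # trace above: every lookup is a separate request, nothing is reused.
    sequential = len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
    dns_rows = len(queries) + len(answered)
    return {
        "parsed": len(rows), "skipped": skipped,
        "queries": len(queries), "answered": len(answered),
        "dns_share": round(dns_rows / len(rows), 2) if rows else 0.0,
        "sequential_ports": sequential,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A high dns_share together with sequential_ports on a capture taken without -numeric points to the monitor's own lookups rather than to application traffic.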


This page was last modified on 03-08-28
Send comments and suggestions to ndav1@cox.net