On Sep 9, 2011 10:28 PM, "TMK" <eng...@gmail.com> wrote: > > On 09.09.11 19:31, TMK wrote: >We have find the reason why our network analyzer report that bind is >responding to a.root-server.net in 30 sec. > > does your server respond to a.root-servers.net, or does > a.root-servers.netrespond to your BIND?
A.root-server.net is query being sent from some of our clients. > > >Cause all the packets are having the same source port and the same >identification I'd which makes it impossible for it to determine the >query/response pairs. > > who is sending those packets? Is that your BIND? > Like I said it is being send from some infected customers to our cache dns > >Just one question why doesn't the bind drop such packets. > > apparently it does and that's why it's so slow... No it doesn't the capture shows it has responded to every and packet of those but dut to having the same source ports and the identification I'd the traffic analyzer is unable to correctly link the requests with the replies. All those packets are from source port 3037 > > --Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0... All
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
