Abnormal amount of DNS lookups.
Posted: Mon Oct 09, 2017 1:30 pm
by NetNeutron
- Linux Distribution and version? Red Hat Enterprise Linux Server release 6.8 (Santiago)
- 32 or 64bit? 64 bit
- VMware Image or Manual Install of XI? Manual Install
- Are there special configurations on your system? No
- Gnome installed? No
- Are you using a proxy? No
- Are you using SSL? No
Our DNS team is seeing 2 million+ DNS requests coming from our NagiosXI server.
I did a packet capture of port 53 and at a quick glance I see a lot of AAAA requests and queries for things like
hostname.domain.domain, for example support.nagios.com.nagios.com.
Why is NagiosXI doing so many DNS queries? Why AAAA? Why double domain?
G.
Re: Abnormal amount of DNS lookups.
Posted: Mon Oct 09, 2017 2:21 pm
by scottwilkerson
NetNeutron wrote: Our DNS team is seeing 2 million+ DNS requests coming from our NagiosXI server.
This sounds like a lot, but 2 million in what time frame?
For the domains it is doing the bulk of the lookups on, what is the TTL for the requests?
The AAAA requests are the plugins checking for IPv6 records.
Depending on the types of checks, some of them do have options to force the type of check. For example, with the check_dns plugin you could force it to only look for A records by adding the -q A flag:
Code:
/usr/local/nagios/libexec/check_dns -h
check_dns v2.2.1 (nagios-plugins 2.2.1)
Copyright (c) 1999 Ethan Galstad <[email protected]>
Copyright (c) 2000-2014 Nagios Plugin Development Team
<[email protected]>
This plugin uses the nslookup program to obtain the IP address for the given host/domain query.
An optional DNS server to use may be specified.
If no DNS server is specified, the default server(s) specified in /etc/resolv.conf will be used.
Usage:
check_dns -H host [-s server] [-q type ] [-a expected-address] [-A] [-n] [-t timeout] [-w warn] [-c crit]
Options:
-h, --help
Print detailed help screen
-V, --version
Print version information
--extra-opts=[section][@file]
Read options from an ini file. See
https://www.nagios-plugins.org/doc/extra-opts.html
for usage and examples.
-H, --hostname=HOST
The name or address you want to query
-s, --server=HOST
Optional DNS server you want to use for the lookup
-q, --querytype=TYPE
Optional DNS record query type where TYPE =(A, AAAA, SRV, TXT, MX, ANY)
The default query type is 'A' (IPv4 host entry)
-a, --expected-address=IP-ADDRESS|HOST
Optional IP-ADDRESS you expect the DNS server to return. HOST must end with
a dot (.). This option can be repeated multiple times (Returns OK if any
value match). If multiple addresses are returned at once, you have to match
the whole string of addresses separated with commas (sorted alphabetically).
If you would like to test for the presence of a cname, combine with -n param.
-A, --expect-authority
Optionally expect the DNS server to be authoritative for the lookup
-n, --accept-cname
Optionally accept cname responses as a valid result to a query
The default is to ignore cname responses as part of the result
-w, --warning=seconds
Return warning if elapsed time exceeds value. Default off
-c, --critical=seconds
Return critical if elapsed time exceeds value. Default off
-t, --timeout=INTEGER:<timeout state>
Seconds before connection times out (default: 10)
Optional ":<timeout state>" can be a state integer (0,1,2,3) or a state STRING
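Before answering Scott's "2 million in what time frame" and "which names" questions, it helps to turn the port-53 capture into counts: queries per record type, queries per name, names that carry a doubled domain suffix, and how many lookups end in NXDOMAIN (a name that never resolves forces the resolver to walk its whole search list on every check, which is exactly the hostname.domain.domain pattern in the question). The script below is an added example, not code from the thread or from Nagios. The capture lines are constructed in `tcpdump -n port 53` text format; 10.0.0.5 stands in for the Nagios XI host and 10.0.0.2 for its resolver, both hypothetical.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -n port 53` format (not a real capture).
# 10.0.0.5 stands in for the Nagios XI host, 10.0.0.2 for its resolver.
SAMPLE_CAPTURE = """\
13:30:01.000101 IP 10.0.0.5.43521 > 10.0.0.2.53: 4101+ A? support.nagios.com. (36)
13:30:01.000102 IP 10.0.0.5.43521 > 10.0.0.2.53: 4102+ AAAA? support.nagios.com. (36)
13:30:01.000350 IP 10.0.0.2.53 > 10.0.0.5.43521: 4101 1/0/0 A 192.0.2.10 (52)
13:30:01.000351 IP 10.0.0.2.53 > 10.0.0.5.43521: 4102 0/1/0 (90)
13:30:01.000600 IP 10.0.0.5.51877 > 10.0.0.2.53: 4103+ A? db01.example.net. (34)
13:30:01.000601 IP 10.0.0.5.51877 > 10.0.0.2.53: 4104+ AAAA? db01.example.net. (34)
13:30:01.000900 IP 10.0.0.2.53 > 10.0.0.5.51877: 4103 NXDomain 0/1/0 (105)
13:30:01.000901 IP 10.0.0.2.53 > 10.0.0.5.51877: 4104 NXDomain 0/1/0 (105)
13:30:01.001200 IP 10.0.0.5.51877 > 10.0.0.2.53: 4105+ A? db01.example.net.example.net. (46)
13:30:01.001201 IP 10.0.0.5.51877 > 10.0.0.2.53: 4106+ AAAA? db01.example.net.example.net. (46)
13:30:01.001500 IP 10.0.0.2.53 > 10.0.0.5.51877: 4105 NXDomain 0/1/0 (117)
13:30:01.001501 IP 10.0.0.2.53 > 10.0.0.5.51877: 4106 NXDomain 0/1/0 (117)
"""

# Query line:    "IP <src> > <dst>: <id>+[flags] [<edns>] <QTYPE>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"IP (\S+) > (\S+): (\d+)\+\S*(?: \[\S+\])? (\w+)\? (\S+?)\.? \(\d+\)")
# Response line: "IP <src> > <dst>: <id>[*] [<rcode>] <an>/<ns>/<ar> ..."
RESPONSE_RE = re.compile(
    r"IP (\S+) > (\S+): (\d+)\S* (?:(NXDomain|ServFail|Refused|FormErr|NotImp) )?\d+/\d+/\d+")


def parse_capture(text):
    """Split a tcpdump text dump into queries and the responses to them.

    Queries are keyed by (client address.port, transaction id): a 16-bit id
    on its own repeats within minutes on a host sending millions a day."""
    queries, responses = [], {}
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            src, _dst, qid, qtype, name = m.groups()
            queries.append({"key": (src, int(qid)), "qtype": qtype, "name": name.lower()})
            continue
        m = RESPONSE_RE.search(line)
        if m:
            _src, dst, qid, rcode = m.groups()
            responses[(dst, int(qid))] = rcode or "NoError"
    return queries, responses


def doubled_suffix(name):
    """True when the tail of the name repeats itself, the signature of a
    search domain being appended to a name that already ended with it:
    db01.example.net.example.net -> labels [example, net] occur twice.
    Heuristic only: a search domain unrelated to the host's own domain
    would not be caught; compare against /etc/resolv.conf for that."""
    labels = name.split(".")
    return any(labels[-n:] == labels[-2 * n:-n]
               for n in range(2, len(labels) // 2 + 1))


def summarize(text):
    """Aggregate the capture into the numbers worth raising with the DNS team."""
    queries, responses = parse_capture(text)
    rcodes = Counter(responses.get(q["key"], "unanswered") for q in queries)
    return {
        "total_queries": len(queries),
        "by_qtype": dict(Counter(q["qtype"] for q in queries)),
        "per_name": dict(Counter(q["name"] for q in queries)),
        "doubled_names": sorted({q["name"] for q in queries if doubled_suffix(q["name"])}),
        "nxdomain": rcodes["NXDomain"],
        "unanswered": rcodes["unanswered"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

On the XI host, `tcpdump -n -i eth0 port 53 > dns.txt` for a few minutes and feed the file to `summarize()`. Divide the per-name counts by the capture window and compare with each host's check interval: a name queried far more often than its checks run, or one that only ever returns NXDOMAIN, is where the volume is coming from.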
Re: Abnormal amount of DNS lookups.
Posted: Mon Oct 09, 2017 3:02 pm
by NetNeutron
Hello Scott,
It's 2 million per day.
I just examined the TTL in the responses and they vary from 9 to 900.
G
Re: Abnormal amount of DNS lookups.
Posted: Mon Oct 09, 2017 4:40 pm
by scottwilkerson
NetNeutron wrote: Hello Scott,
It's 2 million per day.
I just examined the TTL in the responses and they vary from 9 to 900.
G
As the TTL is in seconds, these are extremely low, and will require a lookup every time a check is performed where a hostname needs to be translated to an IP address. If they do not change frequently, increasing the TTL to a higher timeframe would reduce this dramatically, e.g. 86400 to refresh daily.
Re: Abnormal amount of DNS lookups.
Posted: Tue Oct 10, 2017 5:44 am
by NetNeutron
Okay I can check into that.
I don't believe we use check_dns at all.
Does NagiosXI look up AAAA by a default setting somewhere?
G.
Re: Abnormal amount of DNS lookups.
Posted: Tue Oct 10, 2017 9:06 am
by scottwilkerson
NetNeutron wrote: Does NagiosXI look up AAAA by a default setting somewhere?
Everywhere it has to lookup a hostname and convert it to an IP.
If you do not have IPv6 at all on your system, it wouldn't try to do the lookups if IPv6 was disabled on the XI server.
https://serverfault.com/questions/63266 ... aa-lookups
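The two questions left open in the thread (why AAAA, why hostname.domain.domain) both come from the glibc stub resolver on the XI host rather than from any Nagios setting. The model below, an added example and not Nagios or glibc code, implements the name-expansion rules documented in resolv.conf(5): a name with at least `ndots` dots (default 1) is queried as-is first and the `search` list is tried only after an NXDOMAIN, a name with fewer dots gets the search list first, and a trailing dot makes the name absolute so the search list is never used. For each candidate the host sends an A and, when IPv6 is in play, an AAAA query. The `ipv6_enabled` flag encodes Scott's point that disabling IPv6 on the server stops the AAAA lookups; in practice that depends on the calling program passing AI_ADDRCONFIG to getaddrinfo, so treat the flag as an assumption to verify with a capture. The search list and host names are hypothetical. Note also that the stub resolver keeps no cache of its own, so unless nscd or a local caching resolver is running on the XI host, every check that passes a hostname sends the full set shown here.

```python
def expand_search_list(name, search, ndots=1):
    """Candidate names, in order, that the glibc stub resolver queries for
    `name` until one resolves (resolv.conf(5): ndots / search / trailing dot).
    `search` is the resolv.conf search list, e.g. ["example.net"]."""
    if name.endswith("."):
        return [name]                       # absolute: search list never applied
    absolute = name + "."
    suffixed = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed        # as-is first, search list only on NXDOMAIN
    return suffixed + [absolute]            # short name: search list first


def queries_for_check(name, search, resolvable, ndots=1, ipv6_enabled=True):
    """Simulate one hostname resolution performed by a check.

    Walks the candidates until one is in `resolvable` (the set of names the
    DNS actually knows, as absolute names with trailing dot), sending an A
    and, if IPv6 is enabled on the host, an AAAA query for each candidate.
    Assumption: with IPv6 disabled the caller suppresses AAAA (AI_ADDRCONFIG).
    Returns the (qtype, qname) pairs that went on the wire."""
    qtypes = ["A", "AAAA"] if ipv6_enabled else ["A"]
    sent = []
    for candidate in expand_search_list(name, search, ndots):
        sent.extend((qt, candidate) for qt in qtypes)
        if candidate in resolvable:
            break                           # NXDOMAIN on all of them: whole list walked
    return sent


if __name__ == "__main__":
    # Hypothetical resolv.conf: search example.net, default ndots:1.
    search = ["example.net"]
    known = {"support.nagios.com."}
    cases = [
        ("resolvable FQDN", "support.nagios.com", True),
        ("FQDN that never resolves", "db01.example.net", True),
        ("same, IPv6 disabled", "db01.example.net", False),
        ("same, trailing dot", "db01.example.net.", True),
    ]
    for label, host, v6 in cases:
        sent = queries_for_check(host, search, known, ipv6_enabled=v6)
        print(f"{label}: {len(sent)} queries")
        for qt, qn in sent:
            print(f"    {qt:<4} {qn}")
```

The second case is the one in the thread: a host that returns NXDOMAIN costs four queries per check, two of them for `db01.example.net.example.net.`, and the doubled name is the DNS team's evidence that the first lookup failed. Those search-walk queries go to whichever server is authoritative for the search domain, so if that domain is public they also carry internal host names off-site. Fixing the name that does not resolve, or removing the check for it, cuts the volume more than any TTL change at the resolver; a trailing dot stops the walk in the model, but whether a given XI address field accepts one is something to test on the host.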