
Ethereal-dev: [Ethereal-dev] RE: Ethereal DNS Traffic Storm - Clarified Post

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Wescott, David H" <david.h.wescott@xxxxxxxxx>
Date: Fri, 26 Mar 2004 14:12:05 -0800
Title: RE: Ethereal DNS Traffic Storm - Clarified Post

Clarified Post:

    The users impacted by this DNS issue were using default Ethereal settings.  That is, MAC name resolution, transport name resolution and concurrent DNS name resolution (maximum concurrent requests = 500) were enabled.  Network layer name resolution was not enabled.  This issue seems to occur during the display of data, not during the capture of data.  We estimate that the trace contained hundreds of unique IP addresses, but there were not "hundreds of thousands".  The Ethereal client did have 5 configured DNS servers.  Of these, 3 were dynamically learned via DHCP and 2 were hard coded.

    This is not normal DNS traffic.  Consider that the rate is 1000+ frames per second, and that this traffic is going to all configured DNS servers simultaneously.  In addition, these are not the expected DNS queries carried by UDP.  These are TCP SYN frames to port 53.  When the DNS server responds with a SYN ACK, the Ethereal client aborts the connection attempt with a TCP RESET.  This traffic is continuous until Ethereal is aborted, and no DNS information is gained, since 100% of these port 53 connection attempts are unsuccessful.  In one case, an impacted user left their machine running in this state for 3 hours and this high rate of DNS traffic was constant for the entire time.  We have observed that this condition occurs during display and not capture, and that it will push the client CPU to 100%.  We believe that this is some type of bug, and not normal DNS traffic.  This condition only occurs when Ethereal is used, and of course only if DNS lookups are enabled.  However, we would like to get this corrected, so that DNS lookups can be used.

    We were not able to find the ADNS library in ethereal source code package.  If the problem is with ADNS and not Ethereal itself, how do we proceed to get this corrected?

Response From List:

    If you go to Edit->Preferences->Name Resolution, is network name resolution enabled, and if so is concurrent DNS name resolution enabled? Are there hundreds of thousands of unique IP addresses in the traffic that you're capturing? If so, then this behavior is expected.

    By default, Ethereal tries to resolve any IP addresses that it finds. If you're capturing a lot of unique IP addresses, then Ethereal will correspondingly generate a lot of DNS queries. It keeps a local cache of host names, so each address should only be queried once per capture session. I'm not sure what to make of the TCP connection attempts. We're using the ADNS library for concurrent name resolution; it sounds like it may have a bug. ADNS uses the host's default name servers for resolution. Do you have all five DNS servers configured on your system?

    You can disable network name resolution from the Preferences dialog above, or by selecting View->Name Resolution->Enable for Network Layer.

Original Post:

    We are seeing occasional DNS traffic storms that have been isolated to Ethereal.  We have confirmed cases with versions 0.9.14 and 0.9.15.  Unfortunately, we were also able to reproduce this issue with the current version, 0.10.2.  The impacted devices were running Windows operating systems, but we do not know if that is a criterion.  We did several searches of the Ethereal mailing lists, but could not find any current reference to this issue.  We did find some hits talking about a DNS loop, but it seemed to be referring to DNS packet decodes, not DNS name resolution of devices in the trace.  In addition, it appeared to have already been corrected.

    We have seen as high as 1,132 frames-per-second of DNS related traffic from a single Ethereal client.  We were able to capture a sample trace of an Ethereal DNS traffic storm.  There were a total of 547,226 frames of DNS related traffic in ~8 minutes.  This was ~36 Meg of network traffic, with an overall average rate of 1,132 packets-per-second.  In summary, the Ethereal client PC sent a total of 250,461 DNS connection attempts (TCP port 53) to 5 different DNS servers in ~8 minutes.  There were ~50K connection attempts per DNS server in this sample trace.  This traffic continued until the Ethereal application was aborted.  The 3 valid DNS servers each answered as expected with a TCP SYN ACK.  The client then responded to these TCP SYN ACK frames with a TCP RST (Reset) aborting the connection attempt.

    Is anyone aware of this issue?  Please advise so that we can get this problem corrected.
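The traffic signature described in this thread (a sustained burst of TCP SYNs to port 53 spread across every configured resolver, answered by SYN-ACK and immediately torn down by the client with RST, with no handshake ever completing) is something a network defender can flag from packet summaries. The following is an added example, not code from the thread or the Ethereal project; the addresses, the record layout and the function names (make_storm, detect_dns_syn_storm) are constructed for illustration.

```python
from collections import defaultdict
# Constructed resolver addresses (hypothetical): three answer SYN-ACK, two never
# answer, matching the thread's "5 configured DNS servers, 3 valid".
LIVE_RESOLVERS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
DEAD_RESOLVERS = ["10.0.0.4", "10.0.0.5"]

def make_storm(client="192.0.2.10", n=1200, duration=1.2):
    """Constructed records (ts, src, dst, sport, dport, flags) mimicking the reported
    storm: SYN to tcp/53 on each resolver, SYN-ACK from live ones, RST from client."""
    pkts, servers = [], LIVE_RESOLVERS + DEAD_RESOLVERS
    for i in range(n):
        ts, srv, sport = i * duration / n, servers[i % len(servers)], 40000 + i
        pkts.append((ts, client, srv, sport, 53, "S"))
        if srv in LIVE_RESOLVERS:
            pkts.append((ts + 0.0001, srv, client, 53, sport, "SA"))
            pkts.append((ts + 0.0002, client, srv, sport, 53, "R"))
    return pkts

# Constructed benign record: one TCP DNS query whose handshake completes.
BENIGN = [(0.0, "192.0.2.20", "10.0.0.1", 40000, 53, "S"),
          (0.001, "10.0.0.1", "192.0.2.20", 53, 40000, "SA"),
          (0.002, "192.0.2.20", "10.0.0.1", 40000, 53, "A")]

def detect_dns_syn_storm(pkts, min_rate=100.0, min_servers=2):
    """Per source host, count SYNs, RSTs and handshake-completing ACKs sent to tcp/53
    and the distinct resolvers hit. Report a host whose SYN rate reaches min_rate/s
    across min_servers or more resolvers with RST teardowns and no completed handshake."""
    stats = defaultdict(lambda: {"syn": 0, "rst": 0, "ack": 0, "servers": set(),
                                 "first": float("inf"), "last": 0.0})
    for ts, src, dst, sport, dport, flags in pkts:
        if dport != 53:          # only the client -> resolver direction
            continue
        s = stats[src]
        if flags == "S":
            s["syn"] += 1
            s["servers"].add(dst)
            s["first"] = min(s["first"], ts)
            s["last"] = max(s["last"], ts)
        elif flags == "R":
            s["rst"] += 1
        elif flags == "A":       # third packet of the handshake: a real connection
            s["ack"] += 1
    findings = {}
    for host, s in stats.items():
        rate = s["syn"] / max(s["last"] - s["first"], 1.0)   # span floored at 1 s
        if (rate >= min_rate and len(s["servers"]) >= min_servers
                and s["ack"] == 0 and s["rst"] > 0):
            findings[host] = {"syn_per_sec": round(rate, 1), "syn": s["syn"],
                              "rst": s["rst"], "servers": len(s["servers"])}
    return findings
```

Run against the constructed storm it reports the client at roughly 1000 SYNs per second to five resolvers with 720 RSTs and no completed handshake, while the benign query and a low-rate burst produce no finding.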