[unisog] DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear?

Irwin Tillman irwin at princeton.edu
Tue Sep 27 16:06:46 GMT 2005


In recent weeks, I've been seeing an increasing volume of DNS traffic from some Windows machines
in a pattern that I've not seen before.

Because the affected machines are almost entirely student machines,
I thought I'd check with unisog folks to see if they've seen the
pattern before.


Each of the affected machines is sending two DNS lookups for every
UDP broadcast packet it hears involving NetBIOS ports 137 or 138.

E.g. if a machine (say 10.1.57.8) on network (say 10.1.0.0/16) broadcasts:

    IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

Then each affected Windows machine (say 10.1.3.4) on the same network
issues the following two lookups to the DNS server (say 192.168.1.1):

   IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
   IP 10.1.3.4.3639 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.


Other characteristics:

* The DNS server responds to the first query with the name corresponding
to the PTR record, with a 12-hour TTL.  The affected Windows machine
does not cache this, because the next time it sees a similar packet
from the same machine A, it repeats the query.

* The DNS server responds to the second query with an NXDOMAIN response;
the requested IP address is the all-1's style subnet directed broadcast
address for the subnet, a value that is not particularly useful to look up in DNS.
The negative caching TTL is 10 minutes.
The affected Windows machine
does not cache this, because the next time it sees a similar packet
from any machine it repeats the query.

* All the affected Windows machines sending the DNS queries have three DNS servers (learned via DHCP).
Unexpectedly, all send these queries not to the first DNS server in the list, but to the third.


Naturally, this DNS behavior doesn't scale.  
If there are X such NetBIOS-over-IP broadcasts per second on the network,
and Y affected Windows machines, the DNS server will receive 2 * X * Y 
DNS queries per second.
I see the number Y (the number of affected Windows machines) growing here;
it's already resulted in quadrupling the DNS query rate to some DNS servers here.

Does anyone know what causes some Windows machines to produce this
unfortunate DNS behavior?  

/ Irwin Tillman, OIT Network Systems, Princeton University
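The pattern Irwin describes can be picked out of tcpdump text on the DNS server or a span port: a client that answers every udp/137 or udp/138 broadcast with PTR lookups for the broadcast's source and destination, and that repeats the same lookup instead of honoring the TTL. The script below is an added example written for this post, not Irwin's own tooling; it parses lines in the tcpdump format quoted above, ties PTR queries back to the NetBIOS broadcasts they echo, flags clients that re-query an already-answered name, and compares the observed query count with the 2 * X * Y estimate from the post. The capture embedded in it is constructed to match the quoted format and is not a real trace.

```python
"""Spot Windows clients that echo NetBIOS (udp/137-138) broadcasts as uncached
PTR lookups, from tcpdump -n style text output.

Added example; SAMPLE_CAPTURE is constructed in the format quoted in the post.
"""
import re
from collections import defaultdict

# Constructed sample capture: two NBT broadcasts from 10.1.57.8; clients 10.1.3.4
# and 10.1.9.9 echo each one with two PTR lookups; 10.1.20.1 is a normal client.
SAMPLE_CAPTURE = """\
IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
IP 10.1.3.4.3639 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.9.9.3001 > 192.168.1.1.53: 1+ PTR? 8.57.1.10.in-addr.arpa.
IP 10.1.9.9.3002 > 192.168.1.1.53: 1+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
IP 10.1.3.4.3640 > 192.168.1.1.53: 3+ PTR? 8.57.1.10.in-addr.arpa.
IP 10.1.3.4.3641 > 192.168.1.1.53: 3+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.9.9.3003 > 192.168.1.1.53: 4+ PTR? 8.57.1.10.in-addr.arpa.
IP 10.1.9.9.3004 > 192.168.1.1.53: 4+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.20.1.4000 > 192.168.1.1.53: 7+ A? www.example.com.
IP 10.1.20.1.4001 > 192.168.1.1.53: 8+ PTR? 1.1.168.192.in-addr.arpa.
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# NetBIOS name-service / datagram broadcast as tcpdump prints it.
NBT_BCAST_RE = re.compile(rf"^IP {IPV4}\.13[78] > {IPV4}\.13[78]: NBT ")
# PTR query to port 53; the colon after the port is optional because the post's
# second quoted line omits it.
PTR_QUERY_RE = re.compile(rf"^IP {IPV4}\.\d+ > {IPV4}\.53:? +\d+\+ PTR\? (\S+)$")


def ptr_name_to_ip(name):
    """'8.57.1.10.in-addr.arpa.' -> '10.1.57.8'; None if not an IPv4 reverse name."""
    suffix = ".in-addr.arpa."
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def analyze(capture_text, min_repeats=2):
    """Correlate PTR queries with the NBT broadcasts that provoked them.

    A client is 'affected' when it looks up the same broadcast-derived reverse
    name at least min_repeats times: the post's point is that the answer (and
    the NXDOMAIN for the broadcast address) is never cached.
    """
    broadcast_count = 0
    broadcast_addrs = set()  # sources and broadcast destinations seen on 137/138
    lookups = defaultdict(lambda: defaultdict(int))  # client -> reverse name -> count
    servers = defaultdict(set)  # client -> DNS servers it sent those queries to
    for line in capture_text.splitlines():
        m = NBT_BCAST_RE.match(line)
        if m:
            broadcast_count += 1
            broadcast_addrs.update(m.groups())
            continue
        m = PTR_QUERY_RE.match(line)
        if not m:
            continue
        client, server, name = m.groups()
        if ptr_name_to_ip(name) in broadcast_addrs:
            lookups[client][name] += 1
            servers[client].add(server)
    affected = sorted(c for c, names in lookups.items()
                      if max(names.values()) >= min_repeats)
    echoed = sum(sum(names.values()) for c, names in lookups.items() if c in affected)
    return {
        "broadcasts": broadcast_count,
        "affected_clients": affected,
        "servers_used": {c: sorted(servers[c]) for c in affected},
        "echoed_ptr_queries": echoed,
        # The post's load estimate: two lookups per broadcast per affected client.
        "expected_ptr_queries": 2 * broadcast_count * len(affected),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_CAPTURE)
    print(f"NBT broadcasts seen:      {report['broadcasts']}")
    print(f"affected clients:         {', '.join(report['affected_clients']) or 'none'}")
    for client, srv in report["servers_used"].items():
        print(f"  {client} queried {', '.join(srv)}")
    print(f"echoed PTR queries:       {report['echoed_ptr_queries']}")
    print(f"expected 2*X*Y:           {report['expected_ptr_queries']}")
```

Run it against `tcpdump -n -l udp port 53 or udp port 137 or udp port 138` output (the `-n` is what keeps addresses numeric in the form the regexes expect). The `servers_used` field is there for the third observation in the post: if every affected client is talking to the same one of its three configured resolvers, that shows up directly in the report.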


