On 23 Feb 2005, at 15:10, Juha Saarinen wrote:
> Joe Abley wrote:
>> The Auckland node is engineered to deal with flash crowds (e.g. wildfire lookups of "WORKGROUP" by new and exciting Windows worms)
> That sounds more like the default Windows networking installation looking for its WORKGROUP workgroup rather than a worm.
There are plenty of examples of worms triggering DNS lookups as they go about their wormly business. I'm not talking about the general background level of junk queries from Windows and other boxes which are either misconfigured or contain poor DNS client implementations. Evi did a talk on this in Mount Wellington.
> 'man pf'
If you're suggesting that blocking 53/udp and 53/tcp would be an effective way to reduce query load on the roots, then yes, I'm sure that would be highly effective. (Simply turning them all off would probably be less effort, however.)

Joe