2

I switched to Amazon's Route 53 service for three small, low-traffic domains last month. The first bill just came in, and it was something of a shock.

The number of queries for the first month for the three domains was 17 million, 25 million, and 75 million, respectively. That last is just used for a (very) small corporate website and email. It gets less than 200 visitors a month, and maybe a few dozen email messages (mostly spam). How in the world did it generate 75 million DNS queries? That's like...30 queries per second?!

That's not normal volume, is it?

Is there any way I can figure this out? Does anyone know if Amazon offers any reporting that could help me figure out this query volume?

Cody Hatch
  • 2
    Clearly either Amazon's billing is in error or someone is specifically trying to run up Amazon Route 53 bills. – David Schwartz Jan 04 '12 at 02:32
  • 1
    Our medium-traffic domains average 30 queries per *minute* (total on all authoritative name servers). You're seeing more than 50 times that. – David Schwartz Jan 04 '12 at 02:39
  • 2
    While the cost is a problem in itself, I would worry that there is a sloppily written script trying to guess your passwords or sending spam through a mailserver in the domain. tcpdump/wireshark on the boxen named by those DNS records would be my first action. – Bittrance Jan 04 '12 at 03:00
  • What is your DNS TTL value? Is it too small? – Khaled Jan 04 '12 at 08:08
  • @Khaled It's 300, which seems to be the default on Route 53. That may be making the issue worse and I'll try increasing it...but honestly, I can't see that being the cause of the issue. – Cody Hatch Jan 04 '12 at 09:37

1 Answer

1

You definitely shouldn't be seeing that many queries if you hosted your own NS. It's possible that there's a spammer hijacking your domain. You'd likely see a large number of PTR queries if it was sending mail, if you're able to check.

However, because it's hosted on Amazon AWS IP space, there's inherently more scanning/querying on this provider than if you hosted your domain on your own IP space.

Try and get a report from them based on the top querying IPs and their country origins. I wouldn't be surprised if it was due to some Chinese botnets scanning that Amazon doesn't filter out before billing.

3neat
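An added example, not part of the original thread or of anyone's answer: one way to build the "top querying IPs" report suggested above, assuming per-query logs are available in the space-separated layout of Route 53 public query logging (version, timestamp, zone ID, name, type, response code, protocol, edge location, resolver IP, EDNS client subnet). The sample lines, zone ID and addresses are constructed.

```python
from collections import Counter
from datetime import datetime

FIELDS = ("version", "time", "zone", "qname", "qtype", "rcode",
          "proto", "edge", "resolver", "ecs")

# Constructed sample input; addresses come from documentation ranges.
SAMPLE = """\
1.0 2024-01-04T02:30:00.000Z ZEXAMPLE example.com A NOERROR UDP IAD1 192.0.2.10 -
1.0 2024-01-04T02:30:00.250Z ZEXAMPLE example.com MX NOERROR UDP IAD1 198.51.100.7 -
1.0 2024-01-04T02:30:00.500Z ZEXAMPLE a1.example.com A NXDOMAIN UDP NRT1 203.0.113.5 -
1.0 2024-01-04T02:30:01.000Z ZEXAMPLE b2.example.com A NXDOMAIN UDP NRT1 203.0.113.5 -
1.0 2024-01-04T02:30:01.500Z ZEXAMPLE c3.example.com A NXDOMAIN UDP NRT1 203.0.113.5 -
truncated line
1.0 2024-01-04T02:30:02.000Z ZEXAMPLE example.com A NOERROR TCP IAD1 192.0.2.10 -
"""

def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    except ValueError:
        return None
    return rec

def summarize(text, top=3):
    """Tally who is asking, for what, and how fast."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    if not recs:
        return {"total": 0}
    times = [r["time"] for r in recs]
    # Avoid dividing by zero when every record shares one timestamp.
    span = (max(times) - min(times)).total_seconds() or 1.0
    return {
        "total": len(recs),
        "qps": len(recs) / span,
        "nxdomain_share": sum(r["rcode"] == "NXDOMAIN" for r in recs) / len(recs),
        "top_resolvers": Counter(r["resolver"] for r in recs).most_common(top),
        "by_type": Counter(r["qtype"] for r in recs).most_common(),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A high NXDOMAIN share concentrated on one resolver points at scanning or name guessing rather than real visitors. The logged address is the recursive resolver that asked, not necessarily the end client behind it.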