Open jsf9k opened 3 years ago
I will get an email out to our AWS contacts tomorrow morning.
I sent an email to Adrian on Friday.
Adrian got back to us on August 20:
I looked through the code in the cisgov/trustymail and 18F/domain-scan repos, along with your description. It's a sticky wicket. Here are what I see as the challenges and path forward:
Challenges:
The tl;dr is what you already know:
Options:
Summary
Some DNS lookups are failing in Trustworthy Email scans, presumably because we are hitting the 1024 queries per second per network interface throttling limit applied to AWS VPCs or another similar limit.
I noticed this in this week's BOD 18-01 scanning run, since the Trustworthy Email report for National Labor Relations Board failed to generate. When I investigated, I saw that this is because the Trustworthy Email reporting process thought there were no active domains for that agency; however, a quick "dig MX nlrb.gov" shows this not to be the case. Digging further, I can see many lines of this form in the file /var/cyhy/orchestrator/output/archive/latest/results/trustymail.csv:

Note the error message "All nameservers failed to answer the query nlrb.gov. IN MX: Server 169.254.78.1 TCP port 53 answered REFUSED", indicating that the AWS DNS queries are being throttled. I thought DNS was at 169.254.169.253, but it appears that something different is happening with DNS for Lambdas that live in a VPC: see here, here, and especially here. Note that the last link indicates pretty degraded performance for non-cacheable DNS requests in AWS Lambda. This is exactly the problem that is discussed in this comment.
To reproduce
Steps to reproduce the behavior:
grep -F REFUSED /var/cyhy/orchestrator/output/archive/latest/results/trustymail.csv
on the BOD 18-01 reporting instance.

Expected behavior
The Trustworthy Email results should not include any DNS refusals.