Unexpected behaviour from the B root servers? Am I setup wrong?

Peter Dambier peter at peter-dambier.de
Mon Feb 26 09:12:25 UTC 2007


Stephen John Smoogen wrote:
> I am only seeing this with the B systems at the moment.. and I am
> trying to figure out how I should 'fix' my firewall or backbone DNS
> server to deal with it.
> 
> Our campus DNS servers will 'proxy' a request to the backbone DNS
> servers and when it talks to the B servers, we get requests back from
> different IP address from what we sent to (thus our firewall drops it
> as a bad session).
> 
> 129.24.8.1.32768 > 192.228.79.201.domain
> 192.228.79.200.domain > 129.24.8.1.32768
> 192.228.79.202.domain > 129.24.8.1.32768
> 192.228.79.201.domain > 129.24.8.1.32768
> 
> This really picked up on Saturday when pretty much every send to the
> 192.228.79.201 server got 1 to 2 other returns from b1.ip4.int,
> b2.ip4.int etc.
> 
> The only other servers that the firewall seems to be dropping are some
> 'questionable' ones in Romania that showed up over the weekend.
> 
> 


No wonder:

128.9.0.0		isi-net.isi.edu
128.9.0.107		ns1.isi.edu	b.root-servers.net.old
128.9.128.127	  	NS.ISI.EDU
128.9.176.32	  	VENERA.ISI.EDU

soa("um","2006120106","FLAG.EP.NET","198.32.4.13").
error("um","VENERA.ISI.EDU","128.9.176.32","no response").
soa("um","2006120106","NS.ISI.EDU","128.9.128.127").
error("um","NS.UU.NET","137.39.1.3","no soa").

First they feathered and tarred the .um TLD
Now they try to do the same to the root  :)

host_name("192.228.79.200","b1.ip4.int").
host_name("192.228.79.201","b.root-servers.net").
host_name("192.228.79.202","b2.ip4.int").
host_name("192.228.79.203","b3.ip4.int").
host_name("192.228.79.204","b4.ip4.int").

Since they moved the b.root-servers.net to its new ip,
they are living behind a load balancer.

When one of them is busy the answer might reach more
than one of them. When the sleepy one sends its answer
the load balancer does not know what to do with it
and lets it out without NATting its ip-address.

Looks like anycast - but it isn't.

Best cure would be to have a copy of b.root-servers.net
behind your firewall. Bind slave mode.

Bind will connect to b.root-servers.net via tcp,
twice per day and there will go no other queries to
the root-servers. There will come no more answers.


Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher-Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
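
The session check that the firewall applies to the capture quoted in this message, as an added example that is not part of the original post or of any firewall's own code: it pairs each DNS reply with the server address the query was sent to and flags replies arriving from any other source. The sample trace is constructed from the four lines in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample in the tcpdump notation used in the post
# (addresses and ports are the ones quoted in the thread).
SAMPLE = """\
129.24.8.1.32768 > 192.228.79.201.domain
192.228.79.200.domain > 129.24.8.1.32768
192.228.79.202.domain > 129.24.8.1.32768
192.228.79.201.domain > 129.24.8.1.32768
"""

# "a.b.c.d.port > a.b.c.d.port", port numeric or a service name
LINE = re.compile(r"^(\d+(?:\.\d+){3})\.(\w+) > (\d+(?:\.\d+){3})\.(\w+)$")
DNS_PORTS = {"domain", "53"}

def classify(trace):
    """Return (verdict, src_ip, dst_ip) per packet; verdict is one of
    'query', 'accept', 'mismatch', 'unsolicited'."""
    # (client_ip, client_port) -> server IP the query was sent to.
    # Simplification: entries never expire; a real firewall times them out.
    pending = {}
    out = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected notation
        sip, sport, dip, dport = m.groups()
        if dport in DNS_PORTS and sport not in DNS_PORTS:
            pending[(sip, sport)] = dip
            out.append(("query", sip, dip))
        elif sport in DNS_PORTS:
            expected = pending.get((dip, dport))
            if expected is None:
                out.append(("unsolicited", sip, dip))  # no query on record
            elif sip == expected:
                out.append(("accept", sip, dip))       # same address we asked
            else:
                out.append(("mismatch", sip, dip))     # reply from another IP
    return out

def mismatched_sources(trace):
    """Distinct source IPs that replied to a query sent to a different IP."""
    return sorted({s for v, s, _ in classify(trace) if v == "mismatch"})

if __name__ == "__main__":
    for verdict, src, dst in classify(SAMPLE):
        print(f"{verdict:11} {src} -> {dst}")
```
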



More information about the bind-users mailing list