[dns-operations] .COM and root authority claims seen in ISC SIE just now

Paul Vixie paul at vix.com
Sun Nov 18 15:15:16 UTC 2007


thanks to the fine folks who run ISC SIE sensors, i'm finally getting a
fairly clear picture of just how much mud there is.  (more sensors welcome!)

first, i see that the set of people who claim authority for .COM is about
the same as shown in various historical CAIDA papers on this topic:

1195394884 ns com IN NS 86400,a.gtld-servers.net 86400,b.gtld-servers.net \
  86400,c.gtld-servers.net 86400,d.gtld-servers.net 86400,e.gtld-servers.net \
  86400,f.gtld-servers.net 86400,g.gtld-servers.net 86400,h.gtld-servers.net \
  86400,i.gtld-servers.net 86400,j.gtld-servers.net 86400,k.gtld-servers.net \
  86400,l.gtld-servers.net 86400,m.gtld-servers.net 66.45.244.194
1195394889 ns com IN NS 3600,a.ns.com 64.141.108.13
1195394948 ns com IN NS 1800,ns2.cnspeed.com 218.104.136.156
1195394957 ns com IN NS 86400,ns1.ezydomain.com 86400,ns2.ezydomain.com \
  66.132.144.176
1195395011 ns com IN NS 7200,ns1.hi2000.net 7200,ns2.hi2000.net 222.73.228.75
1195395119 ns com IN NS 86400,ns5.namerich.cn 86400,ns6.namerich.cn \
  220.194.59.57
1195395179 ns com IN NS 1800,dns.cachenet.cn 218.104.136.134
1195395179 ns com IN NS 1800,dns1.netcache.cn 218.104.136.152
1195395191 ns com IN NS 1800,ns1.cnspeed.com 218.5.75.141
1195395480 ns com IN NS 86400,dns3.uusee.com 60.28.26.194
1195395484 ns com IN NS 1800,dns.netcache.cn 218.5.75.142
1195395709 ns com IN NS 3600,ns1.publinord.com 3600,ns2.publinord.com \
  217.220.37.147
1195395948 ns com IN NS 1800,mfns1.myfamily.net 1800,mfns2.myfamily.net \
  66.43.24.8
1195396091 ns com IN NS 1800,dns1.cachenet.cn 218.85.139.112

but the root changes are the interesting part of this, from my point of view.

1195394884 ns . IN NS 3600000,A.ROOT-SERVERS.net 3600000,B.ROOT-SERVERS.net \
  3600000,C.ROOT-SERVERS.net 3600000,D.ROOT-SERVERS.net \
  3600000,E.ROOT-SERVERS.net 3600000,F.ROOT-SERVERS.net \
  3600000,G.ROOT-SERVERS.net 3600000,H.ROOT-SERVERS.net \
  3600000,I.ROOT-SERVERS.net 3600000,J.ROOT-SERVERS.net \
  3600000,K.ROOT-SERVERS.net 3600000,L.ROOT-SERVERS.net \
  3600000,M.ROOT-SERVERS.net 65.207.183.15

that's good data but it's from dns1.weather.com.  note that my filter is only
looking at NOERROR responses for which ANCOUNT>0 or NSCOUNT>0, and QDCOUNT=1.
one could charitably believe that ns1.weather.com is issuing a root delegation
in response to having been asked a question for which it is not authoritative.
200.37.195.10 (no PTR, but whois says telefonica peru) also does this.

1195394884 ns . IN NS 1000,B.ROOT-SERVERS.net 1000,D.ROOT-SERVERS.net \
  1000,F.ROOT-SERVERS.net 1000,G.ROOT-SERVERS.net 1000,H.ROOT-SERVERS.net \
  1000,I.ROOT-SERVERS.net 1000,J.ROOT-SERVERS.net 1000,K.ROOT-SERVERS.net \
  64.215.164.195

that's bad data of a particular form: TTL=1000, only 8 servers.  this source
(which has no PTR but it's inside GBLX) sent a total of 9 similar responses
in this couple-of-minutes trace, round-robin'ing through servers A..M.  63
other "servers" did the same thing with varying frequency:

 189 204.2.178.132 a204-2-178-132.deploy.akamaitechnologies.com.
 139 63.209.3.131 
 131 193.108.91.137 
 119 193.108.91.2 
  98 63.117.217.2 
  61 206.132.100.108 
  42 65.114.105.3 
  26 63.215.124.158 unknown.Level3.net.
  19 63.215.198.91 unknown.Level3.net.
  18 217.212.245.68 217-212-245-68.customer.teliacarrier.com.
  12 208.44.108.136 208-44-108-136.dia.static.qwest.net.
   9 64.215.164.195 
   8 193.108.91.4 
   7 193.108.91.69 
   7 193.108.91.122 
   6 193.108.91.218 
   6 193.108.91.195 
   5 220.73.220.2 
   5 193.108.91.15 
   5 193.108.91.1 
   5 124.211.40.3 
   4 213.254.204.196 
   4 212.187.244.39 a212-187-244-39.deploy.akamaitechnologies.com.
   4 193.108.91.8 
   4 193.108.91.253 
   4 193.108.91.127 
   3 193.45.1.103 a193-45-1-103.deploy.akamaitechnologies.com.
...elided...

i see a similar round robin / truncated set of root name servers coming back
from 66.218.71.205 and 216.109.116.20, but with TTL=518400.  217.146.128.77,
which also uses this TTL, is naming 13 servers, but they're ORSN servers.

an unclear on the concept award goes out to these top level or root nsnames:

1195394889 ns . IN NS 60,ns1 216.36.248.92
1195394919 ns . IN NS 259200,ns 64.20.52.34
1195394954 ns . IN NS 0,. 205.216.134.41
1195394959 ns . IN NS 86400,localhost 66.197.68.184

and another to this all-numeric nsname:

1195394926 ns . IN NS 86400,72.32.71.212 72.32.71.212

special mention to the TTL=1 crowd:

1195394959 ns . IN NS 1,ns1.lamedelegation.net 1,ns2.lamedelegation.net \
  205.178.190.11
1195395008 ns . IN NS 1,ns1.4d.co.uk 89.145.68.30
1195395087 ns . IN NS 1,ns1.liquidnames.com 1,ns2.liquidnames.com 83.223.121.56

then there's a bunch of stuff that i just don't know what it means (yet).  you
can run it but you can no longer hide it (nyeck nyeck):

1195394884 ns . IN NS 259200,ns4.dnsauthority.com 259200,ns5.dnsauthority.com 69.25.199.140
1195394885 ns . IN NS 3600,cpns01.secureserver.net 3600,cpns02.secureserver.net 64.202.167.174
1195394885 ns . IN NS 3600,ns1.domainsarefree.com 3600,ns2.domainsarefree.com 203.22.204.105
1195394892 ns . IN NS 3600,dns1.365.com 61.151.253.90
1195394893 ns . IN NS 3600,dpns1.dnsnameserver.org 3600,dpns2.dnsnameserver.org 3600,dpns3.dnsnameserver.org 3600,dpns4.dnsnameserver.org 209.128.76.102
1195394895 ns . IN NS 86400,ns0.directnic.com 86400,ns1.directnic.com 69.46.234.245
1195394899 ns . IN NS 86400,ns0.expireddomainservices.com 86400,ns1.expireddomainservices.com 204.251.10.227
1195394906 ns . IN NS 3600,ns1.trafficz.com 3600,ns2.trafficz.com 64.14.244.254
1195394924 ns . IN NS 86400,ns2.catcher.co.uk 86400,ns2.i-business.co.uk 86400,ns4.catcher.co.uk 83.138.188.36
1195394924 ns . IN NS 86400,ns.catcher.co.uk 86400,ns.i-business.co.uk 86400,ns1.catcher.co.uk 86400,ns1.i-business.co.uk 86400,ns3.catcher.co.uk 83.138.190.136
1195394927 ns . IN NS 14400,ns1.a1group.com 14400,ns2.a1group.com 64.151.123.213
1195394928 ns . IN NS 300,redir-01.premiumtraffic.com 300,redir-02.premiumtraffic.com 64.255.172.58
1195394940 ns . IN NS 3600,ns1.eedns.com 3600,ns2.eedns.com 59.60.28.119
1195394942 ns . IN NS 3600,ns1.netwisenetworks.co.uk 3600,ns2.netwisenetworks.co.uk 213.232.94.165
1195394943 ns . IN NS 86400,expired1.dnsbakler.com 86400,expired2.dnsbakler.com 64.28.186.73
1195394955 ns . IN NS 3600,dnsp1.powerhosting.com 3600,dnsp2.powerhosting.com 38.98.193.8
1195394968 ns . IN NS 3600,ns0.dnsmadeeasy.com 3600,ns1.dnsmadeeasy.com 3600,ns2.dnsmadeeasy.com 3600,ns3.dnsmadeeasy.com 3600,ns4.dnsmadeeasy.com 205.234.170.165
1195395058 ns . IN NS 86400,ns1.muumuu-domain.com 86400,ns2.muumuu-domain.com 210.157.1.186
1195395058 ns . IN NS 14400,NS1.IDITE-NA-HUI.COM 14400,NS2.IDITE-NA-HUI.COM 14400,NS3.IDITE-NA-HUI.COM 83.149.75.58
1195395060 ns . IN NS 300,ns3.weddingsetup.com 300,ns4.weddingsetup.com 204.101.246.207
1195395061 ns . IN NS 3600,ns1.pairNIC.com 3600,ns2.pairNIC.com 66.39.3.60
1195395063 ns . IN NS 43200,ns3.eachnic.com 218.244.143.119
1195395073 ns . IN NS 300,dns1.vpop.net 300,dns2.vpop.net 216.193.240.2
1195395090 ns . IN NS 38400,dns1.baihei.com 218.75.144.80
1195395112 ns . IN NS 1440,ns1.canaldominios.com 1440,ns2.canaldominios.com 82.194.64.26
1195395119 ns . IN NS 86400,ns5.namerich.cn 86400,ns6.namerich.cn 220.194.59.28
1195395284 ns . IN NS 259200,dns1.sendori.com 259200,dns2.sendori.com 259200,dns3.sendori.com 259200,dns4.sendori.com 259200,dns5.sendori.com 208.78.70.81
1195395447 ns . IN NS 86400,dns1.name-hosting.net 86400,dns2.name-hosting.net 210.157.1.182
1195395674 ns . IN NS 86400,parked1.dnsbakler.com 86400,parked2.dnsbakler.com 64.28.186.70
1195395882 ns . IN NS 3600,ns4.getitonline.com 3600,ns5.getitonline.com 65.245.224.75
1195395969 ns . IN NS 14400,ns1.1plus.net 14400,ns2.1plus.net 69.73.189.157
1195396073 ns . IN NS 3600,p00.psi.jp 3600,p01.psi.jp 221.249.12.35
1195396289 ns . IN NS 43200,ns5.eachnic.com 218.244.143.121

did i mention that more sensors are welcome, and also, that any bona fide DNS
researcher is welcome to look at the same raw data i'm seeing?
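The filtering and sorting Vixie describes above (legitimate 13-server sets versus truncated round-robin subsets, odd TTLs, and nsnames that make no sense for the root) can be mechanised. The following is an added example written for this page, not code from the post or from the ISC SIE tooling; it assumes the record layout visible in the quoted lines (`<unix-ts> ns <owner> IN NS <ttl>,<nsname> ... <source-ip>`, with backslash continuations), uses the published root-server names and their 3600000 hint TTL as the reference for `.`, the `gtld-servers.net` hosts as the reference for `com`, and feeds it a handful of records copied from the post.

```python
"""Classify SIE-style NS authority claims for the root and .COM.

Added example; not code from the post or from ISC SIE. The record layout is
assumed from the lines quoted in the post:
    <unix-ts> ns <owner> IN NS <ttl>,<nsname> [<ttl>,<nsname> ...] <source-ip>
with backslash-newline continuations.
"""
import ipaddress
import re
from collections import Counter

# Reference sets: the 13 root servers with their published 3600000 hint TTL,
# and the 13 gtld-servers.net hosts for .COM (TTL not checked for .COM).
ROOT_NS = {f"{c}.root-servers.net" for c in "abcdefghijklm"}
GTLD_NS = {f"{c}.gtld-servers.net" for c in "abcdefghijklm"}
REFERENCE = {".": (ROOT_NS, 3600000), "com": (GTLD_NS, None)}

# Sample records copied from the post (raw string keeps the trailing
# backslashes exactly as they appear there).
SAMPLE = r"""
1195394884 ns . IN NS 3600000,A.ROOT-SERVERS.net 3600000,B.ROOT-SERVERS.net \
  3600000,C.ROOT-SERVERS.net 3600000,D.ROOT-SERVERS.net \
  3600000,E.ROOT-SERVERS.net 3600000,F.ROOT-SERVERS.net \
  3600000,G.ROOT-SERVERS.net 3600000,H.ROOT-SERVERS.net \
  3600000,I.ROOT-SERVERS.net 3600000,J.ROOT-SERVERS.net \
  3600000,K.ROOT-SERVERS.net 3600000,L.ROOT-SERVERS.net \
  3600000,M.ROOT-SERVERS.net 65.207.183.15
1195394884 ns . IN NS 1000,B.ROOT-SERVERS.net 1000,D.ROOT-SERVERS.net \
  1000,F.ROOT-SERVERS.net 1000,G.ROOT-SERVERS.net 1000,H.ROOT-SERVERS.net \
  1000,I.ROOT-SERVERS.net 1000,J.ROOT-SERVERS.net 1000,K.ROOT-SERVERS.net \
  64.215.164.195
1195394889 ns . IN NS 60,ns1 216.36.248.92
1195394954 ns . IN NS 0,. 205.216.134.41
1195394926 ns . IN NS 86400,72.32.71.212 72.32.71.212
1195394959 ns . IN NS 1,ns1.lamedelegation.net 1,ns2.lamedelegation.net \
  205.178.190.11
1195394889 ns com IN NS 3600,a.ns.com 64.141.108.13
"""

RECORD_RE = re.compile(r"^(\d+) ns (\S+) IN NS (.+?) (\S+)$")


def unfold(text):
    """Join backslash-continued lines into one physical record per entry."""
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        buf += line
        if buf.strip():
            records.append(buf.strip())
        buf = ""
    return records


def parse_record(line):
    """Split one unfolded record into fields; nsnames are lower-cased."""
    m = RECORD_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised record: {line!r}")
    ts, owner, rdata, source = m.groups()
    nsset = []
    for item in rdata.split():
        ttl, name = item.split(",", 1)
        nsset.append((int(ttl), name.lower().rstrip(".") or "."))
    return {"ts": int(ts), "owner": owner.lower(), "ns": nsset, "source": source}


def is_malformed_nsname(name):
    """The root itself, an unqualified single label (ns1, localhost), or an
    IP literal: none of these is a usable nsname for a delegation."""
    if name == "." or "." not in name:
        return True
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify(rec):
    """Return a list of findings for one record, most significant first."""
    names = {n for _, n in rec["ns"]}
    ttls = {t for t, _ in rec["ns"]}
    ref, ref_ttl = REFERENCE.get(rec["owner"], (None, None))
    if ref is None:
        return ["no reference set for owner"]
    findings = []
    if names == ref:
        findings.append("complete reference set")
    elif names <= ref:
        findings.append(f"truncated reference set ({len(names)} of {len(ref)})")
    else:
        findings.append("non-reference nameservers")
    if names <= ref and ref_ttl is not None and ttls != {ref_ttl}:
        findings.append(f"unexpected ttl {sorted(ttls)}")
    findings += [f"malformed nsname: {n}" for n in sorted(names) if is_malformed_nsname(n)]
    if ttls == {1}:
        findings.append("ttl=1")
    return findings


def truncated_root_sources(records):
    """Count, per source address, root responses carrying only a subset of
    the root servers (the TTL=1000, eight-server pattern in the post)."""
    counts = Counter()
    for rec in records:
        if rec["owner"] == "." and any(f.startswith("truncated") for f in classify(rec)):
            counts[rec["source"]] += 1
    return counts


def analyze(text):
    """(source, owner, findings) for every record in a block of SIE output."""
    return [(r["source"], r["owner"], classify(r)) for r in map(parse_record, unfold(text))]


if __name__ == "__main__":
    for source, owner, findings in analyze(SAMPLE):
        print(f"{source:16} {owner:4} {'; '.join(findings)}")
    print(truncated_root_sources([parse_record(l) for l in unfold(SAMPLE)]))
```

Run over a longer trace, `truncated_root_sources` produces the per-source tally the post shows (counts of 8-server round-robin responses per address), while `classify` separates the "good data" responses from the truncated sets, the unclear-on-the-concept nsnames and the TTL=1 crowd so each class can be reviewed on its own.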
