[dns-operations] Source code to identify the fake DNS packets from China Re: Odd behaviour on one node in I root-server (facebook, youtube & twitter)

Hauke Lampe lampe at hauke-lampe.de
Fri Apr 9 09:54:49 UTC 2010

John Kristoff wrote:
> David Dagon <dagon at cc.gatech.edu> wrote:
>>    a) Entire CIDRs (large ones: /16s, etc.) in China are open
>>       recursive, at least for qnames matching those three strings.
> They wouldn't be open recursive then, they'd effectively be claiming
> authority, either implicitly or explicitly.

I used DNS traceroute to get a better view on those fake answers.

  hping2 -T -n -2 -p 53 -E query-twitter.dns -d 34
(example payload attached or at

A few hops across the network border, volleys of forged answers begin to
appear. The query packets are not dropped, though, as I see "TTL
exceeded" messages all the way to the destination host.

So, a DNSSEC-signed answer should eventually make it back to the
initiator, if the listener hadn't already closed down after the first
unsigned reply matched the query's QID.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: query-twitter.dns
Type: application/octet-stream
Size: 29 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20100409/f1131aed/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20100409/f1131aed/attachment.sig>

More information about the dns-operations mailing list