[dns-operations] Odd behaviour on one node in I root-server (facebook, youtube & twitter)
bert hubert
bert.hubert at netherlabs.nl
Wed Mar 24 19:47:07 UTC 2010
On Wed, Mar 24, 2010 at 03:22:40PM -0300, Mauricio Vergara Ereche wrote:
> A local ISP has told us that there's some strange behavior with at least one
> node in i.root-servers.net (traceroute shows mostly China)
> It seems that when you ask A records for facebook, youtube or twitter, you get
> an IP and not the referral for .com
Wow! This is stunning. I knew that China messed with DNS internally, but not
that it leaked to the outside world. Perhaps this is what you are seeing.
Confirmed from a server in Shanghai (note the wrong checksums!)
7 x.182 (x.182) 2.601 msIcmp checksum is wrong
2.567 msIcmp checksum is wrong
2.124 ms
Icmp checksum is wrong
8 x.161 (x.161) 31.113 msIcmp checksum is wrong
9.614 msIcmp checksum is wrong
202.169 ms
9 210.22.66.185 (210.22.66.185) 2.620 ms 2.703 ms 2.613 ms
10 219.158.21.241 (219.158.21.241) 3.145 ms 3.054 ms 2.737 ms
11 219.158.3.206 (219.158.3.206) 3.269 ms 3.223 ms 2.574 ms
12 219.158.29.46 (219.158.29.46) 92.727 ms 92.685 ms 92.616 ms
13 210.130.133.69 (210.130.133.69) 102.338 ms 94.154 ms 95.960 ms
14 tky008bb00.IIJ.Net (58.138.105.177) 113.369 ms 117.653 ms 112.755 ms
15 tky009bf01.IIJ.Net (58.138.80.69) 149.537 ms tky009bf00.IIJ.Net (58.138.80.65) 97.795 ms tky008bf00.IIJ.Net (58.138.80.249) 97.472 ms
16 tky001bb10.IIJ.Net (58.138.80.22) 121.196 ms tky001bb11.IIJ.Net (58.138.80.46) 119.261 ms tky001bb10.IIJ.Net (58.138.80.10) 185.538 ms
17 tky001ix04.IIJ.Net (58.138.100.26) 109.179 ms tky001ix04.IIJ.Net (58.138.100.30) 118.512 ms 116.882 ms
18 as8674.dix-ie.jp (202.249.2.180) 94.323 ms 94.045 ms 94.044 ms
19 i.root-servers.net (192.36.148.17) 94.560 ms 94.096 ms 94.035 ms
$ dig +norecurs @i.root-servers.net www.facebook.com A
; <<>> DiG 9.2.4 <<>> +norecurs @i.root-servers.net www.facebook.com A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14020
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.facebook.com. IN A
;; ANSWER SECTION:
www.facebook.com. 300 IN A 46.82.174.68
;; Query time: 6 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Thu Mar 25 03:40:53 2010
;; MSG SIZE rcvd: 50
This one is even more stunning:
$ dig -t soa facebook.com @i.root-servers.net
; <<>> DiG 9.2.4 <<>> -t soa facebook.com @i.root-servers.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;facebook.com. IN SOA
;; ANSWER SECTION:
facebook.com. 300 IN A 59.24.3.173
;; Query time: 7 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Thu Mar 25 03:39:27 2010
;; MSG SIZE rcvd: 46
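An added example, not part of the original message: a small checker for saved dig output that flags the three signs visible in the replies above. A real root server does not set the ra flag, answers a name below a TLD with a referral rather than an answer, and would not return an A record for an SOA question. The function names and the one-record referral sample are assumptions made for illustration.

```python
import re

def parse_dig(text):
    """Extract flags, section counts, question and answer records from dig text."""
    flags = re.search(r";; flags:([^;]*);", text)
    counts = re.search(r"ANSWER: (\d+), AUTHORITY: (\d+)", text)
    question, answers, section = None, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(";;"):                     # section header or trailer line
            section = m.group(1) if (m := re.match(r";; (\w+) SECTION:", line)) else None
        elif section == "QUESTION" and line.startswith(";"):
            f = line[1:].split()                      # name, class, type
            question = (f[0].lower(), f[-1].upper())
        elif section == "ANSWER" and len(line.split()) >= 5:
            f = line.split()                          # name, ttl, class, type, rdata
            answers.append((f[3].upper(), f[4]))
    if not (flags and counts and question):
        raise ValueError("header or question section missing from dig output")
    return flags.group(1).split(), int(counts.group(1)), int(counts.group(2)), question, answers

def root_anomalies(text):
    """List the reasons a reply attributed to a root server cannot be genuine."""
    flags, n_answer, n_authority, (qname, qtype), answers = parse_dig(text)
    found = []
    if "ra" in flags:                                 # root servers never offer recursion
        found.append("ra flag set")
    if n_answer > 0 and n_authority == 0 and qname.count(".") > 1:
        found.append("answer instead of referral")    # name lies below a TLD
    for rtype, rdata in answers:
        if qtype != "ANY" and rtype not in (qtype, "CNAME", "RRSIG"):
            found.append(f"{rtype} {rdata} returned for {qtype} question")
    return found

# Lines copied from the SOA reply in the message above.
SOA_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;facebook.com. IN SOA
;; ANSWER SECTION:
facebook.com. 300 IN A 59.24.3.173
"""
# Constructed sample of a normal referral, trimmed to one NS record.
REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;facebook.com. IN SOA
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
"""
```

Calling `root_anomalies(SOA_REPLY)` reports all three signs, while the constructed referral produces an empty list.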