[dns-operations] Odd behaviour on one node in I root-server (facebook, youtube & twitter)
Matsuzaki Yoshinobu
maz at iij.ad.jp
Wed Mar 24 20:30:33 UTC 2010
Hi,
From IIJ/AS2497, we can get the expected answer from the i.root. And the
node should be in Tokyo - hostname.bind is "s1.tok"
% traceroute i.root-servers.net
traceroute to i.root-servers.net (192.36.148.17), 64 hops max, 40 byte packets
1 id-ex-router (202.232.15.209) 0.484 ms 0.338 ms 0.241 ms
2 210.130.154.241 (210.130.154.241) 0.613 ms 0.605 ms 0.618 ms
3 tky001ipgw11.IIJ.Net (58.138.101.197) 0.614 ms 0.604 ms 0.617 ms
4 tky001bb11.IIJ.Net (58.138.101.13) 0.489 ms 0.603 ms 0.491 ms
5 tky001ix04.IIJ.Net (58.138.100.30) 0.615 ms 0.728 ms 0.617 ms
6 as8674.dix-ie.jp (202.249.2.180) 0.864 ms 0.602 ms 0.617 ms
7 i.root-servers.net (192.36.148.17) 0.738 ms 0.728 ms 0.748 ms
% dig +norecurs @i.root-servers.net www.facebook.com A
; <<>> DiG 9.6.1-P1 <<>> +norecurs @i.root-servers.net www.facebook.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60601
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;www.facebook.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 172800 IN A 192.33.14.30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
;; Query time: 1 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Wed Mar 24 20:23:40 2010
;; MSG SIZE rcvd: 506
-----
Matsuzaki Yoshinobu <maz at iij.ad.jp>
- IIJ/AS2497 INOC-DBA: 2497*629
Date: Wed, 24 Mar 2010 20:47:07 +0100
bert hubert <bert.hubert at netherlabs.nl> wrote
> On Wed, Mar 24, 2010 at 03:22:40PM -0300, Mauricio Vergara Ereche wrote:
>> A local ISP has told us that there's some strange behavior with at least one
>> node in i.root-servers.net (traceroute shows mostly China)
>> It seems that when you ask A records for facebook, youtube or twitter, you get
>> an IP and not the referral for .com
>
> Wow! This is stunning. I knew that China messed with DNS internally, but not
> that it leaked to the outside world. Perhaps this is what you are seeing.
>
> Confirmed from a server in Shanghai (note the wrong checksums!)
>
> 7 x.182 (x.182) 2.601 msIcmp checksum is wrong
> 2.567 msIcmp checksum is wrong
> 2.124 ms
> Icmp checksum is wrong
> 8 x.161 (x.161) 31.113 msIcmp checksum is wrong
> 9.614 msIcmp checksum is wrong
> 202.169 ms
> 9 210.22.66.185 (210.22.66.185) 2.620 ms 2.703 ms 2.613 ms
> 10 219.158.21.241 (219.158.21.241) 3.145 ms 3.054 ms 2.737 ms
> 11 219.158.3.206 (219.158.3.206) 3.269 ms 3.223 ms 2.574 ms
> 12 219.158.29.46 (219.158.29.46) 92.727 ms 92.685 ms 92.616 ms
> 13 210.130.133.69 (210.130.133.69) 102.338 ms 94.154 ms 95.960 ms
> 14 tky008bb00.IIJ.Net (58.138.105.177) 113.369 ms 117.653 ms 112.755 ms
> 15 tky009bf01.IIJ.Net (58.138.80.69) 149.537 ms tky009bf00.IIJ.Net (58.138.80.65) 97.795 ms tky008bf00.IIJ.Net (58.138.80.249) 97.472 ms
> 16 tky001bb10.IIJ.Net (58.138.80.22) 121.196 ms tky001bb11.IIJ.Net (58.138.80.46) 119.261 ms tky001bb10.IIJ.Net (58.138.80.10) 185.538 ms
> 17 tky001ix04.IIJ.Net (58.138.100.26) 109.179 ms tky001ix04.IIJ.Net (58.138.100.30) 118.512 ms 116.882 ms
> 18 as8674.dix-ie.jp (202.249.2.180) 94.323 ms 94.045 ms 94.044 ms
> 19 i.root-servers.net (192.36.148.17) 94.560 ms 94.096 ms 94.035 ms
>
>
> $ dig +norecurs @i.root-servers.net www.facebook.com A
>
> ; <<>> DiG 9.2.4 <<>> +norecurs @i.root-servers.net www.facebook.com A
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14020
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.facebook.com. IN A
>
> ;; ANSWER SECTION:
> www.facebook.com. 300 IN A 46.82.174.68
>
> ;; Query time: 6 msec
> ;; SERVER: 192.36.148.17#53(192.36.148.17)
> ;; WHEN: Thu Mar 25 03:40:53 2010
> ;; MSG SIZE rcvd: 50
>
> This one is even more stunning:
> $ dig -t soa facebook.com @i.root-servers.net
>
> ; <<>> DiG 9.2.4 <<>> -t soa facebook.com @i.root-servers.net
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23252
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;facebook.com. IN SOA
>
> ;; ANSWER SECTION:
> facebook.com. 300 IN A 59.24.3.173
>
> ;; Query time: 7 msec
> ;; SERVER: 192.36.148.17#53(192.36.148.17)
> ;; WHEN: Thu Mar 25 03:39:27 2010
> ;; MSG SIZE rcvd: 46
>
>
>
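Added example, not part of either message above: a Python check that reads dig output from a root server and reports the traits that separate the injected replies quoted by bert hubert from the referral seen from IIJ. The sample strings are abridged from the output on this page; the function names and indicator codes are made up for this example, and it assumes the queried name sits under a delegated TLD such as com.

```python
import re

# Abridged from the dig output on this page (header, question, first record only).
REFERRAL = """;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;www.facebook.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
"""
FORGED_SOA = """;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;facebook.com. IN SOA
;; ANSWER SECTION:
facebook.com. 300 IN A 59.24.3.173
"""

def parse_dig(text):
    """Return (flags, section counts, question type, answer record types)."""
    flags = re.search(r"flags:([a-z ]*);", text).group(1).split()
    counts = {k: int(v) for k, v in re.findall(r"(ANSWER|AUTHORITY): (\d+)", text)}
    section, qtype, atypes = None, None, []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
        elif section == "QUESTION" and re.match(r";[^;\s]", line):
            qtype = line.split()[-1]            # ";name. IN TYPE"
        elif section == "ANSWER" and line and not line.startswith(";"):
            atypes.append(line.split()[3])      # "name ttl IN TYPE rdata"
    return flags, counts, qtype, atypes

def injection_indicators(text, query_rd):
    """Codes for traits a root referral (name under a delegated TLD) should not have."""
    flags, counts, qtype, atypes = parse_dig(text)
    hits = []
    if "ra" in flags:                       # root servers do not offer recursion
        hits.append("RA_SET")
    if "rd" in flags and not query_rd:      # RD is copied from the query; +norecurs clears it
        hits.append("RD_NOT_IN_QUERY")
    if counts["ANSWER"] > 0:                # the root should only refer to the TLD servers
        hits.append("ANSWER_FROM_ROOT")
    if counts["AUTHORITY"] == 0:
        hits.append("NO_REFERRAL")
    if any(t not in (qtype, "CNAME") for t in atypes):
        hits.append("TYPE_MISMATCH")        # e.g. an A record returned for an SOA question
    return hits
```

Pass query_rd=False for queries sent with +norecurs (the two www.facebook.com A lookups) and query_rd=True for the plain SOA query.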