[dns-operations] Odd behaviour on one node in I root-server (facebook, youtube & twitter)

Matsuzaki Yoshinobu maz at iij.ad.jp
Wed Mar 24 20:30:33 UTC 2010


Hi,

From IIJ/AS2497, we can get the expected answer from the i.root.  And the
node should be in Tokyo - hostname.bind is "s1.tok"

% traceroute i.root-servers.net
traceroute to i.root-servers.net (192.36.148.17), 64 hops max, 40 byte packets
 1  id-ex-router (202.232.15.209)  0.484 ms  0.338 ms  0.241 ms
 2  210.130.154.241 (210.130.154.241)  0.613 ms  0.605 ms  0.618 ms
 3  tky001ipgw11.IIJ.Net (58.138.101.197)  0.614 ms  0.604 ms  0.617 ms
 4  tky001bb11.IIJ.Net (58.138.101.13)  0.489 ms  0.603 ms  0.491 ms
 5  tky001ix04.IIJ.Net (58.138.100.30)  0.615 ms  0.728 ms  0.617 ms
 6  as8674.dix-ie.jp (202.249.2.180)  0.864 ms  0.602 ms  0.617 ms
 7  i.root-servers.net (192.36.148.17)  0.738 ms  0.728 ms  0.748 ms

% dig +norecurs @i.root-servers.net www.facebook.com A

; <<>> DiG 9.6.1-P1 <<>> +norecurs @i.root-servers.net www.facebook.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60601
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.     172800  IN      A       192.5.6.30
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30

;; Query time: 1 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Wed Mar 24 20:23:40 2010
;; MSG SIZE  rcvd: 506

-----
Matsuzaki Yoshinobu <maz at iij.ad.jp>
 - IIJ/AS2497  INOC-DBA: 2497*629

Date: Wed, 24 Mar 2010 20:47:07 +0100
bert hubert <bert.hubert at netherlabs.nl> wrote
> On Wed, Mar 24, 2010 at 03:22:40PM -0300, Mauricio Vergara Ereche wrote:
>> A local ISP has told us that there's some strange behavior with at least one 
>> node in i.root-servers.net (traceroute shows mostly China)
>> It seems that when you ask A records for facebook, youtube or twitter, you get 
>> an IP and not the referral for .com
> 
> Wow! This is stunning. I knew that China messed with DNS internally, but not
> that it leaked to the outside world. Perhaps this is what you are seeing.
> 
> Confirmed from a server in Shanghai (note the wrong checksums!)
> 
>  7  x.182 (x.182)  2.601 msIcmp checksum is wrong
>   2.567 msIcmp checksum is wrong
>   2.124 ms
> Icmp checksum is wrong
>  8  x.161 (x.161)  31.113 msIcmp checksum is wrong
>   9.614 msIcmp checksum is wrong
>   202.169 ms
>  9  210.22.66.185 (210.22.66.185)  2.620 ms  2.703 ms  2.613 ms
> 10  219.158.21.241 (219.158.21.241)  3.145 ms  3.054 ms  2.737 ms
> 11  219.158.3.206 (219.158.3.206)  3.269 ms  3.223 ms  2.574 ms
> 12  219.158.29.46 (219.158.29.46)  92.727 ms  92.685 ms  92.616 ms
> 13  210.130.133.69 (210.130.133.69)  102.338 ms  94.154 ms  95.960 ms
> 14  tky008bb00.IIJ.Net (58.138.105.177)  113.369 ms  117.653 ms  112.755 ms
> 15  tky009bf01.IIJ.Net (58.138.80.69)  149.537 ms tky009bf00.IIJ.Net (58.138.80.65)  97.795 ms tky008bf00.IIJ.Net (58.138.80.249)  97.472 ms
> 16  tky001bb10.IIJ.Net (58.138.80.22)  121.196 ms tky001bb11.IIJ.Net (58.138.80.46)  119.261 ms tky001bb10.IIJ.Net (58.138.80.10)  185.538 ms
> 17  tky001ix04.IIJ.Net (58.138.100.26)  109.179 ms tky001ix04.IIJ.Net (58.138.100.30)  118.512 ms  116.882 ms
> 18  as8674.dix-ie.jp (202.249.2.180)  94.323 ms  94.045 ms  94.044 ms
> 19  i.root-servers.net (192.36.148.17)  94.560 ms  94.096 ms  94.035 ms
> 
> 
> $ dig +norecurs @i.root-servers.net www.facebook.com A
> 
> ; <<>> DiG 9.2.4 <<>> +norecurs @i.root-servers.net www.facebook.com A
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14020
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.facebook.com.              IN      A
> 
> ;; ANSWER SECTION:
> www.facebook.com.       300     IN      A       46.82.174.68
> 
> ;; Query time: 6 msec
> ;; SERVER: 192.36.148.17#53(192.36.148.17)
> ;; WHEN: Thu Mar 25 03:40:53 2010
> ;; MSG SIZE  rcvd: 50
> 
> This one is even more stunning:
> $ dig -t soa facebook.com @i.root-servers.net
> 
> ; <<>> DiG 9.2.4 <<>> -t soa facebook.com @i.root-servers.net
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23252
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;facebook.com.                  IN      SOA
> 
> ;; ANSWER SECTION:
> facebook.com.           300     IN      A       59.24.3.173
> 
> ;; Query time: 7 msec
> ;; SERVER: 192.36.148.17#53(192.36.148.17)
> ;; WHEN: Thu Mar 25 03:39:27 2010
> ;; MSG SIZE  rcvd: 46
> 
> 
> 	
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
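
An added example, not part of the original messages: the two replies quoted in this thread differ in ways a monitoring script can test for (flags, section counts, and record type versus question type). The function `root_reply_anomalies` and its `sent_rd` parameter are hypothetical names, the samples are abridged from the dig output above, and the check assumes the queried name sits under a TLD that the root delegates, such as com.

```python
import re

# Samples abridged from the two dig outputs quoted in this thread.
REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;www.facebook.com.              IN      A
;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
;; SERVER: 192.36.148.17#53(192.36.148.17)
"""
UNEXPECTED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;facebook.com.                  IN      SOA
;; ANSWER SECTION:
facebook.com.           300     IN      A       59.24.3.173
;; SERVER: 192.36.148.17#53(192.36.148.17)
"""

HEADER = re.compile(r";; flags:([a-z ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")
QUESTION = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$", re.M)
RECORD = re.compile(r"^([^;\s]\S*)\s+\d+\s+IN\s+(\S+)\s+\S+", re.M)

def root_reply_anomalies(dig_text, sent_rd=False):
    """List reasons a root-server reply is not a plain referral.

    Assumes the queried name is under a TLD the root delegates (e.g. com).
    """
    flags, answers, authority = HEADER.search(dig_text).groups()
    flags = set(flags.split())
    qname, qtype = QUESTION.search(dig_text).groups()
    findings = []
    if "ra" in flags:
        findings.append("ra set: root servers do not offer recursion")
    if "rd" in flags and not sent_rd:
        findings.append("rd set although the query was sent with +norecurs")
    if int(answers) and "." in qname.rstrip("."):
        findings.append("answer returned where a referral was expected")
    if not int(authority):
        findings.append("no NS records in the authority section")
    # Only the lines between "ANSWER SECTION:" and the next ";;" line are answers.
    answer_block = dig_text.partition("ANSWER SECTION:")[2].split(";;")[0]
    for _name, rtype in RECORD.findall(answer_block):
        if rtype not in (qtype, "CNAME"):
            findings.append(f"{rtype} record returned for a {qtype} question")
    return findings

if __name__ == "__main__":
    print(root_reply_anomalies(REFERRAL))
    print(root_reply_anomalies(UNEXPECTED, sent_rd=True))
```

Pass `sent_rd=True` for the SOA sample because that query was issued without `+norecurs`.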


