[dns-operations] research on the queries for the root NSSET?

bert hubert bert.hubert at netherlabs.nl
Sat May 21 08:25:00 UTC 2011 

Hi everybody,

In the development & deployment of PowerDNS(sec) 3.0, I've been keeping a
very close eye on the query logs.

All authoritative nameservers get a lot of questions for the root NSSET
these days, and I wondered where those queries were coming from. In all, I
looked at 30562 queries arriving in the course of 6 days.

In *ascending* order of frequency, the following IP addresses have been
querying powerdnssec1.ds9a.nl for .|NS most:

193.29.52.8	France	A8	Ile-de-France	Paris		48.8667	2.3333	euler HERMES TECH	euler HERMES TECH		
218.30.23.161	China	22	Beijing	Beijing		39.9289	116.3883	CHINANET network	CHINANET IDC center		
91.209.44.8	France	A8	Ile-de-France	Paris		48.8667	2.3333	euler HERMES TECH	euler HERMES TECH		
58.205.216.3	China	22	Beijing	Beijing		39.9289	116.3883	China Education and Research Network	CERNET Internet Data Center Department		
66.45.180.253	United States	WA	Washington	Spokane		47.6779	-117.3793	Tierpoint, LLC	Coldwater Creek	881	509
203.121.29.12	Malaysia	14	Kuala Lumpur	Kuala Lumpur		3.1667	101.7000	TIME Telecommunications Sdn. Bhd.	TIME Telecommunications Sdn. Bhd.		
58.26.5.44	Malaysia	14	Kuala Lumpur	Kuala Lumpur		3.1667	101.7000	TMnet Telekom Malaysia	ING INSURANCE BERHAD		
12.32.40.253	United States	ID	Idaho	Coeur D Alene		47.6609	-116.8343	AT&T Services	Clodwater Creek	881	208
69.8.222.126	United States	ID	Idaho	Coeur D Alene	83814	47.5924	-116.9119	Qwest Communications	Coldwater Creek	881	208
211.100.41.11	China	22	Beijing	Beijing		39.9289	116.3883	China Internet Network Information Center	used by DialUp Access Server as IP POOLs		
218.30.111.41	China	22	Beijing	Beijing		39.9289	116.3883	CHINANET network	CHINANET IDC center		
202.108.12.147	China	22	Beijing	Beijing		39.9289	116.3883	China Unicom Beijing Province Network	China Unicom Beijing Province Network		
211.100.41.12	China	22	Beijing	Beijing		39.9289	116.3883	China Internet Network Information Center	used by DialUp Access Server as IP POOLs		
221.130.27.101	China	04	Jiangsu	Nanjing		32.0617	118.7778	China Mobile Communications Corporation	China Mobile Communications Corporation - jiangsu
218.25.41.136	China	19	Liaoning	Shenyang		41.7922	123.4328	China Unicom Liaoning province network	China Unicom Liaoning province network		
60.217.229.5	China	25	Shandong	Jinan		36.6683	116.9972	China Unicom Shandong province network	China Unicom Shandong province network		
123.129.242.66	China	25	Shandong	Jinan		36.6683	116.9972	China Unicom Shandong province network	China Unicom Shandong province network		
218.30.23.100	China	22	Beijing	Beijing		39.9289	116.3883	CHINANET network	CHINANET IDC center		
202.108.12.146	China	22	Beijing	Beijing		39.9289	116.3883	China Unicom Beijing Province Network	China Unicom Beijing Province Network		
125.64.34.115	China	32	Sichuan	Chengdu		30.6667	104.0667	CHINANET Sichuan province network	CHINANET Sichuan province network		
121.14.51.5	China	30	Guangdong	Guangzhou		23.1167	113.2500	ChinaNet Guangdong Province Network	ChinaNet Guangdong Province Network		
218.75.110.194	China	02	Zhejiang	Hangzhou		30.2553	120.1689	Data Communication Division	Hangzhou Telecommunication IDC Center		
114.80.99.2	China	23	Shanghai	Shanghai		31.0050	121.4086	ChinaNet Shanghai Province Network	ChinaNet Shanghai Province Network		
61.183.11.3	China	12	Hubei	Wuhan		30.5833	114.2667	Data Communication Division	CHINANET Hubei province network		
61.155.6.99	China	22	Beijing	Beijing		39.9289	116.3883	Data Communication Division	CHINANET jiangsu province network

(geolocation by the excellent & affordable maxmind.com)

These 25 addresses represent 75% of the queries for '.|NS'. Clearly China
dominates the entire top of this list in a big way.

The above is the result of 20 minutes of research, but has anyone else
looked into this seriously? If I get one query every 16 seconds, and we
assume there are a million responding nameservers on this planet, and they
all have the same query load, this would represent around a 300 megabit/s
answer flow.

This sort of belies the DoS assumption.

Anybody have a clue?

	Bert 'things that make you go hmm on a Saturday morning' Hubert

More information about the dns-operations mailing list