[dns-operations] most of root NS and com's NS fail from here

Emmanuel Thierry ml at sekil.fr
Tue Apr 29 10:05:21 UTC 2014


Hello,

Le 29 avr. 2014 à 11:29, Ken Peng a écrit :

> 于 2014-4-29 12:21, David Conrad 写道:
>> Ken,
>> 
>> On Apr 28, 2014, at 7:43 PM, Ken Peng <kpeng at terra.com> wrote:
>>> Recent days I found most of the root nameservers, and com/net's
>>> nameservers can't work from here. When accessing to them I always got
>>> timeout.
>> 
>> If you're querying from inside China, probably the first thing you should check is to see if the root server IP addresses you're querying match the following list (a-m):
>> 
>> a.root-servers.net. - 198.41.0.4
>> b.root-servers.net. - 192.228.79.201
>> c.root-servers.net. - 192.33.4.12
>> d.root-servers.net. - 199.7.91.13
>> e.root-servers.net. - 192.203.230.10
>> f.root-servers.net. - 192.5.5.241
>> g.root-servers.net. - 192.112.36.4
>> h.root-servers.net. - 128.63.2.53
>> i.root-servers.net. - 192.36.148.17
>> j.root-servers.net. - 192.58.128.30
>> k.root-servers.net. - 193.0.14.129
>> l.root-servers.net. - 199.7.83.42
>> m.root-servers.net. - 202.12.27.33
>> 
> 
> I checked them, all seem correct.

If i'm not mistaken, the Chinese filtering is performed on a per-service basis. So you may have a correct traceroute but still have your DNS requests spoofed or blocked
I think that be best way to test is using wireshark, and if everything looks correct, comparing RTT times of ping and DNS queries.

Best regards
Emmanuel Thierry




More information about the dns-operations mailing list