[dns-operations] most of root NS and com's NS fail from here
David Conrad
drc at virtualized.org
Tue Apr 29 17:24:31 UTC 2014
Hi,
On Apr 29, 2014, at 2:29 AM, Ken Peng <kpeng at terra.com> wrote:
> I checked them, all seem correct.
Yep.
> This is the traceroute info for one of the failed nameservers.
>
> $ traceroute h.root-servers.net
> traceroute to h.root-servers.net (128.63.2.53), 30 hops max, 60 byte packets
> 1 113.108.228.129 (113.108.228.129) 0.404 ms 0.886 ms 1.064 ms
> 2 121.14.46.93 (121.14.46.93) 0.475 ms 0.941 ms 1.227 ms
> 3 121.14.37.33 (121.14.37.33) 6.604 ms 6.958 ms 7.168 ms
> 4 121.14.37.6 (121.14.37.6) 0.369 ms 0.377 ms 0.393 ms
> 5 121.14.50.13 (121.14.50.13) 1.569 ms 1.615 ms 1.694 ms
> 6 113.108.208.97 (113.108.208.97) 4.362 ms 3.704 ms 3.624 ms
> 7 (202.97.34.202) 2.973 ms 2.976 ms 2.972 ms
> 8 202.97.61.234 (202.97.61.234) 1.429 ms 1.421 ms 1.297 ms
> 9 202.97.52.154 (202.97.52.154) 161.854 ms 161.380 ms 161.363 ms
> 10 202.97.49.158 (202.97.49.158) 157.784 ms 157.338 ms 157.326 ms
> 11 218.30.54.198 (218.30.54.198) 255.352 ms 255.432 ms 255.425 ms
> 12 los-edge-05.inet.qwest.net (67.14.22.130) 251.492 ms los-edge-05.inet.qwest.net (67.14.22.106) 256.656 ms los-edge-05.inet.qwest.net (67.14.22.130) 251.350 ms
> 13 65-126-18-214.dia.static.qwest.net (65.126.18.214) 360.808 ms 360.171 ms 360.426 ms
> 14 143.56.244.2 (143.56.244.2) 258.023 ms 254.128 ms 254.172 ms
> 15 ap-1-1-1-nd.level3-lax.core.dren.net (140.6.244.1) 249.144 ms 248.882 ms 249.567 ms
> 16 np-5-1-1-nd.sandiego.core.dren.net (140.6.0.1) 359.050 ms 358.964 ms 359.087 ms
> 17 138.18.190.89 (138.18.190.89) 349.903 ms 349.947 ms 349.974 ms
> 18 * * *
>
> The ping info:
>
> $ ping -c 3 h.root-servers.net
> PING h.root-servers.net (128.63.2.53) 56(84) bytes of data.
> 64 bytes from 128.63.2.53: icmp_seq=1 ttl=45 time=355 ms
> 64 bytes from 128.63.2.53: icmp_seq=2 ttl=45 time=356 ms
> 64 bytes from 128.63.2.53: icmp_seq=3 ttl=45 time=257 ms
>
> --- h.root-servers.net ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 21549ms
> rtt min/avg/max/mdev = 257.609/323.121/356.333/46.325 ms
Assuming your traceroute uses UDP, it looks to me like your source address is having (at least) UDP filtered once it hits the DREN. "H" might not have been the best choice to test since it probably isn't too surprising there might be reachability issues given the DREN is the US Defense Research and Engineering network and I believe there have been a number of UDP (DNS) amplification attacks originating from China. It may be that the issues you are facing with access to root servers can be attributed to folks trying to mitigate DDoS attacks.
Are you seeing the same sort of behavior (UDP-based traceroute failing, ping succeeding) from the other root servers you're unable to reach?
As a mitigation, I might suggest having your resolvers slave the root zone...
Regards,
-drc
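The suspected pattern above (UDP traceroute dies in the path, ICMP ping still answers) is cheapest to confirm on the port that actually matters: send a real DNS query to each root server over UDP and over TCP and compare. The script below is an added example for this thread, not code from the original posters; it uses only the Python 3 standard library, resolves the root letters through the local system resolver (the root hints file is the authoritative source if that resolver is itself broken), asks each server for `. NS` with a 3 second timeout, and reports per server whether UDP, TCP, both or neither produced a valid reply. A "TCP answers, UDP times out" verdict is what a UDP filter or rate limiter in the path looks like from the client.

```python
"""Probe every root server over UDP/53 and TCP/53 with a '. NS' query.

Added example, not part of the original mailing-list thread.
Assumptions: Python 3, IPv4 only, system resolver available for
X.root-servers.net names, outbound port 53 not blocked locally.
"""
import random
import socket
import struct

ROOT_LETTERS = "abcdefghijklm"
TIMEOUT = 3.0


def build_query(qname=".", qtype=2, txid=0x1234):
    """Build a minimal DNS query (default '. NS', QTYPE 2, QCLASS IN).

    RD is left clear: the roots are authoritative, not recursive."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b""
    for label in qname.strip(".").split("."):
        if label:  # the root name "." has no labels at all
            labels += bytes([len(label)]) + label.encode("ascii")
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def parse_header(msg):
    """Return the fields of a DNS header we care about."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "ancount": an, "nscount": ns}


def valid_reply(msg, txid):
    """A reply counts only if it is long enough, is a response (QR=1)
    and carries the transaction id we sent; anything else is noise."""
    if msg is None or len(msg) < 12:
        return False
    h = parse_header(msg)
    return h["id"] == txid and h["qr"] == 1


def query_udp(addr, payload, timeout=TIMEOUT):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(payload, (addr, 53))
        data, peer = s.recvfrom(4096)
        return data if peer[0] == addr else None
    except (socket.timeout, OSError):
        return None
    finally:
        s.close()


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def query_tcp(addr, payload, timeout=TIMEOUT):
    """DNS over TCP prefixes each message with a 2-byte length."""
    try:
        with socket.create_connection((addr, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(payload)) + payload)
            hdr = recv_exact(s, 2)
            if hdr is None:
                return None
            (length,) = struct.unpack("!H", hdr)
            return recv_exact(s, length)
    except (socket.timeout, OSError):
        return None


def classify(udp_ok, tcp_ok):
    """Map the (UDP, TCP) outcome pair to a one-word verdict."""
    if udp_ok and tcp_ok:
        return "ok"
    if tcp_ok:
        return "udp-filtered?"   # the pattern discussed in the thread
    if udp_ok:
        return "tcp-blocked?"
    return "unreachable"


def probe(addr, timeout=TIMEOUT):
    txid = random.getrandbits(16)  # random id so stray packets do not match
    q = build_query(".", 2, txid)
    udp_ok = valid_reply(query_udp(addr, q, timeout), txid)
    tcp_ok = valid_reply(query_tcp(addr, q, timeout), txid)
    return classify(udp_ok, tcp_ok)


if __name__ == "__main__":
    for letter in ROOT_LETTERS:
        name = f"{letter}.root-servers.net"
        try:
            addr = socket.gethostbyname(name)
        except socket.gaierror:
            print(f"{name}: cannot resolve (is the local resolver failing?)")
            continue
        print(f"{name} ({addr}): {probe(addr)}")
```

Run it from the affected network and compare with the same run from a host elsewhere; a consistent `udp-filtered?` for the letters that fail there, with `ok` from outside, points at a filter on the path rather than at the servers. Note that a Linux traceroute probes high UDP ports, so it can fail even where UDP/53 is allowed, which is why this check uses port 53 directly.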