[dns-operations] Best Resources for Deep Dive Understanding of DNS

Alexander Neilson alexander at neilson.net.nz
Wed Jan 7 08:18:33 UTC 2015

> On 7/01/2015, at 7:31 pm, Ralf Weber <dns at fl1ger.de> wrote:
> Moin!
>> On 04 Jan 2015, at 11:44, Alexander Neilson <alexander at neilson.net.nz> wrote:
>> Now it may be something inside the network that specifically asks for a resolution of or against a.root-servers.net but I am seeing 11% of queries for a. and nothing in the top lists for any other root server.
> Are you seeing recursions that cause the server to go to a.root-servers.net or do you see client queries for a.root-servers.net? The latter is something very common and probably caused by some misconfigured software, but so far nobody has told me which software.

I am seeing them as queries from customers. Seems to be a very even spread of requests.

Over 15 minutes I captured 12,472 requests for DNS resolution from customers for a.root-servers.net A record.

378 different customer IPs with between 27 and 38 requests each, and clusters at each level. So far I cannot see anything that indicates it's linked to the customer requests (because I would expect a greater variation in the number of requests per customer in that case).

I am seeing a lot of them (9,997) with Transaction ID of 0x04d2. This seems to be something odd (but again I still need to learn a lot more about the decisions implementations make with their queries) but it gives me a feeling of a hard coded request.

Two of the IPs that sourced the queries had 126 and 321 queries respectively. I am still investigating the 126-query one, as the user doesn't have a large amount of traffic used, so there is no explanation as to why the query count is so high. The other is a small stub network that is NATted, so that would explain the larger count and helps me with my supposition.

I believe this may be a hard-coded query from TP-Link routers (only supposition at this point), but it seems logical. We use mostly TP-Link routers around the network, and behind the 321-query IP address is a cluster of them, and a hand check of the addresses in the list indicates they are TP-Link devices as well. I will try to set our reference router up in the lab and run a test against it to confirm.

Not sure if this analysis is helpful, but it is interesting to me, and it would be good to know the purpose of this query (possibly a keep-alive packet flow or a test for connectivity). While it isn't too much of a load issue for me (it can just be fulfilled by the root hints file), it did seem like a query that was sitting out of place as such a large part of my query load against my server (thanks DNStop). But for tracking purposes maybe I should create two interfaces (one for remote resolution and one for addressing internal queries).

> So long
> -Ralf


Alexander Neilson
Neilson Productions Limited

alexander at neilson.net.nz
+64 21 329 681
+64 22 456 2326
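The pattern the post describes (one query name, one fixed transaction ID, spread evenly across many customer sources) can be picked out of a capture with a short detector; the code below is an added editorial example, not code from the post or from DNStop, and the packets, source addresses and thresholds in it are constructed rather than captured.

```python
import struct
from collections import Counter

def build_query(txid, qname, qtype=1):
    """Build a minimal DNS query (12-byte header + one question) in wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # IN class

def parse_query(pkt):
    """Return (txid, qname, qtype) from a DNS query packet.
    Rejects compression pointers in the question name (not valid in a query)."""
    txid, _flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = pkt[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    qtype, = struct.unpack(">H", pkt[pos:pos + 2])
    return txid, ".".join(labels).lower() + ".", qtype

def hardcoded_probe_report(packets, min_share=0.5, min_sources=5):
    """Group queries by (qname, txid). A pair that carries at least min_share of all
    queries for that name and comes from at least min_sources distinct clients is the
    signature of a fixed, hard-coded query rather than normal resolver behaviour.
    Returns {(qname, txid): (count, distinct_sources, share_of_name)}."""
    by_pair, by_name, sources = Counter(), Counter(), {}
    for src, pkt in packets:
        txid, qname, _qtype = parse_query(pkt)
        by_pair[(qname, txid)] += 1
        by_name[qname] += 1
        sources.setdefault((qname, txid), set()).add(src)
    return {pair: (n, len(sources[pair]), n / by_name[pair[0]])
            for pair, n in by_pair.items()
            if n / by_name[pair[0]] >= min_share and len(sources[pair]) >= min_sources}

# Constructed sample modelled on the post: 8 clients, 3 identical queries each with
# transaction ID 0x04d2, plus one client with a random-looking ID and an unrelated name.
SAMPLE = [(f"10.0.0.{i}", build_query(0x04D2, "a.root-servers.net"))
          for i in range(1, 9) for _ in range(3)]
SAMPLE += [("10.0.0.9", build_query(0x1A2B, "a.root-servers.net")),
           ("10.0.0.9", build_query(0x7777, "www.example.com"))]
```

A constant transaction ID on the client side also means that sender does no query-ID randomisation at all, which is a separate point worth recording when assessing the devices involved.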
