[dns-operations] R: dns-operationsI: IP change for b.root-servers.net not effective?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Oct 24 18:40:45 UTC 2017
On Tue, Oct 24, 2017 at 04:43:27PM +0000,
Costantino Andrea (Con) <andrea.costantino at h3g.it> wrote
a message of 291 lines which said:
> Yes, I confirm..
Don't forget that name servers, specially anycasted name servers, are
often "shadowed" by rogue servers, when an ISP injects a route in its
IGP.
Using NSID (message from Wes Hardaker) is often a good heuristic to
spot them, since the rogue server typically don't bother to send back
a correct NSID response.
For instance, RIPE Atlas probes 20778, 22780, 24749, 25652, 25669,
25818, and 32947 all see an answer 192.228.79.201 when they query
199.9.14.201 about b.root-servers.net's IPv4 address. In all these
cases, the answer is not accompanied by a NSID, showing there is a
rogue server (or a transparent DNS proxy redirecting to a resolver).
Probes 17706, 29748, 30356, 31735, and 32895 see the correct answer
but no NSID: rogue server, or middebox stripping NSID option.
More information about the dns-operations
mailing list