[dns-operations] R: dns-operationsI: IP change for b.root-servers.net not effective?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Oct 24 18:40:45 UTC 2017


On Tue, Oct 24, 2017 at 04:43:27PM +0000,
 Costantino Andrea (Con) <andrea.costantino at h3g.it> wrote 
 a message of 291 lines which said:

> Yes, I confirm..

Don't forget that name servers, especially anycasted name servers, are
often "shadowed" by rogue servers, when an ISP injects a route in its
IGP.

Using NSID (message from Wes Hardaker) is often a good heuristic to
spot them, since the rogue server typically doesn't bother to send back
a correct NSID response.

For instance, RIPE Atlas probes 20778, 22780, 24749, 25652, 25669,
25818, and 32947 all see an answer 192.228.79.201 when they query
199.9.14.201 about b.root-servers.net's IPv4 address. In all these
cases, the answer is not accompanied by a NSID, showing there is a
rogue server (or a transparent DNS proxy redirecting to a resolver).

Probes 17706, 29748, 30356, 31735, and 32895 see the correct answer
but no NSID: rogue server, or middlebox stripping NSID option.
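
The NSID check described in the message above, as an added example that is not part of the original post: it builds a query carrying an empty NSID option (RFC 5001), parses a reply for the answer address and any NSID, and sorts the result into the cases the message lists. All function names are hypothetical, the expected address is supplied by the caller, and `sample_response` builds constructed replies rather than captured traffic.

```python
import struct

A, OPT, NSID = 1, 41, 3   # RR types A and OPT; EDNS option code 3 is NSID (RFC 5001)

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")) + b"\x00"

def opt_rr(options):
    return b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(options)) + options

def build_query(name, qid=0x1234):
    """A/IN query whose OPT record carries an empty NSID option (the request form)."""
    question = encode_name(name) + struct.pack("!HH", A, 1)
    return struct.pack("!6H", qid, 0, 1, 0, 0, 1) + question + opt_rr(struct.pack("!HH", NSID, 0))

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # step over plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # pointer is 2 bytes, root label is 1

def parse_response(msg):
    """Return (A addresses in the answer section, NSID bytes or None if absent)."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, addrs, nsid = 12, [], None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == A and i < an and rdlen == 4:
            addrs.append(".".join(map(str, rdata)))
        p = 0
        while rtype == OPT and p + 4 <= len(rdata):   # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if code == NSID:
                nsid = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
    return addrs, nsid

def classify(addrs, nsid, expected):
    answer = "expected-answer" if expected in addrs else "unexpected-answer"
    return answer + ("-with-nsid" if nsid else "-no-nsid")   # empty NSID counts as none

def sample_response(addr, nsid=b""):
    """Constructed reply (not captured traffic): one A record, NSID only if given."""
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 60, 4) + bytes(map(int, addr.split(".")))
    options = struct.pack("!HH", NSID, len(nsid)) + nsid if nsid else b""
    head = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 1)
    return head + encode_name("b.root-servers.net") + struct.pack("!HH", A, 1) + answer + opt_rr(options)
```

The bytes from `build_query` can be sent over UDP to port 53 of the server under test and the reply passed to `parse_response`.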


