> I am only seeing this with the B systems at the moment.. and I am
> trying to figure out how I should 'fix' my firewall or backbone DNS
> server to deal with it.
>
> Our campus DNS servers will 'proxy' a request to the backbone DNS
> servers and when it talks to the B servers, we get requests back from
> different IP address from what we sent to (thus our firewall drops it
> as a bad session).
>
> 129.24.8.1.32768 > 192.228.79.201.domain
> 192.228.79.200.domain > 129.24.8.1.32768
> 192.228.79.202.domain > 129.24.8.1.32768
> 192.228.79.201.domain > 129.24.8.1.32768
>
> This really picked up on Saturday when pretty much every send to the
> 192.228.79.201 server got 1 to 2 other returns from b1.ip4.int,
> b2.ip4.int etc.
>
> The only other servers that the firewall seems to be dropping are some
> 'questionable' ones in Romania that showed up over the weekend.


The first thing you need to do is figure out where the
"duplication" is occurring.

As a datapoint, I don't see it from here when talking to
"b2".

15:45:37.180796 220.239.253.18.60656 > 192.228.79.201.53: 36120 TXT CHAOS? hostname.bind. (31)
15:45:37.337522 192.228.79.201.53 > 220.239.253.18.60656: 36120*- 1/1/0 CHAOS TXT b2 (60) (DF)

; <<>> DiG 9.3.3 <<>> hostname.bind txt ch +norec @b.root-servers.net
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36120
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hostname.bind. CH TXT

;; ANSWER SECTION:
hostname.bind. 0 CH TXT "b2"

;; AUTHORITY SECTION:
hostname.bind. 0 CH NS hostname.bind.

;; Query time: 158 msec
;; SERVER: 192.228.79.201#53(192.228.79.201)
;; WHEN: Mon Feb 26 15:45:37 2007
;; MSG SIZE rcvd: 60


> --
> Stephen J Smoogen. -- CSIRT/Linux System Administrator
> How far that little candle throws his beams! So shines a good deed
> in a naughty world. = Shakespeare. "The Merchant of Venice"

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
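
One way to check a capture for the mismatch described in this thread, as an added example that is not part of either message: it pairs each DNS reply with the query sent from the same client socket and flags replies whose source address was never queried. The function name and verdict labels are assumptions made for illustration; the trace lines are the ones quoted above. Running it over captures taken at different points (outside the firewall, on the backbone server) shows where the extra replies first appear.

```python
import re

# "src.port > dst.port", with an optional leading timestamp; both forms
# appear in the thread. Illustrative parser, not part of any tool.
FLOW = re.compile(
    r"^(?:\d\d:\d\d:\d\d\.\d+\s+)?"
    r"(\d+\.\d+\.\d+\.\d+)\.(\w+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\w+):?"
)
DNS_PORTS = {"53", "domain"}  # tcpdump prints the service name unless run with -n

# Trace lines copied from the thread (quote markers stripped).
SAMPLE = """\
129.24.8.1.32768 > 192.228.79.201.domain
192.228.79.200.domain > 129.24.8.1.32768
192.228.79.202.domain > 129.24.8.1.32768
192.228.79.201.domain > 129.24.8.1.32768
15:45:37.180796 220.239.253.18.60656 > 192.228.79.201.53: 36120 TXT CHAOS? hostname.bind. (31)
15:45:37.337522 192.228.79.201.53 > 220.239.253.18.60656: 36120*- 1/1/0 CHAOS TXT b2 (60) (DF)
"""

def classify(trace):
    """Return (client, responder, verdict) for every DNS reply in the trace."""
    queried = {}  # (client_ip, client_port) -> set of servers that socket queried
    results = []
    for line in trace.splitlines():
        m = FLOW.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        if dport in DNS_PORTS and sport not in DNS_PORTS:
            # Query from a client socket to a server's DNS port.
            queried.setdefault((src, sport), set()).add(dst)
        elif sport in DNS_PORTS and dport not in DNS_PORTS:
            # Reply: look up what this client socket actually queried.
            servers = queried.get((dst, dport))
            if servers is None:
                verdict = "unsolicited"        # no query seen from this socket
            elif src in servers:
                verdict = "match"              # reply came from the queried address
            else:
                verdict = "mismatched-source"  # what a stateful firewall drops
            results.append((dst, src, verdict))
        # Traffic with port 53 on both ends is ignored: direction is ambiguous.
    return results

if __name__ == "__main__":
    for client, responder, verdict in classify(SAMPLE):
        print(f"{responder:>16} -> {client:<16} {verdict}")
```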