Stephen John Smoogen wrote:
> I am only seeing this with the B systems at the moment.. and I am
> trying to figure out how I should 'fix' my firewall or backbone DNS
> server to deal with it.
>
> Our campus DNS servers will 'proxy' a request to the backbone DNS
> servers and when it talks to the B servers, we get requests back from
> a different IP address from what we sent to (thus our firewall drops it
> as a bad session).
>
> 129.24.8.1.32768 > 192.228.79.201.domain
> 192.228.79.200.domain > 129.24.8.1.32768
> 192.228.79.202.domain > 129.24.8.1.32768
> 192.228.79.201.domain > 129.24.8.1.32768
>
> This really picked up on Saturday when pretty much every send to the
> 192.228.79.201 server got 1 to 2 other returns from b1.ip4.int,
> b2.ip4.int etc.
>
> The only other servers that the firewall seems to be dropping are some
> 'questionable' ones in Romania that showed up over the weekend.
>

No wonder:

128.9.0.0 isi-net.isi.edu
128.9.0.107 ns1.isi.edu b.root-servers.net.old
128.9.128.127 NS.ISI.EDU
128.9.176.32 VENERA.ISI.EDU

soa("um","2006120106","FLAG.EP.NET","198.32.4.13").
error("um","VENERA.ISI.EDU","128.9.176.32","no response").
soa("um","2006120106","NS.ISI.EDU","128.9.128.127").
error("um","NS.UU.NET","137.39.1.3","no soa").

First they feathered and tarred the .um TLD
Now they try to do the same to the root

host_name("192.228.79.200","b1.ip4.int").
host_name("192.228.79.201","b.root-servers.net").
host_name("192.228.79.202","b2.ip4.int").
host_name("192.228.79.203","b3.ip4.int").
host_name("192.228.79.204","b4.ip4.int").

Since they moved the b.root-servers.net to its new ip,
they are living behind a load balancer.

When one of them is busy the answer might reach more
than one of them. When the sleepy one sends its answer
the load balancer does not know what to do with it
and lets it out without NATting its ip-address.

Looks like anycast - but it isn't.

Best cure would be to have a copy of b.root-servers.net
behind your firewall. BIND slave mode.

BIND will connect to b.root-servers.net via TCP
twice per day, and no other queries will go to
the root-servers. No more answers will come.


Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher-Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
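
An added example, not part of the original message or of either poster's tooling: a small parser for tcpdump-style lines like the ones quoted above that separates DNS replies whose source address matches a server the client actually queried from replies arriving from an address it never queried, which is the condition a stateful firewall treats as a bad session. The function name `classify_replies` is hypothetical, and the sample input is constructed from the four quoted capture lines.

```python
import re
from collections import defaultdict

# Constructed sample: the four capture lines quoted in the message above.
SAMPLE = """\
129.24.8.1.32768 > 192.228.79.201.domain
192.228.79.200.domain > 129.24.8.1.32768
192.228.79.202.domain > 129.24.8.1.32768
192.228.79.201.domain > 129.24.8.1.32768
"""

# tcpdump writes an endpoint as a.b.c.d.port and prints port 53 as "domain".
ENDPOINT = r"(\d+\.\d+\.\d+\.\d+)\.(\w+)"
FLOW = re.compile(rf"{ENDPOINT} > {ENDPOINT}")
DNS_PORTS = {"domain", "53"}


def classify_replies(lines):
    """Split DNS replies into those a stateful filter would accept and drop.

    A reply is accepted only if its source IP is a server that the same
    client ip/port queried earlier in the capture.
    Returns (matched, mismatched) lists of (server_ip, client_ip, client_port).
    """
    queried = defaultdict(set)  # (client_ip, client_port) -> servers queried
    matched, mismatched = [], []
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        if dport in DNS_PORTS and sport not in DNS_PORTS:
            queried[(src, sport)].add(dst)            # outbound query
        elif sport in DNS_PORTS and dport not in DNS_PORTS:
            reply = (src, dst, dport)
            if src in queried.get((dst, dport), ()):
                matched.append(reply)
            else:
                mismatched.append(reply)              # source never queried
    return matched, mismatched


if __name__ == "__main__":
    ok, bad = classify_replies(SAMPLE.splitlines())
    for server, client, port in bad:
        print(f"unsolicited source {server} -> {client}:{port}")
    print(f"{len(ok)} matched, {len(bad)} mismatched")
```
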