> On 7/01/2015, at 7:31 pm, Ralf Weber <[email protected]> wrote:
>
> Moin!
>
>> On 04 Jan 2015, at 11:44, Alexander Neilson <[email protected]> wrote:
>>
>> Now it may be something inside the network that specifically asks for a
>> resolution of or against a.root-servers.net but I am seeing 11% of queries
>> for a. and nothing in the top lists for any other root server.
> Are you seeing recursions that cause the server to go to a.root-servers.net
> or do you see client queries for a.root-servers.net? The latter is something
> very common and probably caused by some misconfigured software, but so far
> nobody has told me which software.

I am seeing them as queries from customers. Seems to be a very even spread of requests.

Over 15 minutes I captured 12,472 requests for DNS resolution from customers for a.root-servers.net A record. 378 different customer IPs with between 27 and 38 requests each, and clusters at each level.

So far I cannot see anything that indicates it's linked to the customer requests (because I would expect a greater variation in the number of requests per customer in that case).

I am seeing a lot of them (9,997) with Transaction ID of 0x04d2. This seems to be something odd (but again I still need to learn a lot more about the decisions implementations make with their queries) but it gives me a feeling of a hard-coded request.

Two of the IPs that sourced the queries had 126, and 321 queries respectively. I am still investigating the 126 query as the user doesn't have a large amount of traffic used so no explanation as to why the query count is so high. The other is a small stub network that is NATed so that would explain the larger count and helps me with my supposition.

I believe this may be a hard-coded query from TP-Link routers (only supposition at this point) but it seems logical. We use mostly TP-Link routers around the network and behind the 321 query IP address is a cluster of them and a hand check of the addresses in the list indicates they are TP-Link devices as well.

I will try to set our reference router up in the lab and run a test against it to confirm.

Not sure if this analysis is helpful but is interesting to me and would be good to know the purpose of this query (possibly a keep-alive packet flow or a test for connectivity) and while it isn't a load issue too much for me (it can just be fulfilled by the root hints file) it did seem like a query that was sitting out of place as such a large part of my query load against my server (thanks DNStop).

but for tracking purposes maybe I should create two interfaces (one for remote resolution and one for addressing internal queries).

>
> So long
> -Ralf
>

Regards
Alexander

Alexander Neilson
Neilson Productions Limited
[email protected]
+64 21 329 681
+64 22 456 2326
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
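
The tally described in the message above (queries per client for one name, and how often a single transaction ID recurs), as an added example that is not part of the original post. It goes slightly beyond the post by parsing the DNS wire format directly; the function names, sample packets and 192.0.2.x addresses are constructed for illustration.

```python
import struct
from collections import Counter

def build_query(txid, qname, qtype=1):
    """Build a minimal DNS query; used here only to construct sample input."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))

def parse_query(msg):
    """Return (txid, qname, qtype) for a one-question query, else None."""
    if len(msg) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:      # QR bit set means a response
        return None
    pos, labels = 12, []
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):  # pointer or truncated label
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    if pos + 5 > len(msg):                  # need root label + QTYPE + QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, ".".join(labels) + ".", qtype

def summarize(packets, target="a.root-servers.net.", qtype=1):
    """Tally matching queries per client and per transaction ID."""
    per_client, per_txid = Counter(), Counter()
    for src, payload in packets:
        q = parse_query(payload)
        if q and q[1] == target and q[2] == qtype:
            per_client[src] += 1
            per_txid[q[0]] += 1
    total = sum(per_txid.values())
    top_txid, top_n = per_txid.most_common(1)[0] if total else (None, 0)
    return {"total": total, "clients": dict(per_client), "top_txid": top_txid,
            "top_txid_share": top_n / total if total else 0.0}

# Constructed sample: (source IP, UDP payload) pairs; 192.0.2.0/24 is a documentation range.
SAMPLE = ([("192.0.2.10", build_query(0x04D2, "a.root-servers.net"))] * 4
          + [("192.0.2.11", build_query(0x04D2, "A.ROOT-SERVERS.NET"))] * 4
          + [("192.0.2.12", build_query(t, "a.root-servers.net")) for t in (0x1A2B, 0x9F01)]
          + [("192.0.2.12", build_query(0x3C4D, "example.com")), ("192.0.2.13", b"\x04\xd2\x01")])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```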
