Probes from root servers

Pederson, Krishna Pederson at covad.com
Thu Jul 16 22:56:29 UTC 2009


One of our IP addresses is being probed by up to 8 of the 13 root dns servers every 15 seconds. I'm looking for input on how to contact the admins for the servers or perhaps a way to figure out if perhaps someone is spoofing the affected customer IP address, causing the root servers to send the following:

sh mls netflow ip destination 74.1.32.205 /32 module 2
Displaying Netflow entries in module 2
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f          :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
74.1.32.205     193.0.14.129    udp :dns    :1039     Fa2/11           :0x0
0            0             1     22:49:03   L3 - Dynamic
74.1.32.205     202.12.27.33    udp :dns    :1039     Fa2/11           :0x0
0            0             2     22:49:03   L3 - Dynamic
74.1.32.205     192.36.148.17   udp :dns    :1039     Fa2/11           :0x0
0            0             2     22:49:03   L3 - Dynamic


Is it practical to attempt to work the issue with the root server admins or is it quite likely this is spoofing and there's no hope to track this down?

Thanks,
Kris




More information about the NANOG mailing list