Probes from root servers

John Kristoff jtk at
Fri Jul 17 04:39:23 UTC 2009

On Thu, 16 Jul 2009 15:56:29 -0700
"Pederson, Krishna" <Pederson at> wrote:

> One of our IP addresses is being probed by up to 8 of the 13 root dns
> servers every 15 seconds. I'm looking for input on how to contact the
> admins for the servers or perhaps a way to figure out if perhaps
> someone is spoofing the affected customer IP address, causing the
> root servers to send the following:

Hi Krishna,

You may want to make sure a second set of eyes confirms that these are
not real responses to real queries from If you're certain
there are no outgoing queries that solicit these messages, how about
getting a peek inside those packets? If you can do that, you should
be able to get a better idea of what may be happening.

It is somewhat peculiar that the destination port is 1039 in the 3
flow records you've shown and that you're only seeing packets from 8 of
the 13 root addresses.  It's a clue, but inconclusive. It seems like it
might be legitimate traffic from a resolver that is not doing source
port randomization. Being that it's only every 15 seconds, that would seem
too slow for an attack against, poisoning or otherwise.
Could be backscatter.  I can't speak for the root ops, but I think they
would prefer you perform a bit more investigation if you can.
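
The investigation John describes, done over flow records, as an added example that is not part of his reply or anything else posted to the list: for every packet from a root-server address to the customer, look for an outbound query from the same customer port to that root shortly before it (solicited, a real response) or find none (unsolicited, a spoofing or backscatter suspect), and separately look at how many distinct source ports the customer's outbound queries use, since a single fixed port like the 1039 in the thread points at a resolver that is not randomizing. The customer address 192.0.2.10 (TEST-NET-1), the "ts src:sport dst:dport" record format and the sample records are constructed for the example; ROOT_SERVERS is a subset of well-known root-server IPv4 addresses and should be loaded from a current root hints file in real use.

```python
"""Correlate inbound root-server DNS packets with outbound queries from flow records."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# A subset of the root-server IPv4 addresses from the root hints (assumption:
# good enough for the example; load the full, current list from root.hints in practice).
ROOT_SERVERS = {
    "198.41.0.4",     # a.root-servers.net
    "192.33.4.12",    # c.root-servers.net
    "192.5.5.241",    # f.root-servers.net
    "193.0.14.129",   # k.root-servers.net
    "199.7.83.42",    # l.root-servers.net
    "202.12.27.33",   # m.root-servers.net
}


class Flow(NamedTuple):
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'ts src:sport dst:dport' record (UDP assumed)."""
    ts, src, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(float(ts), s_ip, int(s_port), d_ip, int(d_port))


def classify_responses(flows: List[Flow], customer: str,
                       window: float = 2.0) -> Dict[str, List[Flow]]:
    """Split root->customer packets into 'solicited' (an outbound query from the
    same customer port to that root preceded it within `window` seconds) and
    'unsolicited' (nothing outbound explains it: spoofed source or backscatter)."""
    # Outbound queries indexed by (root address, customer source port) -> timestamps.
    queries: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for f in flows:
        if f.src == customer and f.dst in ROOT_SERVERS and f.dport == 53:
            queries[(f.dst, f.sport)].append(f.ts)

    result: Dict[str, List[Flow]] = {"solicited": [], "unsolicited": []}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src in ROOT_SERVERS and f.sport == 53 and f.dst == customer:
            cands = queries.get((f.src, f.dport), [])
            match = next((q for q in cands if f.ts - window <= q <= f.ts), None)
            if match is None:
                result["unsolicited"].append(f)
            else:
                cands.remove(match)   # one query explains at most one response
                result["solicited"].append(f)
    return result


def query_source_ports(flows: List[Flow], customer: str) -> Set[int]:
    """Source ports the customer used for outbound DNS queries.  A set of size
    one (e.g. {1039}) means the resolver is not randomizing its source port."""
    return {f.sport for f in flows if f.src == customer and f.dport == 53}


# Constructed sample: two real query/response pairs and three root->customer
# packets with no outbound query to explain them.
SAMPLE_RECORDS = """\
0.000 192.0.2.10:1039 198.41.0.4:53
0.031 198.41.0.4:53 192.0.2.10:1039
15.000 192.33.4.12:53 192.0.2.10:1039
30.000 192.0.2.10:1039 199.7.83.42:53
30.028 199.7.83.42:53 192.0.2.10:1039
45.000 202.12.27.33:53 192.0.2.10:1039
60.000 193.0.14.129:53 192.0.2.10:1039
"""


def analyze(text: str, customer: str = "192.0.2.10") -> dict:
    """Run both checks over a blob of records and return the findings."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    classes = classify_responses(flows, customer)
    return {
        "solicited": classes["solicited"],
        "unsolicited": classes["unsolicited"],
        "query_source_ports": query_source_ports(flows, customer),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_RECORDS)
    print(f"solicited responses:   {len(report['solicited'])}")
    print(f"unsolicited packets:   {len(report['unsolicited'])}")
    for f in report["unsolicited"]:
        print(f"  t={f.ts:7.3f} {f.src}:{f.sport} -> {f.dst}:{f.dport}  (no matching query)")
    print(f"customer query ports:  {sorted(report['query_source_ports'])}")
```

If the unsolicited list is empty after a capture covering a few of the 15-second intervals, the packets are ordinary responses to the customer's own queries; if it is not, the next step is the one John suggests, a look at the payload of those packets (question section, transaction ID, RCODE) to tell backscatter from responses to spoofed queries.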


More information about the NANOG mailing list