Probes from root servers

bmanning at bmanning at
Fri Jul 17 19:07:24 UTC 2009

On Thu, Jul 16, 2009 at 03:56:29PM -0700, Pederson, Krishna wrote:
> One of our IP addresses is being probed by up to 8 of the 13 root dns servers every 15 seconds. I'm looking for input on how to contact the admins for the servers or perhaps a way to figure out if perhaps someone is spoofing the affected customer IP address, causing the root servers to send the following:
> sh mls netflow ip destination /32 module 2
> Displaying Netflow entries in module 2
> DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f          :AdjPtr
> -----------------------------------------------------------------------------
> Pkts         Bytes         Age   LastSeen  Attributes
> ---------------------------------------------------
>    udp :dns    :1039     Fa2/11           :0x0
> 0            0             1     22:49:03   L3 - Dynamic
>    udp :dns    :1039     Fa2/11           :0x0
> 0            0             2     22:49:03   L3 - Dynamic
>   udp :dns    :1039     Fa2/11           :0x0
> 0            0             2     22:49:03   L3 - Dynamic
> Is it practical to attempt to work the issue with the root server admins or is it quite likely this is spoofing and there's no hope to track this down?
> Thanks,
> Kris

	i feel confident that you have received one or more private replies, but since 
	this is a recurent complaint, it may be worth the post.

	Root nameservers do not gratuitously send traffic. They respond to queries
	they receive.  based on the information above, has sent a query
	to the roots and they are responding as they should.

	if this is unwanted/undesired, you need to look at the source of the query,
	not the site responding to the request for information.  the root server ops
	will have no way to evaluate if the packets they receive are spoofed.

	one way to contact the root server operators is via email:
			comments at


More information about the NANOG mailing list