[159683] in North American Network Operators' Group
=?utf-8?Q?Re=3A_Intermittent_incorrect_DNS_resolution=3F?=
daemon@ATHENA.MIT.EDU (Erik Levinson)
Thu Jan 17 20:48:25 2013
Date: Thu, 17 Jan 2013 20:48:10 -0500 (EST)
From: "Erik Levinson" <erik.levinson@uberflip.com>
To: "Damian Menscher" <damian@google.com>,
"NANOG mailing list" <nanog@nanog.org>
In-Reply-To: <1358473378.51099764@apps.rackspace.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Upon further investigation, in this particular Google case, it seems to be =
a customer's CNAME to a record of theirs which is an actual A record to our=
old IP, contrary to our instructions (we tell everyone to CNAME us, so we =
can change IPs as we wish, which we've done for the first time this year). =
So there is no Google problem.=0A=0A-----Original Message-----=0AFrom: "Eri=
k Levinson" <erik.levinson@uberflip.com>=0ASent: Thursday, January 17, 2013=
8:42pm=0ATo: "Damian Menscher" <damian@google.com>=0ACc: "NANOG mailing li=
st" <nanog@nanog.org>=0ASubject: Re: Intermittent incorrect DNS resolution?=
=0A=0AThanks Damian. I see four requests with Google UAs from actual Google=
IPs, 66.249.73.45 and 66.249.73.17 (PTR and rwhois seem yours for both), i=
n a period of 30 minutes (compared to over 80 per minute on the new IPs). T=
his is pretty low, so I'm not too worried. =0A=0ABaidu is the main culprit =
now; there's little other traffic. In fact, we're getting no traffic from B=
aidu on the new IPs, only to the old ones. I've already e-mailed their spid=
er help e-mail, but it's fallen on deaf ears.=0A=0AErik=0A=0A-----Original =
Message-----=0AFrom: "Damian Menscher" <damian@google.com>=0ASent: Thursday=
, January 17, 2013 1:58pm=0ATo: "Erik Levinson" <erik.levinson@uberflip.com=
>=0ACc: "NANOG mailing list" <nanog@nanog.org>=0ASubject: Re: Intermittent =
incorrect DNS resolution?=0A=0AOn Wed, Jan 16, 2013 at 8:09 PM, Erik Levins=
on=0A<erik.levinson@uberflip.com>wrote:=0A=0A> To give an idea of the scale=
of the problem right now, I'm getting=0A> thousands of requests per minute=
to a new IP vs. about two requests per=0A> minute on the equivalent old IP=
, with over 60% of the latter being Baidu,=0A> but also a bit of Googlebot =
and other random bot and non-bot UAs.=0A>=0A=0AIt's common for malware to s=
poof the Googlebot user-agent since they know=0Amost webmasters won't block=
it. You might want to check whether the IPs=0Ayou're seeing it from are r=
eally allocated to us -- if so, I'd be=0Ainterested in tracking down why we=
're crawling your old IP.=0A=0ADamian=0A=0A
