[162949] in North American Network Operators' Group


Re: Open Resolver List, New Orleans, etc..

daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu May 9 20:32:22 2013

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <Pine.LNX.4.61.1305091926530.17328@soloth.lewis.org>
Date: Thu, 9 May 2013 20:32:03 -0400
To: Jon Lewis <jlewis@lewis.org>
Cc: "nanog@nanog.org Group" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On May 9, 2013, at 7:32 PM, Jon Lewis <jlewis@lewis.org> wrote:

> On Thu, 9 May 2013, Jared Mauch wrote:
>
>> Some interesting data: about 46% of the IPs that respond to a DNS query do not respond from port 53, meaning they are "broken" in some interesting way.
>
> Maybe I'm not being very imaginative, but how can something from !53 be considered a DNS response to a query sent to port 53?  Can you give some examples of the sorts of packets that fall into this rather large % of ill-behaved hosts?  Are you sure you're not treating things like icmp port unreachable as a "!udp/53 src response"?

IP1:Port:IP-Probed:Responding-IP:time_t:RCODE:RA:CorrectAnswerInPacket

Here's a sample excerpt:

IP1:14474:122.177.40.2:NULL:1367712184.690540:0:1:1
IP1:10316:123.26.39.2:NULL:1367712184.690683:0:1:1
IP1:15218:5.11.41.2:NULL:1367712184.691114:0:1:1
IP1:21388:186.31.41.2:NULL:1367712184.691402:0:1:1
IP1:11161:87.21.41.2:NULL:1367712184.691693:0:1:1
IP1:23884:88.249.40.2:NULL:1367712184.692264:0:1:1
IP1:12707:77.51.41.2:NULL:1367712184.692833:0:1:1
IP1:16290:190.86.41.2:NULL:1367712184.693118:0:1:1
IP1:10169:151.48.41.2:NULL:1367712184.694703:0:1:1
IP1:20885:112.209.40.2:NULL:1367712184.694992:0:1:1

I have the raw packet data for these.  They were on a UDP socket, not some tcpdump output parsing snafu… :)

I have many more of these in the dataset.  I'm thinking about flagging those that aren't from udp/53 and giving a pointer to things like CPE device firmware that causes problems.  I've got a lot of private data on that which I can't share, either because the vendor is delivering fixed firmware or something else.

- Jared


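As an added example (not Jared's scanner, nor any code posted to this thread), the following Python parses records in the field layout quoted above, `IP1:Port:IP-Probed:Responding-IP:time_t:RCODE:RA:CorrectAnswerInPacket`, and separates replies that came back from udp/53 from those that did not, while also checking whether an off-port reply still carried a correct answer with RA set. The field meanings are inferred from the header line alone; the reading of `NULL` as "no separate responding address recorded" is an assumption, and the extra records with RFC 5737 test addresses are constructed so that the udp/53 share is non-zero. Because these records are built from datagrams received on the UDP socket, an ICMP port unreachable never shows up as a record, which is the point Jared makes in his reply.

```python
"""Classify open-resolver probe replies by UDP source port.

Record layout (from the thread):
    IP1:Port:IP-Probed:Responding-IP:time_t:RCODE:RA:CorrectAnswerInPacket

Added example; field semantics are inferred from that header line only.
Only IPv4 is handled: the format is colon-delimited, so an IPv6 address
would break the split.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

DNS_PORT = 53


@dataclass(frozen=True)
class ProbeRecord:
    prober: str                    # "IP1" in the post (prober's address, redacted)
    src_port: int                  # UDP source port the reply came back from
    probed_ip: str                 # address the query was sent to, on udp/53
    responding_ip: Optional[str]   # "NULL" in the samples -> None (assumed meaning)
    timestamp: float               # time_t with microseconds
    rcode: int                     # RCODE from the reply header
    ra: bool                       # Recursion Available bit
    correct_answer: bool           # reply carried the expected answer


def parse_record(line: str) -> ProbeRecord:
    """Parse one colon-separated record; raise on a malformed line."""
    fields = line.strip().split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    prober, port, probed, responder, ts, rcode, ra, correct = fields
    return ProbeRecord(
        prober=prober,
        src_port=int(port),
        probed_ip=probed,
        responding_ip=None if responder == "NULL" else responder,
        timestamp=float(ts),
        rcode=int(rcode),
        ra=(ra == "1"),
        correct_answer=(correct == "1"),
    )


def is_working_reply(r: ProbeRecord) -> bool:
    """NOERROR, RA set and the right answer: a usable open resolver,
    whatever port the reply came from."""
    return r.rcode == 0 and r.ra and r.correct_answer


def not_from_dns_port(r: ProbeRecord) -> bool:
    """Jared's 'broken in some interesting way' case: reply src port != 53."""
    return r.src_port != DNS_PORT


def summarize(lines: Iterable[str]) -> Dict[str, float]:
    recs: List[ProbeRecord] = [parse_record(l) for l in lines if l.strip()]
    off_port = [r for r in recs if not_from_dns_port(r)]
    off_port_working = [r for r in off_port if is_working_reply(r)]
    total = len(recs)
    return {
        "total": total,
        "from_port_53": total - len(off_port),
        "not_from_port_53": len(off_port),
        "not_from_53_but_correct": len(off_port_working),
        "share_not_from_53": (len(off_port) / total) if total else 0.0,
    }


# The ten records quoted in the post, followed by constructed records
# (RFC 5737 TEST-NET addresses) so both classes are present.
SAMPLE_RECORDS = """
IP1:14474:122.177.40.2:NULL:1367712184.690540:0:1:1
IP1:10316:123.26.39.2:NULL:1367712184.690683:0:1:1
IP1:15218:5.11.41.2:NULL:1367712184.691114:0:1:1
IP1:21388:186.31.41.2:NULL:1367712184.691402:0:1:1
IP1:11161:87.21.41.2:NULL:1367712184.691693:0:1:1
IP1:23884:88.249.40.2:NULL:1367712184.692264:0:1:1
IP1:12707:77.51.41.2:NULL:1367712184.692833:0:1:1
IP1:16290:190.86.41.2:NULL:1367712184.693118:0:1:1
IP1:10169:151.48.41.2:NULL:1367712184.694703:0:1:1
IP1:20885:112.209.40.2:NULL:1367712184.694992:0:1:1
IP1:53:192.0.2.10:NULL:1367712184.700000:0:1:1
IP1:53:198.51.100.7:NULL:1367712184.700100:0:1:1
IP1:53:203.0.113.3:NULL:1367712184.700200:0:1:1
IP1:40001:203.0.113.9:NULL:1367712184.700300:2:0:0
""".strip().splitlines()


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key:>24}: {value}")
```

Running it over the constructed dataset prints the counts of replies from and not from udp/53 and how many of the off-port replies were nonetheless correct answers; the last constructed line (SERVFAIL, RA clear, wrong answer, high source port) is the kind of record that a simple "any UDP reply counts" rule would wrongly tally as a resolver.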