Full Disclosure mailing list archives
Re: FW: Question for DNS pros
From: Mark <fd () mchsi com>
Date: Tue, 03 Aug 2004 23:40:19 -0500
John Hall wrote:
Responses in-line... Frank Knobbe wrote:Hello John, glad to see you guys are keeping up with all the current stuff going on in lists ;) I had sent a dump earlier. It is attached again below. The TCP SYNpackets do indeed start with IPID 1 and move up to 3.
Yup, the TCP SYN packets I see do the same with the IPID. (Embarrassed I missed that the first time I looked at them.) ;)
However, these all come from the same IP address. Also, there doesn't appear to be anything in regards to "round-trip". I mean, your devices send the SYN's but nothing is coming back. Are you expecting DNS querying device to have anopen DNS port on TCP and are expecting a SYN-ACK?No, but most DNS servers *will* respond with a RST which is just as valuable for reachability and RTT measurements. We accept either response.
I disagree, if it is a DNS *server* I would think it wouldn't respond with a RST. It would respond with a SERV FAIL because it's not authoritative for that domain.
That I can understand. But what the heck is the purpose of performing two DNS queries against the host that is querying a 3DNS balanced server? Seems a bit invasive to me for measuring trip time... :)
Agreed Frank, why would they bother asking in the first place? How do you even know you are asking a DNS server? It could just be a mis-configured client. It would seem to me that would only provide you with the quickest way to query what may or may not be a DNS server that may or may not be authoritative for a domain.
In general, most sites use local forwarding DNS servers that do the recursive lookups for all the clients at that site, so our probes measure the RTT from each datacenter to that forwarding DNS server and maintain that data so we can make intelligent decisions the next time a client from that site (via that local forwarder) makes a request.In any case. I'm glad to see that there is a normal explanation for this, and this does not appear to be an attack mounted by China.
Although I think we may have resolved the issue of what is causing those strange packets... I would like to see a whitepaper or something describing how this technique improves the performance of, well; anything.
The above paragraph is off topic. E-Mail me off list if you want to discuss that topic further.
Regards, Mark _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: FW: Question for DNS pros, (continued)
- Re: FW: Question for DNS pros grutz (Aug 03)
- Re: FW: Question for DNS pros John Hall (Aug 03)
- Re: FW: Question for DNS pros Frank Knobbe (Aug 03)
- Re: FW: Question for DNS pros John Hall (Aug 03)
- Re: FW: Question for DNS pros Frank Knobbe (Aug 03)
- Re: FW: Question for DNS pros Ron DuFresne (Aug 03)
- Re: FW: Question for DNS pros John Hall (Aug 04)
- Re: FW: Question for DNS pros John Hall (Aug 04)
- Re: FW: Question for DNS pros Nils Ketelsen (Aug 04)
- Re: FW: Question for DNS pros John Hall (Aug 05)
- Re: FW: Question for DNS pros Mark (Aug 03)
- Re: FW: Question for DNS pros John Hall (Aug 04)
- Re: FW: Question for DNS pros Gary E. Miller (Aug 04)
- Re: FW: Question for DNS pros John Hall (Aug 05)
- Re: FW: Question for DNS pros Gary E. Miller (Aug 05)
- Re: FW: Question for DNS pros Paul Schmehl (Aug 03)