Automatic . NS queries from BIND
Kevin Oberman
rkoberman at gmail.com
Mon Jun 15 19:06:02 UTC 2015
On Mon, Jun 15, 2015 at 5:56 AM, Gaurav Kansal <gaurav.kansal at nic.in> wrote:
> Dear Team,
>
>
>
> My caching DNS server is generating log of . NS queries to ROOT Servers.
>
> I have a hint file in my bind configuration and the same is up-to date.
>
>
>
> The same behavior is occurring in multiple versions of BIND (tested on
> 9.7, 9.9 and on 9.10).
>
>
>
> It must be for some purpose (may be BIND doesn’t trust hint file and cross
> check it from root servers).
>
> Can anyone put some light on this.
>
>
>
>
>
> *Sample tcpdump output :-*
>
> 15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907
> [1au] NS? . (28)
>
> 15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain: 3841
> [1au] NS? . (28)
>
> 15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain: 6314
> [1au] NS? . (28)
>
> 15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain: 27973
> [1au] NS? . (28)
>
> 15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519
> [1au] NS? 117.240.177.150. (44)
>
> 15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400
> [1au] NS? 1.mr. (33)
>
> 15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+
> [1au] NS? . (28)
>
> 15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain: 55928+
> [1au] NS? . (28)
>
> 15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain: 7266+
> [1au] NS? . (28)
>
> 15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129
> [1au] NS? comp-HP. (36)
>
> 16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain: 8774+
> [1au] NS? . (28)
>
> 16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain: 63433+
> [1au] NS? . (28)
>
> 16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain: 48439+
> [1au] NS? . (28)
>
> 16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain: 5347+
> [1au] NS? . (28)
>
> 16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain: 54768+
> [1au] NS? . (28)
>
> 16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771
> [1au] NS? 116.73.202.141. (43)
>
> 16:51:14.835539 IP anydnsmby.19616 > i.root-servers.net.domain: 14926
> [1au] NS? 116.73.202.141. (43)
>
> 17:25:16.706395 IP anydnsmby.58045 > i.root-servers.net.domain: 30880
> [1au] NS? 2.mr. (33)
>
> 17:25:16.707072 IP anydnsmby.38495 > i.root-servers.net.domain: 43451
> [1au] NS? 6.mr. (33)
>
> 17:25:16.707989 IP anydnsmby.35834 > i.root-servers.net.domain: 61843
> [1au] NS? 3.mr. (33)
>
> 17:56:44.855060 IP anydnsmby.61903 > a.root-servers.net.domain: 23284
> [1au] NS? 172.192.168.2. (42)
>
>
>
> Regards,
>
> Gaurav Kansal
>
>
Bind has never trusted your hints file. (OK, I can't swear to v4.x of BIND,
even though I did use 4.3 a very long time ago.)
The file is called a hints file as it is used only to provide a starting
place for your named to find the root. It's really not even needed in most
cases as BIND now has a built-in set of hints that are used in the absence
of a hints file. Yo0u really only need a hits file if you are using a
non-standard (usually internal) root.
Once named "finds" a responsive root from either its internal list or from
the hints file, the hints are ignored. It gets a copy of the root zone and
starts to figure out the fastest one for normal use. Periodically it will
retry other root servers to make sure that it is always using a reasonably
fast responding one. I'll admit to being unfamiliar with the algorithm used
to make these periodic checks.
--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150615/26faf4e9/attachment.html>
More information about the bind-users
mailing list