Automatic . NS queries from BIND

Mon Jun 15 19:11:28 UTC 2015

On Mon, Jun 15, 2015 at 3:06 PM, Kevin Oberman <rkoberman at gmail.com> wrote:
> On Mon, Jun 15, 2015 at 5:56 AM, Gaurav Kansal <gaurav.kansal at nic.in> wrote:
>>
>> Dear Team,
>>
>>
>>
>> My caching DNS server is generating log of . NS queries to ROOT Servers.
>>
>> I have a hint file in my bind configuration and the same is up-to date.
>>
>>
>>
>> The same behavior is occurring in multiple versions of BIND (tested on
>> 9.7, 9.9 and on 9.10).
>>
>>
>>
>> It must be for some purpose (may be BIND doesn’t trust hint file and cross
>> check it from root servers).
>>
>> Can anyone put some light on this.
>>
>>
>>
>>
>>
>> Sample tcpdump output :-
>>
>> 15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain:  38907
>> [1au] NS? . (28)
>>
>> 15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain:  3841
>> [1au] NS? . (28)
>>
>> 15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain:  6314
>> [1au] NS? . (28)
>>
>> 15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain:  27973
>> [1au] NS? . (28)
>>
>> 15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain:  53519
>> [1au] NS? 117.240.177.150. (44)
>>
>> 15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain:  62400
>> [1au] NS? 1.mr. (33)
>>
>> 15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain:  54241+
>> [1au] NS? . (28)
>>
>> 15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain:  55928+
>> [1au] NS? . (28)
>>
>> 15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain:  7266+
>> [1au] NS? . (28)
>>
>> 15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain:  4129
>> [1au] NS? comp-HP. (36)
>>
>> 16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain:  8774+
>> [1au] NS? . (28)
>>
>> 16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain:  63433+
>> [1au] NS? . (28)
>>
>> 16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain:  48439+
>> [1au] NS? . (28)
>>
>> 16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain:  5347+
>> [1au] NS? . (28)
>>
>> 16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain:  54768+
>> [1au] NS? . (28)
>>
>> 16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain:  52771
>> [1au] NS? 116.73.202.141. (43)
>>
>> 16:51:14.835539 IP anydnsmby.19616 > i.root-servers.net.domain:  14926
>> [1au] NS? 116.73.202.141. (43)
>>
>> 17:25:16.706395 IP anydnsmby.58045 > i.root-servers.net.domain:  30880
>> [1au] NS? 2.mr. (33)
>>
>> 17:25:16.707072 IP anydnsmby.38495 > i.root-servers.net.domain:  43451
>> [1au] NS? 6.mr. (33)
>>
>> 17:25:16.707989 IP anydnsmby.35834 > i.root-servers.net.domain:  61843
>> [1au] NS? 3.mr. (33)
>>
>> 17:56:44.855060 IP anydnsmby.61903 > a.root-servers.net.domain:  23284
>> [1au] NS? 172.192.168.2. (42)
>>
>>
>>
>> Regards,
>>
>> Gaurav Kansal
>>
>>
>
> Bind has never trusted your hints file. (OK, I can't swear to v4.x of BIND,
> even though I did use 4.3 a very long time ago.)
>
> The file is called a hints file as it is used only to provide a starting
> place for your named to find the root. It's really not even needed in most
> cases as BIND now has a built-in set of hints that are used in the absence
> of a hints file. Yo0u really only need a hits file if you are using a
> non-standard (usually internal) root.
>
> Once named "finds" a responsive root from either its internal list or from
> the hints file, the hints are ignored. It gets a copy of the root zone and
> starts to figure out the fastest one for normal use. Periodically it will
> retry other root servers to make sure that it is always using a reasonably
> fast responding one. I'll admit to being unfamiliar with the algorithm used
> to make these periodic checks.


Yah, as Kevin says, this is normal -- for more details:
https://tools.ietf.org/html/draft-ietf-dnsop-resolver-priming-05

W


> --
> Kevin Oberman, Network Engineer, Retired
> E-mail: rkoberman at gmail.com
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf