Chris Bennett wrote:
$ dig bsd.org @8.8.4.4 +trace
; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.4.4 +trace
;; global options: printcmd
. 7197 IN NS a.root-servers.net.
. 7197 IN NS b.root-servers.net.
. 7197 IN NS c.root-servers.net.
. 7197 IN NS d.root-servers.net.
. 7197 IN NS e.root-servers.net.
. 7197 IN NS f.root-servers.net.
. 7197 IN NS g.root-servers.net.
. 7197 IN NS h.root-servers.net.
. 7197 IN NS i.root-servers.net.
. 7197 IN NS j.root-servers.net.
. 7197 IN NS k.root-servers.net.
. 7197 IN NS l.root-servers.net.
. 7197 IN NS m.root-servers.net.
;; Received 228 bytes from 8.8.4.4#53(8.8.4.4) in 43 ms
dig: couldn't get address for 'm.root-servers.net': not found
pass ~ $ dig bsd.org @8.8.8.8 +trace
; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.8.8 +trace
;; global options: printcmd
. 7157 IN NS l.root-servers.net.
. 7157 IN NS j.root-servers.net.
. 7157 IN NS b.root-servers.net.
. 7157 IN NS h.root-servers.net.
. 7157 IN NS i.root-servers.net.
. 7157 IN NS d.root-servers.net.
. 7157 IN NS k.root-servers.net.
. 7157 IN NS g.root-servers.net.
. 7157 IN NS a.root-servers.net.
. 7157 IN NS e.root-servers.net.
. 7157 IN NS m.root-servers.net.
. 7157 IN NS f.root-servers.net.
. 7157 IN NS c.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 44 ms
dig: couldn't get address for 'i.root-servers.net': not found
Chris Bennett

Something is molesting your port 53 traffic. I'd recommend using ssh to
tunnel your DNS traffic elsewhere (Set sshd to listen on port 53 on your
local machine and redirect that traffic to a trusted machine, then set
resolvers to 127.0.0.1). A better solution might be to use unbound and
have its traffic pushed through the ssh tunnel so you can use the root
servers directly and not have to trust a DNS server owned by an
advertising company / obvious collaborator with corrupt governments
(8.8.x.x are Google's IPs).
It sounds to me like someone is trying, and failing, to do transparent
DPI on your traffic for some reason (Advertising, surveillance,
misguided attempts to 'optimize' their networks, or any number of other
possibilities).
-CA
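
As an added example (not part of the thread), this Python sketch triages a `dig +trace` transcript like the ones quoted above, reporting how many servers answered and which nameserver hostname could not be resolved. The sample transcript is constructed from the quoted pattern, and `parse_trace`, `triage` and the status strings are names chosen here.

```python
import re

# Constructed sample, shortened from the pattern in the quoted dig output.
SAMPLE = """\
; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.4.4 +trace
;; global options: printcmd
. 7197 IN NS a.root-servers.net.
. 7197 IN NS m.root-servers.net.
;; Received 228 bytes from 8.8.4.4#53(8.8.4.4) in 43 ms
dig: couldn't get address for 'm.root-servers.net': not found
"""

RECEIVED = re.compile(r"^;; Received \d+ bytes from ([^#\s]+)#\d+\(")
NO_ADDR = re.compile(r"^dig: couldn't get address for '([^']+)'")
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)")

def parse_trace(text):
    """Split dig +trace output into stages (one per answering server) and errors."""
    stages, errors, pending = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := RECEIVED.match(line):
            stages.append({"server": m.group(1), "records": pending})
            pending = []
        elif m := NO_ADDR.match(line):
            errors.append(m.group(1))
        elif m := RECORD.match(line):
            pending.append(m.groups())  # (owner, type, rdata)
    return stages, errors

def triage(text, qname):
    """Report how far the delegation walk got and where it stopped."""
    stages, errors = parse_trace(text)
    records = [r for s in stages for r in s["records"]]
    answered = any(o.rstrip(".") == qname.rstrip(".") and t in ("A", "AAAA")
                   for o, t, _ in records)
    only_root = bool(records) and all(o == "." for o, _, _ in records)
    if answered:
        status = "complete"
    elif errors and len(stages) == 1 and only_root:
        status = "stalled-after-root-priming"  # walk never got past the first server
    else:
        status = "incomplete"
    return {"status": status, "stages": len(stages),
            "last_server": stages[-1]["server"] if stages else None,
            "unresolved_ns": errors}

if __name__ == "__main__":
    print(triage(SAMPLE, "bsd.org"))
```

Running it over traces taken against several resolvers shows whether every run stalls at the same stage, which is the pattern in the two quoted runs.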