# 1924, Tue 22 May 01 (PST) # # dns-root.srl: DNS response to root nameservers # # Nevil Brownlee, CAIDA | The University of Auckland define DNS = 53; # defines from flowhash.h define PP_ICMP_ECHO = 1; # Packet-Pairs for TurnaroundTimes define PP_UDP_DNS = 11; define PP_TCP = 192; # 0xC0 plus low-order bits as follows .. define PP_OK_SYNACK = 1; # ->SYN, <-SYN+ACK pairs define PP_OK_SYNRST = 2; # ->SYN, <-SYN+RST pairs define PP_OK_MULTI = 8; # ->DATA, <-ACK for more than one packet define PP_OK_SINGLE = 16; # ->DATA, <-ACK 'lone' packet define PP_OK_INGROUP = 32; # ->DATA, <-ACK single packet in a group # *.root-servers.net define A_ROOT = 198.41.0.4/32; # NSI, Herndon, Va define B_ROOT = 128.9.0.107/32; # ISI, USC, Ca define C_ROOT = 192.33.4.12/32; # PSI, Herndon, Va define D_ROOT = 128.8.10.90/32; # U Maryland, Md define E_ROOT = 192.203.230.10/32; # NASA Ames, Ca define F_ROOT = 192.5.5.241/32; # ISC, Palo Alto (NetBlk MIBH), Ca define G_ROOT = 192.112.36.4/32; # DoD NIC, Chantilly, Va define H_ROOT = 128.63.2.53/32; # ABRL, Abdereen, Md define I_ROOT = 192.36.148.17/32; # KTH, Stockholm define J_ROOT = 198.41.0.10/32; # NSI, Herndon, Va define K_ROOT = 193.0.14.129/32; # RIPE NCC, Amsterdam define L_ROOT = 198.32.64.12/32; # IX blocks (Bill Manning, ISI), Ca define M_ROOT = 202.12.27.33/32; # WIDE, Tokyo # *.gtld-servers.net define A_GTLD_OLD = 198.41.3.38/32; # NSI, Herndon #define B_GTLD_OLD = 203.181.106.5/32; # kdd, JPNIC-NET-JP define C_GTLD_OLD = 205.188.185.18/32; # AOL define D_GTLD_OLD = 208.206.240.5/32; # Verisign #define E_GTLD_OLD = 207.200.81.69/32; # NetScape define F_GTLD_OLD = 198.17.208.67/32; # internic-pao define G_GTLD_OLD = 198.41.3.101/32; # NSI, Herndon define H_GTLD_OLD = 216.33.75.82/32; # Exodus, Ca #define I_GTLD_OLD = 192.36.144.133/32; # D-GIX, Stockholm #define J_GTLD_OLD = 210.132.100.101/32; # kdd, JPNIC-NET-JP #define K_GTLD_OLD = 213.177.194.5/32; # GTS-NSI-UK1 #define L_GTLD_OLD = 0/32; # not yet allocated #define M_GTLD_OLD = 202.153.114.101/32; # NSI-1 Hong Kong # From 4 Mar 2001 (Verisign Global Registry Services) define A_GTLD = 192.5.6.30/32; # NSI, Herndon define B_GTLD = 203.181.106.5/32; # kdd, JPNIC-NET-JP define C_GTLD = 192.26.92.30/32; # AOL define D_GTLD = 192.31.80.30/32; # Verisign define E_GTLD = 207.200.81.69/32; # NetScape define F_GTLD = 192.35.51.30/32; # internic-pao define G_GTLD = 192.42.93.30/32; # NSI, Herndon define H_GTLD = 0/32; # Not allocated define I_GTLD = 192.36.144.133/32; # D-GIX, Stockholm define J_GTLD = 210.132.100.101/32; # kdd, JPNIC-NET-JP define K_GTLD = 213.177.194.5/32; # GTS-NSI-UK1 define L_GTLD = 192.41.162.30/32; # Verisgin, Dulles, Va define M_GTLD = 202.153.114.101/32; # NSI-1 Hong Kong # Nominum DNS servers define NOM_A1 = 198.133.199.1/32; # gns1.nominum.com anycast define NOM_A2 = 198.133.199.2/32; # gns2.nominum.com anycast define NOM_P1 = 128.177.209.146/32; # dns-02 (ibm netfinity, Washington DC) define NOM_P2 = 128.177.209.150/32; # dns-12 (sun netra, Washington DC) define NOM_P3 = 128.177.209.18/32; # dns-01 (ibm netfinity, Palo Alto CA) define NOM_P4 = 128.177.209.22/32; # dns-11 (sun netra, Palo Alto CA) define NOM_P5 = 128.177.209.82/32; # dns-00 (ibm netfinity, Redwood City CA) define NOM_P6 = 128.177.209.86/32; # dns-10 (sun netra, Redwood City CA) define TestDestAddress = # Caution: must \; to get semicolons in define text if DestPeerAddress == A_ROOT { store FlowKind := 1\; store FlowClass := 0\; } else if DestPeerAddress == B_ROOT { store FlowKind := 2\; store FlowClass := 0\; } else if DestPeerAddress == C_ROOT { store FlowKind := 3\; store FlowClass := 0\; } else if DestPeerAddress == D_ROOT { store FlowKind := 4\; store FlowClass := 0\; } else if DestPeerAddress == E_ROOT { store FlowKind := 5\; store FlowClass := 0\; } else if DestPeerAddress == F_ROOT { store FlowKind := 6\; store FlowClass := 0\; } else if DestPeerAddress == G_ROOT { store FlowKind := 7\; store FlowClass := 0\; } else if DestPeerAddress == H_ROOT { store FlowKind := 8\; store FlowClass := 0\; } else if DestPeerAddress == I_ROOT { store FlowKind := 9\; store FlowClass := 0\; } else if DestPeerAddress == J_ROOT { store FlowKind := 10\; store FlowClass := 0\; } else if DestPeerAddress == K_ROOT { store FlowKind := 11\; store FlowClass := 0\; } else if DestPeerAddress == L_ROOT { store FlowKind := 12\; store FlowClass := 0\; } else if DestPeerAddress == M_ROOT { store FlowKind := 13\; store FlowClass := 0\; } else if DestPeerAddress == A_GTLD || DestPeerAddress == A_GTLD_OLD { store FlowKind := 1\; store FlowClass := 1\; } else if DestPeerAddress == B_GTLD { store FlowKind := 2\; store FlowClass := 1\; } else if DestPeerAddress == C_GTLD || DestPeerAddress == C_GTLD_OLD { store FlowKind := 3\; store FlowClass := 1\; } else if DestPeerAddress == D_GTLD || DestPeerAddress == D_GTLD_OLD { store FlowKind := 4\; store FlowClass := 1\; } else if DestPeerAddress == E_GTLD { store FlowKind := 5\; store FlowClass := 1\; } else if DestPeerAddress == F_GTLD || DestPeerAddress == F_GTLD_OLD { store FlowKind := 6\; store FlowClass := 1\; } else if DestPeerAddress == G_GTLD || DestPeerAddress == G_GTLD_OLD { store FlowKind := 7\; store FlowClass := 1\; } else if DestPeerAddress == H_GTLD || DestPeerAddress == H_GTLD_OLD { store FlowKind := 8\; store FlowClass := 1\; } else if DestPeerAddress == I_GTLD { store FlowKind := 9\; store FlowClass := 1\; } else if DestPeerAddress == J_GTLD { store FlowKind := 10\; store FlowClass := 1\; } else if DestPeerAddress == K_GTLD { store FlowKind := 11\; store FlowClass := 1\; } else if DestPeerAddress == L_GTLD { store FlowKind := 12\; store FlowClass := 1\; } else if DestPeerAddress == M_GTLD { store FlowKind := 13\; store FlowClass := 1\; } else if DestPeerAddress == NOM_A1 { store FlowKind := 1\; store FlowClass := 2\; } else if DestPeerAddress == NOM_A2 { store FlowKind := 2\; store FlowClass := 2\; } else if DestPeerAddress == NOM_P1 { store FlowKind := 3\; store FlowClass := 2\; } else if DestPeerAddress == NOM_P2 { store FlowKind := 4\; store FlowClass := 2\; } else if DestPeerAddress == NOM_P3 { store FlowKind := 5\; store FlowClass := 2\; } else if DestPeerAddress == NOM_P4 { store FlowKind := 6\; store FlowClass := 2\; } else if DestPeerAddress == NOM_P5 { store FlowKind := 7\; store FlowClass := 2\; } else if DestPeerAddress == NOM_P6 { store FlowKind := 8\; store FlowClass := 2\; } else store FlowKind := 0; define UCSD_SUB = 132.239/16; define UCSD_EXTRN = 137.110/16; define UCSD_CERF = 199.105.0/18; define CAIDA = 192.172.226/24; define SDSC_APOLLO = 192.31.21/24; define SDSCNET_CBLK = 198.202.64/18; # Salk Institute define UCSD = 128.54/16; define MPL106 = 192.135.237/24; define MPL4 = 192.135.238/24; define SDSC2 = 132.249/16; define SCRIPPSNET_BIG = 137.131/16; # Scripps Research Institute define HYPERNET = 153.105/16; # Dimension Systems, Poway define NET_NSI = 198.133.185/24; # Neurosciences institute define SDSCFDDIDMZ = 198.17.46/24; define UCSD_NETS = UCSD, UCSD_SUB, UCSD_EXTRN, MPL106, MPL4, UCSD_CERF; define SDSC_NETS = SDSC2, SCRIPPSNET_BIG, HYPERNET, SDSC_APOLLO, CAIDA, SDSCFDDIDMZ, SDSCNET_CBLK, NET_NSI; #define SOURCE_NETS = UCSD_NETS, SDSC_NETS; define SOURCE_NETS = UCSD_SUB, # 132.239/16 UCSD_EXTRN, # 137.110/16 UCSD_CERF; # 199.105.0/18 optimise 3; if SourcePeerType == IPv4 save; else ignore; # Not IP if SourceTransType == UDP save; else ignore; # Not UDP TestDestAddress; # Sets FlowKind if FlowKind == 0 nomatch; # Not a root nameserver else { if DestTransAddress == DNS save; # Avoid 'match on non_DNS flow' msg else ignore; # Not going to DNS port (shouldn't happen for roots) if SourcePeerAddress == (SOURCE_NETS) { # if SourcePeerAddress == (SOURCE_NETS) save, { save ToTurnaroundTime1 = 50.11.0!0 & 2.3.7!700; # 50 buckets, PP_UDP_DNS, log scale, 10**3 => 7..700 ms count; } } set dns_root_ucsd; format FlowRuleSet FlowIndex FirstTime SourcePeerType SourceTransType " " FlowKind FlowClass # SourcePeerAddress " " ToPDUs FromPDUs " " ToLostPDUs FromLostPDUs " (" ToTurnaroundTime1 ")";