Delegation problem ??
Brad Knowles
brad.knowles at skynet.be
Mon Oct 1 14:54:23 UTC 2001
At 11:15 AM +0200 10/1/01, Raphaël Berghmans wrote:
> We've got a domain : irisnet.be, and we delegate a sub-domain:
> arp.irisnet.be.
>
> The parent and the child are properly configured, but the parent very
> often sends a request to its child. The output of tcpdump:
>
> 11:00:24.007336 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 29049 (32)
> 11:01:36.007342 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 9183 (32)
> 11:03:47.007362 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 33079 (38)
> 11:04:45.007327 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 30180 (32)
> 11:05:23.007349 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 56829 (39)
> 11:07:01.007326 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 1794 (31)
> 11:11:27.007336 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 52533 (38)
> 11:13:14.007327 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 32005 (32)
> 11:14:51.007326 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 39799 (32)
> 11:14:54.007327 ns.irisnet.be.domain > dns.arp.irisnet.be.domain: 40832 (39)
>
> Could you please tell me why?
Hmm. It's hard to say, not knowing what the contents of these
packets are. Doing some general debugging on your domains turns up a
heck of a lot of problems, however:
% doc -v irisnet.be
Doc-2.2.3: doc -v irisnet.be
Doc-2.2.3: Starting test of irisnet.be. parent is be.
Doc-2.2.3: Test date - Mon Oct 1 10:27:00 EDT 2001
soa @auth02.ns.uu.net. for be. has serial: 2001100100
soa @dns.cs.kuleuven.ac.be. for be. has serial: 2001100100
soa @master.dns.be. for be. has serial: 2001100100
soa @ns.belnet.be. for be. has serial: 2001100100
soa @ns.eu.net. for be. has serial: 2001100100
soa @secdns.eunet.be. for be. has serial: 2001100100
soa @sunic.sunet.se. for be. has serial: 2001100100
SOA serial #'s agree for be. domain
Found 3 NS and 3 glue records for irisnet.be. @auth02.ns.uu.net. (non-AUTH)
Found 3 NS and 3 glue records for irisnet.be. @dns.cs.kuleuven.ac.be. (non-AUTH)
Found 3 NS and 3 glue records for irisnet.be. @master.dns.be. (non-AUTH)
Found 4 NS and 4 glue records for irisnet.be. @ns.belnet.be. (AUTH)
Found 3 NS and 3 glue records for irisnet.be. @ns.eu.net. (non-AUTH)
Found 3 NS and 3 glue records for irisnet.be. @secdns.eunet.be. (non-AUTH)
Found 3 NS and 3 glue records for irisnet.be. @sunic.sunet.se. (non-AUTH)
DNServers for be.
=== 1 were also authoritatve for irisnet.be.
=== 6 were non-authoritative for irisnet.be.
Servers for be. (not also authoritative for irisnet.be.)
=== agree on NS records for irisnet.be.
ERROR: NS list for irisnet.be. from parent servers differ
=== authoritative disagree with those not AUTH for irisnet.be.
*** irisnet.be..ns.auth02.ns.uu.net. Mon Oct 1 10:27:02 2001
--- irisnet.be..ns.ns.belnet.be. Mon Oct 1 10:27:02 2001
***************
*** 1,3 ****
--- 1,4 ----
dns.irisnet.be.
ns.belnet.be.
+ ns.dns.be.
ns.irisnet.be.
NS list summary for irisnet.be. from parent (be.) servers
== dns.irisnet.be. ns.belnet.be. ns.dns.be.
== ns.irisnet.be.
soa @dns.irisnet.be. for irisnet.be. serial: 2001092501
soa @ns.belnet.be. for irisnet.be. serial: 2001092501
soa @ns.dns.be. for irisnet.be. serial:
ERROR: no SOA record for irisnet.be. from ns.dns.be.
soa @ns.irisnet.be. for irisnet.be. serial: 2001092501
SOA serial #'s agree for irisnet.be.
Authoritative domain (irisnet.be.) servers agree on NS for irisnet.be.
NS list from irisnet.be. authoritative servers matches list from
=== parent (be.) servers also authoritative for irisnet.be.
Checking 2 potential addresses for hosts at irisnet.be.
== 195.244.170.4 193.190.164.4
in-addr PTR record found for 195.244.170.4
in-addr PTR record found for 193.190.164.4
Summary:
ERRORS found for irisnet.be. (count: 2)
Done testing irisnet.be. Mon Oct 1 10:27:05 EDT 2001
% doc -v arp.irisnet.be
Doc-2.2.3: doc -v arp.irisnet.be
Doc-2.2.3: Starting test of arp.irisnet.be. parent is irisnet.be.
Doc-2.2.3: Test date - Mon Oct 1 10:28:47 EDT 2001
soa @dns.irisnet.be. for irisnet.be. has serial: 2001092501
soa @ns.belnet.be. for irisnet.be. has serial: 2001092501
soa @ns.irisnet.be. for irisnet.be. has serial: 2001092501
SOA serial #'s agree for irisnet.be. domain
Found 1 NS and 1 glue records for arp.irisnet.be. @dns.irisnet.be. (non-AUTH)
Found 1 NS and 1 glue records for arp.irisnet.be. @ns.belnet.be. (non-AUTH)
Found 1 NS and 1 glue records for arp.irisnet.be. @ns.irisnet.be. (AUTH)
DNServers for irisnet.be.
=== 1 were also authoritatve for arp.irisnet.be.
=== 2 were non-authoritative for arp.irisnet.be.
Servers for irisnet.be. (not also authoritative for arp.irisnet.be.)
=== agree on NS records for arp.irisnet.be.
NS lists for arp.irisnet.be. from all irisnet.be. servers are identical
=== (both authoritative and non-authoritative for arp.irisnet.be.)
WARNING: ns.irisnet.be. claims authoritative for arp.irisnet.be.
== but no NS record at parent zone
NS list summary for arp.irisnet.be. from parent (irisnet.be.) servers
== dns.arp.irisnet.be.
soa @dns.arp.irisnet.be. for arp.irisnet.be. serial: 20
NS list from arp.irisnet.be. authoritative servers matches list from
=== all parent (irisnet.be.) servers
Checking 1 potential addresses for hosts at arp.irisnet.be.
== 195.244.160.170
in-addr PTR record found for 195.244.160.170
Summary:
WARNINGS issued for arp.irisnet.be. (count: 1)
Done testing arp.irisnet.be. Mon Oct 1 10:28:50 EDT 2001
Using the "dnswalk" tool, I turned up so many errors that I won't
even try to list the entire output here. Let me summarize:
% dnswalk -alF irisnet.be.
Checking irisnet.be.
Getting zone transfer of irisnet.be. from ns.irisnet.be...done.
SOA=ns.irisnet.be contact=rberghmans.cirb.irisnet.be
BAD: irisnet.be NS ns.dns.be: lame NS delegation
WARN: irisnet.be MX smtp.irisnet.be: CNAME (to ns.irisnet.be)
WARN: gaia105-dialup.irisnet.be A 195.244.162.105: no PTR record
WARN: pc253.irisnet.be A 195.244.161.253: no PTR record
WARN: gaia106-dialup.irisnet.be A 195.244.162.106: no PTR record
[ ... deletia ... ]
WARN: gaia103-dialup.irisnet.be A 195.244.162.103: no PTR record
WARN: pc251.irisnet.be A 195.244.161.251: no PTR record
WARN: pc249.irisnet.be A 195.244.161.249: no PTR record
WARN: gaia104-dialup.irisnet.be A 195.244.162.104: no PTR record
WARN: pc252.irisnet.be A 195.244.161.252: no PTR record
0 failures, 497 warnings, 1 errors.
Out of these 497 warnings, you get a total of 370 "no PTR record"
messages, and 125 "MX smtp.irisnet.be: CNAME (to ns.irisnet.be)"
messages. Stripping out those two categories of messages, the
following are left:
BAD: irisnet.be NS ns.dns.be: lame NS delegation
WARN: eic.irisnet.be MX smtp.irisnet.be.irisnet.be: unknown host
WARN: stibtest.irisnet.be MX stibmail2.irisnet.be: unknown host
For the arp.irisnet.be zone, many fewer errors are returned, but
there is a very important mistake that was made in the SOA record:
% dnswalk -alF arp.irisnet.be.
Checking arp.irisnet.be.
BAD: arp.irisnet.be. has only one authoritative nameserver
Getting zone transfer of arp.irisnet.be. from dns.arp.irisnet.be...done.
SOA=dns.arp.irisnet.be contact=info at arp.irisnet.be
WARN: SOA contact name (info at arp.irisnet.be) is invalid
WARN: mail1.arp.irisnet.be A 195.244.160.181: no PTR record
WARN: www.arp.irisnet.be A 195.244.160.171: no PTR record
0 failures, 3 warnings, 1 errors.
The error messages and warnings produced by DNS Expert
Professional 1.6 (see <>) are so voluminous that I won't even attempt
to summarize them here, except to note that it finds 522 errors and
logs 157 warnings. It does note that ns.dns.be and ns.belnet.be are
lame delegations for either irisnet.be and/or arp.irisnet.be and/or
the corresponding in-addr.arpa zones for your netblock, and it also
notes that your nameserver is vulnerable to spoofing attacks.
I've confirmed for myself that your machine is acting as a public
caching nameserver, in addition to answering authoritatively for your
zones. This means that it is subject to cache poisoning attacks,
which could be used as either a denial-of-service for your network,
or as a method to help someone break into any or all of your machines:
% dig @ns.irisnet.be. ftp.shub-internet.org. +norec
; <<>> DiG 9.2.0rc3 <<>> @ns.irisnet.be. ftp.shub-internet.org. +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18376
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; QUESTION SECTION:
;ftp.shub-internet.org. IN A
;; AUTHORITY SECTION:
org. 151375 IN NS A.GTLD-SERVERS.NET.
org. 151375 IN NS G.GTLD-SERVERS.NET.
org. 151375 IN NS H.GTLD-SERVERS.NET.
org. 151375 IN NS C.GTLD-SERVERS.NET.
org. 151375 IN NS I.GTLD-SERVERS.NET.
org. 151375 IN NS B.GTLD-SERVERS.NET.
org. 151375 IN NS D.GTLD-SERVERS.NET.
org. 151375 IN NS L.GTLD-SERVERS.NET.
org. 151375 IN NS F.GTLD-SERVERS.NET.
org. 151375 IN NS J.GTLD-SERVERS.NET.
org. 151375 IN NS K.GTLD-SERVERS.NET.
org. 151375 IN NS E.GTLD-SERVERS.NET.
org. 151375 IN NS M.GTLD-SERVERS.NET.
;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 151365 IN A 192.5.6.30
G.GTLD-SERVERS.NET. 151365 IN A 192.42.93.30
H.GTLD-SERVERS.NET. 151365 IN A 192.54.112.30
C.GTLD-SERVERS.NET. 151365 IN A 192.26.92.30
I.GTLD-SERVERS.NET. 151365 IN A 192.36.144.133
B.GTLD-SERVERS.NET. 151365 IN A 192.33.14.30
D.GTLD-SERVERS.NET. 151365 IN A 192.31.80.30
L.GTLD-SERVERS.NET. 151365 IN A 192.41.162.30
F.GTLD-SERVERS.NET. 151365 IN A 192.35.51.30
J.GTLD-SERVERS.NET. 151365 IN A 210.132.100.101
K.GTLD-SERVERS.NET. 151365 IN A 213.177.194.5
E.GTLD-SERVERS.NET. 151365 IN A 192.12.94.30
M.GTLD-SERVERS.NET. 151365 IN A 202.153.114.101
;; Query time: 120 msec
;; SERVER: 193.190.164.4#53(ns.irisnet.be.)
;; WHEN: Mon Oct 1 10:50:06 2001
;; MSG SIZE rcvd: 471
% dig @ns.irisnet.be. ftp.shub-internet.org.
; <<>> DiG 9.2.0rc3 <<>> @ns.irisnet.be. ftp.shub-internet.org.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;ftp.shub-internet.org. IN A
;; ANSWER SECTION:
ftp.shub-internet.org. 3600 IN A 216.200.80.85
;; AUTHORITY SECTION:
shub-internet.org. 28800 IN NS ns.his.com.
shub-internet.org. 28800 IN NS ns2.his.com.
shub-internet.org. 28800 IN NS ns3.his.com.
;; ADDITIONAL SECTION:
ns.his.com. 3600 IN A 209.67.207.6
ns2.his.com. 3600 IN A 216.200.68.6
ns3.his.com. 3600 IN A 216.194.192.8
;; Query time: 562 msec
;; SERVER: 195.244.170.4#53(ns.irisnet.be.)
;; WHEN: Mon Oct 1 10:50:11 2001
;; MSG SIZE rcvd: 163
% dig @ns.irisnet.be. ftp.shub-internet.org. +norec
; <<>> DiG 9.2.0rc3 <<>> @ns.irisnet.be. ftp.shub-internet.org. +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49728
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.shub-internet.org. IN A
;; ANSWER SECTION:
ftp.shub-internet.org. 3597 IN A 216.200.80.85
;; AUTHORITY SECTION:
shub-internet.org. 28797 IN NS ns.his.com.
shub-internet.org. 28797 IN NS ns2.his.com.
shub-internet.org. 28797 IN NS ns3.his.com.
;; Query time: 117 msec
;; SERVER: 195.244.170.4#53(ns.irisnet.be.)
;; WHEN: Mon Oct 1 10:50:13 2001
;; MSG SIZE rcvd: 115
If you want someone to come in and do some consulting on your
network to help you get your various problems fixed, please let me
know. If I am not suitable, I know of companies in Belgium or the
Netherlands that should be more than happy to do this kind of work
for you.
--
Brad Knowles, <brad.knowles at skynet.be>
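The checks that doc and dnswalk ran above (parent servers disagreeing on the NS set, a delegated server that returns no SOA, a zone with a single nameserver) reduce to a few set comparisons. The following is an added example, not code from the original post or from either tool; the server lists and serials are constructed from the findings quoted for irisnet.be and arp.irisnet.be, and nothing is looked up on the network.

```python
"""Delegation consistency audit modelled on the doc/dnswalk checks above.
Added example with constructed data; no DNS queries are sent."""


def audit_delegation(zone, parent_ns, child_soa):
    """parent_ns: {parent server: set of NS names it returns for zone}.
    child_soa: {NS name: SOA serial, or None if that host gives no SOA}.
    Returns the findings in the order the checks run."""
    findings = []
    lists = list(parent_ns.values())
    union, common = set().union(*lists), set.intersection(*lists)
    # 1. Every parent server must hand out one and the same NS set.
    for ns in sorted(union - common):
        who = ", ".join(sorted(s for s, l in parent_ns.items() if ns in l))
        findings.append(f"ERROR: {zone} NS {ns} listed only by {who}")
    # 2. A delegated NS that returns no SOA for the zone is lame.
    for ns in sorted(union):
        if child_soa.get(ns) is None:
            findings.append(f"BAD: {zone} NS {ns}: lame NS delegation")
    # 3. The servers that do serve the zone must agree on the serial.
    serving = [ns for ns, s in child_soa.items() if s is not None]
    serials = {child_soa[ns] for ns in serving}
    if len(serials) > 1:
        findings.append(f"ERROR: {zone} SOA serials differ: {sorted(serials)}")
    # 4. RFC 1034 requires at least two nameservers for a zone.
    if len(serving) == 1:
        findings.append(f"BAD: {zone} has only one authoritative nameserver")
    return findings


# Constructed from the doc output: six be. servers list three NS for
# irisnet.be; ns.belnet.be adds a fourth (ns.dns.be) that gives no SOA.
IRISNET_PARENT = {s: {"dns.irisnet.be", "ns.belnet.be", "ns.irisnet.be"}
                  for s in ("auth02.ns.uu.net", "dns.cs.kuleuven.ac.be",
                            "master.dns.be", "ns.eu.net", "secdns.eunet.be",
                            "sunic.sunet.se")}
IRISNET_PARENT["ns.belnet.be"] = IRISNET_PARENT["ns.eu.net"] | {"ns.dns.be"}
IRISNET_CHILD = {"dns.irisnet.be": 2001092501, "ns.belnet.be": 2001092501,
                 "ns.irisnet.be": 2001092501, "ns.dns.be": None}
# arp.irisnet.be: every parent server delegates to a single host.
ARP_PARENT = {s: {"dns.arp.irisnet.be"}
              for s in ("dns.irisnet.be", "ns.belnet.be", "ns.irisnet.be")}
ARP_CHILD = {"dns.arp.irisnet.be": 20}

if __name__ == "__main__":
    for zone, p, c in (("irisnet.be", IRISNET_PARENT, IRISNET_CHILD),
                       ("arp.irisnet.be", ARP_PARENT, ARP_CHILD)):
        print("\n".join(audit_delegation(zone, p, c)) or f"{zone}: OK")
```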
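The three dig runs above form a test for a public cache: with +norec the server may only answer from what it already holds, so an out-of-zone name that was a referral before the recursive lookup and a non-authoritative answer after it was cached for, and is served to, an arbitrary client. The following is an added example, not part of the original post; it parses the quoted dig header lines (copied here as constructed input) and applies that reasoning.

```python
"""Reading a before/after pair of `dig +norec` results as an open-cache
test. Added example; the header lines are taken from the dig output
quoted in the post, and no queries are sent."""
import re

FLAGS_RE = re.compile(r";; flags:([^;]*);\s*QUERY: \d+, ANSWER: (\d+)")


def parse_header(dig_output):
    """Return (set of header flags, answer count) from dig's flags line."""
    m = FLAGS_RE.search(dig_output)
    if not m:
        raise ValueError("no dig flags line found")
    return set(m.group(1).split()), int(m.group(2))


def classify_cache_test(norec_before, norec_after):
    """norec_before / norec_after: output of the same +norec query for a
    name outside the server's own zones, sent before and after a
    recursive lookup of that name through the same server."""
    flags0, answers0 = parse_header(norec_before)
    flags1, answers1 = parse_header(norec_after)
    if "aa" in flags0 or "aa" in flags1:
        return "authoritative answer: pick a name outside the server's zones"
    if answers0 == 0 and answers1 > 0:
        return "public cache: non-authoritative data served without recursion"
    if answers0 > 0:
        return "already cached before the test: retry with an unseen name"
    if "ra" in flags0:
        return "recursion advertised (ra) but nothing was cached"
    return "referral only: recursion not offered to this client"


# Constructed from the first and third dig runs quoted above.
BEFORE = ";; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13"
AFTER = ";; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0"

if __name__ == "__main__":
    print(classify_cache_test(BEFORE, AFTER))
```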