possible interoperability issue with Win2K3 name-server
Danny Thomas
d.thomas at its.uq.edu.au
Sun Sep 17 00:17:24 UTC 2006
While this message describes an apparently bogus response from the
Microsoft Windows 2003 DNS server, there are two points relevant
to bind:
1) bind9's dig refuses to print the response (more a curiosity)
2) while I've only seen such responses from cached records, without
knowing the full scope of the problem there exists the potential for
interoperability issues with bind
I'd be grateful if anyone else can shed light on this behaviour or
knows an effective way to raise the issue with Microsoft, e.g. to
identify:
1) that it is a problem
2) whether the scope of the problem might extend beyond cached
records, i.e. possible interoperability issues if bind
ignores records with more than 16-odd copies of the SOA record
in the authority section
3) the likelihood of a patch
BACKGROUND
=========================================================================
I've written a script to survey name-servers running on our network,
which include many from a default install of Active Directory.
Unfortunately these often have their own separate version of zones,
though I was pleasantly surprised to find nearly all forwarding
through our central name-servers (mainly by checking whether rfc1918
reverse zones come from the IANA blackholes).
NB one motivation for the survey was to identify MS name-servers
so they can be shut down. But it's not as simple as disabling the
name-server, as that can result in domain logins taking 10 minutes.
We'll need to get our MS sysadmins to resolve the slow logins
before we can start shutting them down en masse.
Part of the survey uses fpdns (http://www.rfc.se/fpdns/) to fingerprint
the name-server software, but fpdns fails for all name-servers
exhibiting the following problem. NB fingerprinting fails for quite
a few non-Microsoft name-servers too. While a few Microsoft systems
seem to be successfully fingerprinted, only NT and Win2K versions
are reported. The apparent problem fingerprinting Win2K3's name-server
is something I'll take up on the fpdns list, but nmap OS fingerprinting
indicates the following problem happens on Win2K3 systems.
THE PROBLEM
=========================================================================
An SOA query is done for the zones in the master named.conf, and many
of the MS servers return a truncated response for most of the 1,400-odd
zones. Curiously, doing an ANY query works fine. While bind-8.3
has no problem printing the response, the bind9 dig reports:
;; Truncated, retrying in TCP mode.
;; Got bad packet: too many hops
1884 bytes
followed by a hex dump of the response. Using bind-9.4.0b1's dig
after increasing DNS_POINTER_MAXHOPS in lib/dns/include/dns/name.h
from 16 -> 64 prints out similarly to bind8's dig:
bin/dig/dig @130.102.198.22 awmc.uq.edu.au soa
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.4.0b1 <<>> @130.102.198.22 awmc.uq.edu.au soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 50, ADDITIONAL: 0
;; QUESTION SECTION:
;awmc.uq.edu.au. IN SOA
;; ANSWER SECTION:
awmc.uq.edu.au. 2282 IN SOA
noddns.cc.uq.edu.au. hostmaster.uq.edu.au. 2006091502 10800 1800 3600000 3600
;; AUTHORITY SECTION:
cc.uq.edu.au. 2256 IN SOA
noddns.cc.uq.edu.au. hostmaster.uq.edu.au. 2006091501 10800 1800 3600000 3600
cc.uq.edu.au. 2256 IN SOA
noddns.cc.uq.edu.au. hostmaster.uq.edu.au. 2006091501 10800 1800 3600000 3600
<48 more copies of this SOA record>
;; Query time: 4 msec
;; SERVER: 130.102.198.22#53(130.102.198.22)
;; WHEN: Sun Sep 17 08:30:20 2006
;; MSG SIZE rcvd: 1892
I'm not suggesting DNS_POINTER_MAXHOPS should be increased as I expect
there were reasons/experience to suggest 16 was adequate.
NB the SOA query seems to behave properly when un-cached (response
has aa and full TTL), and (sometimes?) another SOA query works
properly with the result coming from the cache (no aa and reduced
TTL) before subsequent responses have these 50 SOA records in the
authority section.
Danny
--
d.thomas at its.uq.edu.au Danny Thomas,
+61-7-3365-8221 Software Infrastructure,
http://www.its.uq.edu.au ITS, The University of Queensland
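The "too many hops" message in the post comes from BIND's name decompressor, which follows at most DNS_POINTER_MAXHOPS (16) compression pointers while decoding a single name. The script below is an added illustration, not part of Danny's message and not BIND's or Microsoft's code: it reimplements that hop-counting check in Python and then builds a constructed response in which every copy of the authority-section SOA compresses its owner name as a pointer to the previous copy's owner, so decoding the nth copy takes n hops. That chained layout is an assumption made here to reproduce the symptom (the post does not say how the Win2K3 server compressed its repeated records); the names, TTLs, serials and message id are copied from the dig output above, but the packet bytes are constructed.

```python
import struct

MAXHOPS = 16        # BIND 9 default DNS_POINTER_MAXHOPS (lib/dns/include/dns/name.h)
SOA, IN = 6, 1

class TooManyHops(Exception):
    pass

def read_name(msg, start, maxhops=MAXHOPS):
    """Decompress the name at `start`, counting pointer hops as BIND does.
    Returns (name, end, hops); `end` is the offset just past the name's bytes."""
    labels, hops, off, bound, end = [], 0, start, start, None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        c = msg[off]
        if c & 0xC0 == 0xC0:                       # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((c & 0x3F) << 8) | msg[off + 1]
            end = off + 2 if end is None else end
            if target >= bound:                    # RFC 1035: must point backwards
                raise ValueError("bad compression pointer")
            hops += 1
            if hops > maxhops:
                raise TooManyHops("too many hops: %d > %d" % (hops, maxhops))
            bound = off = target
            continue
        if c & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if c == 0:
            return (".".join(labels) + "." if labels else "."), (end or off), hops
        labels.append(msg[off:off + c].decode("ascii"))
        off += c

def parse_rr(msg, off, maxhops):
    owner, off, hops = read_name(msg, off, maxhops)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == SOA:                               # MNAME/RNAME may be compressed too
        mname, p, h1 = read_name(msg, off, maxhops)
        rname, p, h2 = read_name(msg, p, maxhops)
        serial = struct.unpack("!I", msg[p:p + 4])[0]
        rdata, hops = (mname, rname, serial), max(hops, h1, h2)
    else:
        rdata = bytes(msg[off:off + rdlen])
    return (owner, rtype, ttl, rdata), off + rdlen, hops

def parse_message(msg, maxhops=MAXHOPS):
    """Walk every section as a resolver would. Returns (records, deepest, error):
    records decoded, longest pointer chain seen, and (like dig) the first failure."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, records, deepest = 12, [], 0
    try:
        for _ in range(qd):
            _, off, hops = read_name(msg, off, maxhops)
            off, deepest = off + 4, max(deepest, hops)  # skip QTYPE/QCLASS
        for _ in range(an + ns + ar):
            rr, off, hops = parse_rr(msg, off, maxhops)
            records.append(rr)
            deepest = max(deepest, hops)
    except (TooManyHops, ValueError) as exc:
        return records, deepest, str(exc)
    return records, deepest, None

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def pointer(off):
    return struct.pack("!H", 0xC000 | off)

def build_response(copies):
    """Constructed reply to 'awmc.uq.edu.au SOA' with `copies` identical
    cc.uq.edu.au SOA records in AUTHORITY. Assumed layout: each copy's owner
    name is a pointer to the previous copy's owner, so copy n costs n hops."""
    msg = bytearray(struct.pack("!HHHHHH", 26092, 0x8180, 1, 1, copies, 0))
    msg += encode_name("awmc.uq.edu.au.") + struct.pack("!HH", SOA, IN)
    uq = 17                                        # "uq.edu.au" inside the question name
    mname = b"\x06noddns\x02cc" + pointer(uq)
    rname = b"\x0ahostmaster" + pointer(uq)
    msg += pointer(12) + struct.pack("!HHIH", SOA, IN, 2282, len(mname) + len(rname) + 20)
    mname_off = len(msg)
    msg += mname
    rname_off = len(msg)
    msg += rname + struct.pack("!IIIII", 2006091502, 10800, 1800, 3600000, 3600)
    prev = None
    for _ in range(copies):
        here = len(msg)
        msg += pointer(prev) if prev is not None else b"\x02cc" + pointer(uq)
        prev = here
        rdata = pointer(mname_off) + pointer(rname_off) + struct.pack(
            "!IIIII", 2006091501, 10800, 1800, 3600000, 3600)
        msg += struct.pack("!HHIH", SOA, IN, 2256, len(rdata)) + rdata
    return bytes(msg)

if __name__ == "__main__":
    for copies, limit in ((16, 16), (17, 16), (50, 16), (50, 64)):
        recs, deepest, err = parse_message(build_response(copies), limit)
        print("%d copies, maxhops=%d: %d records, deepest %d, %s" % (copies, limit, len(recs), deepest, err or "ok"))
```

With the default limit the 16-copy message parses and the 17-copy one fails on its last record, while raising the limit to 64 lets all 50 copies through, which is the 16 -> 64 experiment from the post. The backward-pointer check is what keeps the loop finite regardless of the hop limit; a hop limit alone is a defence against deep chains, not against malformed pointers. Incidentally, the constructed 50-copy packet comes out at 1892 bytes, the same MSG SIZE dig reported; that is consistent with the chained layout assumed here but does not prove that is how the Microsoft server laid out its response.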