dns blacklist?
Pavel Urban
pupu at pupu.cz
Thu Jul 26 09:28:32 UTC 2012
Hello,
one of our customers asked us to take a look at a strange problem. One
address seems to 'work' in Germany, but not here. So I've tried it and
found this:
[pupu at aphrael ~]$ dig www.thomascook.de -t any
; <<>> DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 <<>> www.thomascook.de -t any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23750
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.thomascook.de. IN ANY
;; ANSWER SECTION:
www.thomascook.de. 600 IN CNAME www.thomascook.de.nsatc.net.
;; ADDITIONAL SECTION:
www.thomascook.de.nsatc.net. 300 IN A 127.0.0.2
;; Query time: 75 msec
;; SERVER: 192.168.96.11#53(192.168.96.11)
;; WHEN: Thu Jul 26 11:10:41 2012
;; MSG SIZE rcvd: 103
Well, that probably 'doesn't work', but it shouldn't work worldwide. The
strange thing appears when I try to ask differently. First, I check
authorities for this address.
[root at hactar ~]# dig www.thomascook.de -t any +trace
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> www.thomascook.de -t any +trace
;; global options: +cmd
. 449874 IN NS j.root-servers.net.
. 449874 IN NS k.root-servers.net.
. 449874 IN NS l.root-servers.net.
. 449874 IN NS m.root-servers.net.
. 449874 IN NS a.root-servers.net.
. 449874 IN NS b.root-servers.net.
. 449874 IN NS c.root-servers.net.
. 449874 IN NS d.root-servers.net.
. 449874 IN NS e.root-servers.net.
. 449874 IN NS f.root-servers.net.
. 449874 IN NS g.root-servers.net.
. 449874 IN NS h.root-servers.net.
. 449874 IN NS i.root-servers.net.
;; Received 512 bytes from 212.24.128.8#53(212.24.128.8) in 2882 ms
de. 172800 IN NS a.nic.de.
de. 172800 IN NS f.nic.de.
de. 172800 IN NS l.de.net.
de. 172800 IN NS n.de.net.
de. 172800 IN NS s.de.net.
de. 172800 IN NS z.nic.de.
;; Received 349 bytes from 198.41.0.4#53(198.41.0.4) in 1294 ms
thomascook.de. 86400 IN NS koeln.nic.xlink.net.
thomascook.de. 86400 IN NS frankfurt.nic.xlink.net.
;; Received 105 bytes from 2001:678:2::53#53(2001:678:2::53) in 515 ms
www.thomascook.de. 600 IN CNAME www.thomascook.de.nsatc.net.
thomascook.de. 1800 IN NS frankfurt.nic.xlink.net.
thomascook.de. 1800 IN NS koeln.nic.xlink.net.
;; Received 162 bytes from 193.141.43.129#53(193.141.43.129) in 37 ms
...and then I try to ask them.
[root at hactar ~]# dig @koeln.nic.xlink.net www.thomascook.de.nsatc.net -t any
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @koeln.nic.xlink.net www.thomascook.de.nsatc.net -t any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28421
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;www.thomascook.de.nsatc.net. IN ANY
;; ANSWER SECTION:
www.thomascook.de.nsatc.net. 300 IN A 87.124.38.165
;; AUTHORITY SECTION:
nsatc.net. 172800 IN NS uk-2.ns.nsatc.net.
nsatc.net. 172800 IN NS de-6.ns.nsatc.net.
nsatc.net. 172800 IN NS b.ns.nsatc.net.
nsatc.net. 172800 IN NS it-1.ns.nsatc.net.
nsatc.net. 172800 IN NS e.ns.nsatc.net.
;; ADDITIONAL SECTION:
uk-2.ns.nsatc.net. 172800 IN A 8.12.199.51
de-6.ns.nsatc.net. 172800 IN A 213.200.97.117
b.ns.nsatc.net. 172800 IN A 207.123.33.51
it-1.ns.nsatc.net. 172800 IN A 8.12.209.47
e.ns.nsatc.net. 172800 IN A 212.187.162.134
;; Query time: 36 msec
;; SERVER: 194.120.12.245#53(194.120.12.245)
;; WHEN: Thu Jul 26 11:19:36 2012
;; MSG SIZE rcvd: 233
My guess is that the ISP for thomascook.de tried to fool...err, fix the
problem for his customer by adding some extra zones to his resolvers. My
questions are - 'how is this supposed to work?' and 'is this kind of DNS
blacklisting common?'
--
***********************************************************************
Pavel Urban
Vegetables should not operate electronic equipment.
Computer Stupidities, http://rinkworks.com/stupid/
***********************************************************************
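The two dig runs above show the same name answered differently: the local resolver hands back 127.0.0.2 for www.thomascook.de.nsatc.net (127.0.0.x is the conventional "listed" return value of DNS-based blocklists, which is what makes the answer look like a blacklist hit), while the authoritative server returns a public address. The script below is an added example, not code from the original post; it parses dig output with only the Python standard library, flags A records that point into loopback, private, link-local or reserved space, and reports names where the resolver's view is non-routable but the authoritative view is public. The sample texts are constructed from the record lines in the thread; the function and variable names are my own.

```python
"""Detect resolver-side overrides by comparing dig output from a recursive
resolver against dig output from the zone's authoritative server."""
import ipaddress
import re

# Constructed samples: the record lines from the two dig runs in the thread,
# trimmed to the sections that matter (section headers keep dig's format).
RESOLVER_VIEW = """\
;; ANSWER SECTION:
www.thomascook.de. 600 IN CNAME www.thomascook.de.nsatc.net.
;; ADDITIONAL SECTION:
www.thomascook.de.nsatc.net. 300 IN A 127.0.0.2
"""

AUTHORITATIVE_VIEW = """\
;; ANSWER SECTION:
www.thomascook.de.nsatc.net. 300 IN A 87.124.38.165
;; AUTHORITY SECTION:
nsatc.net. 172800 IN NS uk-2.ns.nsatc.net.
"""

# One resource record as dig prints it: name ttl IN type rdata
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$"
)


def parse_rrs(text):
    """Return (section, name, type, rdata) for every RR line in dig output,
    tracking which section (ANSWER, AUTHORITY, ADDITIONAL) each record is in."""
    section = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]
            continue
        if not line or line.startswith(";"):
            continue  # comments, options, timing lines
        match = RR_LINE.match(line)
        if match:
            records.append((section, match["name"], match["type"], match["rdata"].strip()))
    return records


def is_nonroutable(address):
    """True for loopback, RFC 1918, link-local or otherwise reserved IPv4/IPv6."""
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved


def bogus_a_records(text):
    """A records in the given dig output whose address should never be a
    public web server: these are the hallmark of a resolver-side override."""
    return [
        (section, name, rdata)
        for section, name, rtype, rdata in parse_rrs(text)
        if rtype == "A" and is_nonroutable(rdata)
    ]


def compare_views(resolver_text, authoritative_text):
    """Map name -> (resolver address, authoritative address) for every name the
    resolver answers with a non-routable address while the authoritative
    server answers with a routable one."""
    authoritative = {
        name: rdata
        for _, name, rtype, rdata in parse_rrs(authoritative_text)
        if rtype == "A"
    }
    overrides = {}
    for _, name, rdata in bogus_a_records(resolver_text):
        real = authoritative.get(name)
        if real is not None and not is_nonroutable(real):
            overrides[name] = (rdata, real)
    return overrides


if __name__ == "__main__":
    for name, (seen, real) in compare_views(RESOLVER_VIEW, AUTHORITATIVE_VIEW).items():
        print(f"{name}: resolver says {seen}, authoritative server says {real}")
```

Feeding the script the real output of `dig @<your-resolver> NAME` and `dig @<authoritative-NS> NAME` (captured separately, since it reads text rather than making queries) gives a quick way to tell a resolver-side block from a broken zone: a loopback answer that the authoritative server does not produce comes from the resolver, not from the domain owner.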