Bind 8.2.2-P5 picking up bogus .com NS list

Mathias Körber mathias at koerber.org
Mon Aug 28 00:32:39 UTC 2000

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of Mark Suter
> Sent: Sunday, August 27, 2000 10:54 PM
> To: bind-users at isc.org
> Subject: Re: Bind 8.2.2-P5 picking up bogus .com NS list
>
>
> Folks,
>
> >     * Remove any forwarders.  If you specify a forwarder, then
> >     named will trust the answers returned.  Named assumes that
> >     the forwarder has done all the checks - to repeat the
> >     checks would amount to not using a forwarder ;)
> >
> >     You are only as good as the weakest link.  Going direct
> >     enables your nameserver to employ these "sanity checks",
> >     thus allowing your nameserver to reject bogus data.
>
> The bogus .com NS list has re-occurred.  The following are from
> named_dump.db on Cuscus.cc.uq.edu.au and Krefti.cc.uq.edu.au,
> respectively.  As you can see, we had host-statistics on ;)
>
>     com     82814   IN      NS      myifriendsns1.webpower.com.  ;Cr=auth [203.101.255.15]
>             85146   IN      SOA     webpower.com. postmaster.webpower.com. (
>                     169 10800 900 604800 86400 )    ;Cr=auth [204.180.135.105]
>
>     com     74970   IN      NS      myifriendsns1.webpower.com.  ;Cr=auth [203.101.255.15]
>             86175   IN      SOA     webpower.com. postmaster.webpower.com. (
>                     169 10800 900 604800 86400 )    ;Cr=auth [204.180.135.105]
>
> Both Cuscus and Krefti were forwarding to dns0.optus.net.au and
> ns-forward.uq.net.au.  Both of these forwarders use Bind 8.2.2-P5
> and the latter is under our control.

Do you have a dump from that server too? Are you running hoststats
on that too? It would be interesting to see where it got the info from.

rgds

>
> The bogus NS list apparently came from ns-forward.uq.net.au and
> the bogus SOA is consistent with the bogus NS list.
>
> How is this happening?  Does a misconfigured server like
> 204.180.135.105 mean any nameserver that is forwarding can pick up
> its bogus version of .com?
>
> Is it possible to have forwarders and not risk these bogus
> records?  If so, how?
>
> Yours sincerely,
>
> -- Mark John Suter  | I know that you  believe  you understand
> suter at humbug.org.au | what you think I said, but I am not sure
> GPG key id F2FEBB36 | you realise that what you  heard  is not
> Ph: +61 4 1126 2316 | what I meant.                  anonymous
>
>
> -- Attached file included as plaintext by Listar --
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.2 (GNU/Linux)
> Comment: Public key available from Keyservers or
> http://www.uq.edu.au/~suter/
>
> iD8DBQE5qStu7EsZXfL+uzYRAkKiAJ9hbn8C6ODyiSw2RcrAsiM60wT3MACfb6Vl
> l66hRmRHvlecOWpUovDq944=
> =tGNx
> -----END PGP SIGNATURE-----
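Added illustration, not part of the thread or of BIND: a small Python script that parses named_dump.db-style records like the ones quoted above, keeps the ;Cr= credibility annotation and the bracketed learned-from address that host-statistics adds, and flags NS records for a watched zone whose targets fall outside an operator-supplied list of expected nameserver domains. The sample dump text, the EXPECTED_NS allowlist (gtld-servers.net for com) and every function and class name here are assumptions made for the example; the source addresses it reports are what you would compare across the forwarder and the forwarding server to see which hop first accepted the data.

```python
import re
from dataclasses import dataclass

# Constructed sample modeled on the named_dump.db excerpt quoted in the thread.
# The ";Cr=auth [addr]" annotation records the credibility BIND assigned to the
# data and the address it was learned from (the latter needs host-statistics).
SAMPLE_DUMP = """\
; constructed sample, not a real dump
$ORIGIN .
com     82814   IN      NS      myifriendsns1.webpower.com.  ;Cr=auth [203.101.255.15]
        85146   IN      SOA     webpower.com. postmaster.webpower.com. (
                169 10800 900 604800 86400 )    ;Cr=auth [204.180.135.105]
com     172800  IN      NS      a.gtld-servers.net.  ;Cr=auth [192.0.2.53]
$ORIGIN au.
example 3600    IN      NS      ns1.example.au.  ;Cr=auth [192.0.2.10]
"""

# Assumption for the example: the nameserver domains the operator expects to
# see delegated for each zone of interest.
EXPECTED_NS = {"com": ("gtld-servers.net",)}

CR_RE = re.compile(r";\s*Cr=([^\s\[]+)(?:\s*\[([^\]]+)\])?")


@dataclass
class Record:
    owner: str        # fully qualified, lowercase, no trailing dot
    ttl: int
    rtype: str
    rdata: list       # remaining tokens (NS target, SOA fields, ...)
    credibility: str  # value of the ;Cr= annotation, "" if none
    source: str       # address the data was learned from, "" if none


def qualify(name, origin):
    """Make a zone-file owner name absolute under $ORIGIN and normalise it."""
    name = name.lower()
    if name == "@":
        name = origin
    if not name.endswith("."):
        name = name + "." if origin == "." else name + "." + origin
    return name.rstrip(".")


def parse_dump(text):
    """Parse named_dump.db style text into Record objects."""
    records, origin, last_owner = [], ".", None
    pending, inherit, cred, src = "", False, "", ""
    for raw in text.splitlines():
        m = CR_RE.search(raw)            # grab the annotation before stripping comments
        if m:
            cred, src = m.group(1), m.group(2) or ""
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if not pending:
            inherit = line[0].isspace()  # indented line reuses the previous owner
        pending += " " + line.strip()
        if pending.count("(") != pending.count(")"):
            continue                     # multi-line RDATA (SOA), keep accumulating
        tokens = pending.replace("(", " ").replace(")", " ").split()
        pending = ""
        if not inherit:
            last_owner = qualify(tokens.pop(0), origin)
        ttl = int(tokens.pop(0))
        if tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append(Record(last_owner, ttl, rtype, tokens, cred, src))
        cred, src = "", ""
    return records


def suspect_delegations(records, expected_ns):
    """NS records for a watched zone whose target lies outside the expected domains."""
    hits = []
    for r in records:
        if r.rtype != "NS" or r.owner not in expected_ns:
            continue
        target = r.rdata[0].lower().rstrip(".")
        allowed = expected_ns[r.owner]
        if not any(target == d or target.endswith("." + d) for d in allowed):
            hits.append(r)
    return hits


def source_addresses(records):
    """Addresses the flagged data was learned from, to trace the upstream hop."""
    return {r.source for r in records if r.source}


def records_for(records, zone):
    """All cached records at a zone apex, e.g. the SOA that arrived with a bogus NS."""
    return [r for r in records if r.owner == zone.lower().rstrip(".")]


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for r in suspect_delegations(recs, EXPECTED_NS):
        print(f"suspect NS for {r.owner}: {r.rdata[0]} (Cr={r.credibility}, from {r.source})")
```

Run it against a real dump by replacing SAMPLE_DUMP with the file contents; the records_for() helper pulls the SOA that was cached alongside the flagged NS so its source address can be compared with the NS record's, which is the correlation Mark's excerpt shows (NS learned from one address, SOA from another).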
