DNS Tracing

Kevin Darcy kcd at daimlerchrysler.com
Wed Jul 12 00:32:50 UTC 2000


My compliments to your superior sleuthing, Jim! You hit the nail on the
head.

The only thing I'd add is that ecs1.altamente.com is almost certainly a
server for some other domain; my experience has been that Network
Solutions has been pretty good about removing host records (and the glue
records associated with them), when their reference count drops to zero.
If this is true, then I doubt that NSI will permit immediate deletion of
the host record, it'll have to be changed instead, or ecs1 will need to be
removed from the delegation(s) for the other domain(s) first. (Finding
out which domains those are should be possible by examining the query
logs on ecs1, assuming it's still running a nameserver, and that the
nameserver has query logging capability).


- Kevin

Jim Reid wrote:

>     >> Are there any good tools out there that will tell me where a
>     >> record is coming from and what path it is following to get that
>     >> record?
>
> Yes, dig.
>
>     >> problem I am having is if I do a standard lookup for
>     >> ecs1.altamente.com I am supposed to get back 209.12.244.241,
>     >> but a lot of times I get 209.12.224.11 which is its really old
>     >> IP address.
>
> Let's see:
>         % dig ecs1.altamente.com any
>         ... dig output snipped....
>         ;; AUTHORITY SECTION
>         ALTAMENTE.COM.          2D IN NS        NS1.ESPIRE.NET.
>         ALTAMENTE.COM.          2D IN NS        NS2.ESPIRE.NET.
>         ALTAMENTE.COM.          2D IN NS        NS1.OLSS.NET.
>
> This means there are three name servers for the altamente.com zone, so
> let's ask them and see what they have to say for themselves:
>
>         % dig @ns1.espire.net ecs1.altamente.com any
>         ... dig output snipped ...
>         ;; ANSWER SECTION:
>         ecs1.altamente.com.     1D IN A         209.12.244.241
>
>         % dig @ns2.espire.net ecs1.altamente.com any
>         ... dig output snipped ...
>         ;; ANSWER SECTION:
>         ecs1.altamente.com.     1D IN A         209.12.244.241
>
>         % dig @ns1.olss.net ecs1.altamente.com any
>         ... dig output snipped ...
>         ;; ANSWER SECTION:
>         ecs1.altamente.com.     1D IN A         209.12.244.241
>
> So all three name servers are telling the truth. If you get dig to ask
> for altamente.com's SOA record, they all return the same answer. This
> means the problem is not with the zone data or name servers for
> altamente.com. Those three servers seem consistent with each other,
> which is how things should be. That means the problem is elsewhere.
>
> When my name server looked up ecs1.altamente.com, it got the wrong
> answer: an A record pointing at 209.12.224.11. It must have got that
> name in the answer that was returned when it asked one of the .com
> name servers for ecs1.altamente.com. [This was confirmed by checking
> my name server's cache dump, but that's a story for another time.] The
> answer to my server's query returned the expected NS records for the
> altamente.com name servers, but the answer also included this bogus A
> record. So this means that some zone somewhere in the .com zone has or
> had a glue record for ecs1.altamente.com which points at that old
> address. This too is confirmed with dig:
>
>         % dig @a.root-servers.net ecs1.altamente.com any
>         ... dig output snipped ...
>         ;; ANSWER SECTION:
>         ecs1.altamente.com.     2D IN A         209.12.224.11
>
> (FYI, a.root-servers.net is one of the .com name servers.) Better
> contact Network Solutions and find out where that glue record came
> from and get it fixed. The 2 day TTL in that answer is another
> giveaway: this is the standard TTL for resource records in the .com
> zone. It's also not the same as the 1 day TTL you gave for that A
> record in your altamente.com zone file, which is the ultimate
> authority for that domain. But because other name servers will consult
> .com name servers when looking up ecs1.altamente.com, they'll get the
> false answer - the old glue record - in the .com zone. They won't
> bother asking one of the three altamente.com name servers for this
> name because the .com name servers gave them the answer - albeit with
> wrong data! - for the query that they made. Somewhere in the .com zone
> file, there's a line:
>         ecs1.altamente.com. IN A 209.12.224.11
> this has to be removed or corrected somehow. Removing it is better
> since this glue probably isn't needed any more and because it has the
> wrong IP address.
>
> If you go to http://www.networksolutions.com/cgi-bin/whois/whois
> and search for host ecs1.altamente.com, here's what you find:
>
> [No name] (ECS6-HST)
>
>                 Hostname: ECS1.ALTAMENTE.COM
>                 Address: 209.12.224.11
>                 System: ? running ?
>
>                 Coordinator:
>                    O'Malley, James  (JO4364)  jomalley at COMPUSERVE.COM
>                    OG Consulting
>                    Urb. Santa Clara
>                    W-1 Anamu
>                    Guaynabo, PR 00969
>                    787-731-4332 (FAX) 787-731-4332
>
>                 Record last updated on 09-Dec-1999.
>                 Database last updated on 11-Jul-2000 00:32:06 EDT.
>
> I guess that James O'Malley supplied this hostname and address when
> the altamente.com zone was initially registered. [He's down in the
> whois database as the contact for this zone.] Once the name servers
> were up and running for altamente.com, new glue was added but the old
> glue wasn't removed. Or maybe this old A record was supplied by him as
> glue for some other .{com,net,org} domain.
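As an added example (not code from the thread), a small POSIX shell script that automates the check Jim walked through: ask every authoritative server for the zone about the name, then one parent-zone server without recursion, and flag any answer that disagrees with the first authoritative server. It assumes dig is installed; zone and host names are whatever you pass in. Modern TLD servers hand glue back in the ADDITIONAL rather than the ANSWER section, so the parser scans both.

```shell
#!/bin/sh
# Added example, not from the thread: automate the per-server dig checks and
# the parent-zone glue comparison. Assumes dig is installed.

# Print, comma-joined and sorted, the addresses that the dig output in "$2"
# gives for the name "$1". ANSWER and ADDITIONAL sections are both scanned,
# so glue handed back by a parent-zone server is caught as well.
addrs_for() {
    printf '%s\n' "$2" \
        | awk -v n="$1." '$1 == n && $3 == "IN" && $4 == "A" { print $5 }' \
        | sort -u | paste -s -d, -
}

# Read lines of "label<TAB>addresses"; the first line is the reference.
# Report every later line whose addresses differ; exit 1 if any did.
report_mismatch() {
    awk -F '\t' '
        NR == 1   { ref = $2; next }
        $2 != ref { printf "MISMATCH %s: %s (authoritative: %s)\n", $1, $2, ref; n++ }
        END       { exit (n > 0) }'
}

# Query every authoritative server for ZONE about NAME, then one server of the
# parent zone without recursion (so its glue, not a cached answer, comes back),
# and compare everything against the first authoritative server.
trace_glue() {
    zone=$1; name=$2; parent=${zone#*.}
    {
        for ns in $(dig +short NS "$zone."); do
            printf '%s\t%s\n' "$ns" "$(addrs_for "$name" "$(dig @"$ns" "$name." A)")"
        done
        pns=$(dig +short NS "$parent." | head -n 1)
        printf 'parent %s\t%s\n' "$pns" \
            "$(addrs_for "$name" "$(dig +norecurse @"$pns" "$name." A)")"
    } | report_mismatch
}

# Usage: trace_glue altamente.com ecs1.altamente.com
```

A MISMATCH line naming the parent server means the parent zone still carries glue that the zone's own servers no longer agree with, which is exactly the stale-glue case from this thread.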
