nslookup'd bogus hostnames keep adding to cache

Kevin Darcy kcd at daimlerchrysler.com
Fri Sep 15 18:51:56 UTC 2000


Blame nslookup, not the negative caching mechanism. I don't even remember
what it means for nslookup to output just the "Name:" line and nothing
else. I use "dig" whenever possible. It shows you a representation of the
actual packet contents by default (similar to the "debug" option in
nslookup, but more succinct).


- Kevin

sassoj1 at my-deja.com wrote:

> Thanks for the insightful response.  If this is the case (i.e. negative
> caching occurring), then when I run 'nslookup foobar.' on our primary
> nameserver, I get:
>
>           # nslookup foobar.
>           Name Server:  name1.aztec.com
>           Address:  3.88.98.211
>
>           Name:    foobar
>
> On a client, doing an 'nslookup foobar' yields:
>
>           # nslookup foobar
>           Server:  corpns.eng.aztec.com
>           Address:  3.12.51.90
>
>           Name:    foobar
>
> I would expect the normal response to be a "non-existent domain" message
> (or something like that) for each case, not a null response as shown.  I
> find it odd.
>
> --john
>
> In article <39C17480.1D44A532 at daimlerchrysler.com>,
>   Kevin Darcy <kcd at daimlerchrysler.com> wrote:
> >
> > Semicolons indicate comments in master file syntax, so those records don't
> > _really_ exist as normal resource records in your nameserver's database.
> > Your nameserver is giving correct responses for those names, isn't it? The
> > only reason those records are presented as comments in the dump is because
> > "negative cache entries" exist for them -- that's what the "-$" in the
> > comment means (negative cash/cache, geddit?). See RFC 2308 for more details
> > on the rationale, history, theory and mechanics of negative caching.
> >
> > Normally, you wouldn't want to get rid of those negative cache entries
> > because, like regular cache entries, they make DNS operate more
> > efficiently. If you're bound and determined to "cleanse" your nameserver of
> > them, however, at the expense of some efficiency and performance, you could
> > use the "max-ncache-ttl" option to expire them more quickly. In conjunction
> > with that, you might also need to tune the "cleaning-interval" to get the
> > expired entries removed more often.
> >
> > - Kevin
> >
> > sassoj1 at my-deja.com wrote:
> >
> > > We have an HPUX 10.20 system as a nameserver (BIND 8.2.2).  I notice
> > > that whenever I run 'nslookup foobar.' (or any other bogus hostname,
> > > with the '.' at the end), then although I do not get a response (and no
> > > error, either), the bogus hostname seems to get incorporated into the
> > > cache.  If I do an 'ndc dumpdb', I see the following:
> > >
> > > $ORIGIN .
> > > ;foobar 9046    IN      A       name1.aztec.com. hostmaster.aztec.com. (
> > > ;               108 7200 900 604800 21600 );.;NODATA    ;-$     ;Cr=auth
> > > ;xgshgsdhh      10795   IN      A       name1.aztec.com. hostmaster.aztec.com. (
> > > ;               108 7200 900 604800 21600 );.;NODATA    ;-$     ;Cr=auth
> > > ;bogusboy       10770   IN      A       name1.aztec.com. hostmaster.aztec.com. (
> > > ;               108 7200 900 604800 21600 );.;NODATA    ;-$     ;Cr=auth
> > >
> > > What's going on here, and how can I prevent this?
> > >
> > > --john
> > >
> > > Sent via Deja.com http://www.deja.com/
> > > Before you buy.
> >
> >
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
