TSX-32 & BIND Anyone??

Brad Knowles brad.knowles at skynet.be
Mon Jul 9 07:53:26 UTC 2001


At 9:17 PM -0400 7/8/01, Membership Services wrote:

>  WE use a program, called "DNS Expert" to analyze
>  our DNS records. We have consistently had the following
>  errors reported by the aforementioned program:
>
>  "Site can possibly be used as a mail relay"
>
>  "No TXT file exists that warns those accessing
>   your e-mail server that you prohibit use of your
>   e-mail server(s) by unauthorized persons."

	These two have nothing to do with BIND, or the DNS.  They are 
issues with your mail server.  According to the relay testing page at 
<http://www.abuse.net/relay.html>, your mail server is an open relay:

		Mail relay testing

		Connecting to NS1.QUANCON.COM for anonymous test ...

		<<< 220 QUANCON.COM TSX SMTP J3368662 is ready
		>>> HELO www.abuse.net
		<<< 250-QUANCON.COM
		<<< 250 Hello test

		Relay test 1

		>>> RSET
		<<< 250 OK
		>>> MAIL FROM:<spamtest at abuse.net>
		<<< 250 OK
		>>> RCPT TO:<relaytest at abuse.net>
		<<< 250 OK

		Relay test result

		Hmmn, at first glance, host appeared to accept a message for
		relay.

		THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.

		Some systems appear to accept relay mail, but then reject
		messages internally rather than delivering them, but you cannot
		tell at this point whether the message will be relayed or not.

		You cannot tell if it is really an open relay without sending a
		test message; this anonymous user test DID NOT send a test
		message.


	I suggest that you read the web pages at 
<http://www.mail-abuse.org/tsi/> and <http://www.orbl.org/> for more 
information.  However, I fear that they won't be of much use to you, 
as they almost certainly don't cover anything related to the TSX 
operating system.  Unfortunately, doing a Google search for "TSX open 
relay" doesn't seem to turn up anything useful.

>  "You have no "zone transfer" restrictions setup."

	Assuming that you do actually have some version of BIND 4 ported 
to your OS, you would need to make use of the "xfrnets" directive, as 
Cricket pointed out.


	That said, when I look at your domain with standard DNS debugging 
tools, I do find some problems that I believe you need to have 
corrected.  First, the latest version of doc:

% doc -d quancon.com
Doc-2.2.2: doc -d quancon.com
Doc-2.2.2: Starting test of quancon.com.   parent is com.
Doc-2.2.2: Test date - Mon Jul  9 03:25:24 EDT 2001
DEBUG: digging @a.gtld-servers.net. for soa of com.
soa @a.gtld-servers.net. for com. has serial: 2001070801
DEBUG: digging @b.gtld-servers.net. for soa of com.
soa @b.gtld-servers.net. for com. has serial: 2001070801
DEBUG: digging @c.gtld-servers.net. for soa of com.
soa @c.gtld-servers.net. for com. has serial: 2001070801
DEBUG: digging @d.gtld-servers.net. for soa of com.
soa @d.gtld-servers.net. for com. has serial: 2001070801
DEBUG: digging @e.gtld-servers.net. for soa of com.
soa @e.gtld-servers.net. for com. has serial: 2001070800
DEBUG: digging @f.gtld-servers.net. for soa of com.
soa @f.gtld-servers.net. for com. has serial: 2001070800
DEBUG: digging @g.gtld-servers.net. for soa of com.
soa @g.gtld-servers.net. for com. has serial: 2001070800
DEBUG: digging @h.gtld-servers.net. for soa of com.
soa @h.gtld-servers.net. for com. has serial: 2001070801
DEBUG: digging @i.gtld-servers.net. for soa of com.
soa @i.gtld-servers.net. for com. has serial: 2001070800
DEBUG: digging @j.gtld-servers.net. for soa of com.
soa @j.gtld-servers.net. for com. has serial: 2001070801
DEBUG: digging @k.gtld-servers.net. for soa of com.
soa @k.gtld-servers.net. for com. has serial: 2001070801
DEBUG: digging @l.gtld-servers.net. for soa of com.
soa @l.gtld-servers.net. for com. has serial: 2001070800
DEBUG: digging @m.gtld-servers.net. for soa of com.
soa @m.gtld-servers.net. for com. has serial: 2001070800
WARNING: Found 2 unique SOA serial #'s for com.
Found 3 NS and 3 glue records for quancon.com. @a.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @b.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @c.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @d.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @e.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @f.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @g.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @h.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @i.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @j.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @k.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @l.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for quancon.com. @m.gtld-servers.net. (non-AUTH)
DNServers for com.
    === 0 were also authoritatve for quancon.com.
    === 13 were non-authoritative for quancon.com.
Servers for com. (not also authoritative for quancon.com.)
    === agree on NS records for quancon.com.
NS list summary for quancon.com. from parent (com.) servers
   == ns1.quancon.com. ns2.coastalweb.com. ns3.webnites.com.
digging @ns1.quancon.com. for soa of quancon.com.
soa @ns1.quancon.com. for quancon.com. serial: 2001070801
digging @ns2.coastalweb.com. for soa of quancon.com.
soa @ns2.coastalweb.com. for quancon.com. serial: 2001070801
ERROR: non-authoritative SOA for quancon.com. from ns2.coastalweb.com.
digging @ns3.webnites.com. for soa of quancon.com.
soa @ns3.webnites.com. for quancon.com. serial:
ERROR: no SOA record for quancon.com. from ns3.webnites.com.
NS list from quancon.com. authoritative servers matches list from
   ===  parent (com.) servers not authoritative for quancon.com.
Checking 1 potential addresses for hosts at quancon.com.
   == 216.199.85.2
in-addr PTR record found for 216.199.85.2
Summary:
    ERRORS found for quancon.com. (count: 2)
    WARNINGS issued for quancon.com. (count: 1)
Done testing quancon.com.  Mon Jul  9 03:25:30 EDT 2001

	Now, let's see what dnswalk has to say:

% dnswalk -alF quancon.com.
Checking quancon.com.
SOA=NS1.QUANCON.COM     contact=ADMIN.NS1.QUANCON.COM
BAD: quancon.com NS NS2.COASTALWEB.COM: lame NS delegation
BAD: quancon.com NS NS3.WEBNITES.COM: lame NS delegation

	Finally, here's what my copy of DNS Expert Professional has to 
say about your zone:

                               DNS Expert
                    Detailed Report for quancon.com.
         7/9/01, 9:52 AM, using the analysis setting "Minimal"
======================================================================

Information
----------------------------------------------------------------------
Serial number:           2001070801
Primary name server:     ns1.quancon.com.
Primary mail server:     ns1.quancon.com.
Number of records:       74 (5 NS, 3 MX, 63 A, 3 CNAME, 0 PTR, 0
                          Other)


Errors
----------------------------------------------------------------------
o Non-authoritative data received from the server
   "ns2.coastalweb.com."
     The server "ns2.coastalweb.com." is listed as being authoritative
     for the domain, but it does not contain authoritative data for it.

o Non-authoritative data received from the server "ns3.webnites.com."
     The server "ns3.webnites.com." is listed as being authoritative
     for the domain, but it does not contain authoritative data for it.

o The secondary mail server "ns2.coastalweb.com." does not respond
     The mail server "ns2.coastalweb.com.", which is a secondary mail
     server for "quancon.com.", does not seem to be working.


Warnings
----------------------------------------------------------------------
No warnings

----------------------------------------------------------------------
end of report


	Clearly, you have a pair of lame delegations for your backup 
nameservers.  You should also check your backup MXes to see if they 
are open relays (like your main mail server appears to be), and you 
should also check to make sure that they are otherwise working 
correctly.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
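The relay test quoted from abuse.net above, as an added example that is not part of the original post and not abuse.net's code: it sends the same HELO / RSET / MAIL FROM / RCPT TO sequence and, like the anonymous test, stops before DATA, so a 250 to RCPT only means the server *appears* willing to relay. Two constructed in-process SMTP responders stand in for a real server (one answers 250 to every RCPT, as the quoted TSX transcript does; one refuses off-domain recipients), so it runs offline over a socketpair rather than against anyone's mail server. The host name `mail.example.test` and the local domain `example.test` are assumptions.

```python
"""RCPT-only open-relay probe, in the style of the abuse.net anonymous test.

Added example, not from the original post or from abuse.net.  Nothing here
ever sends DATA, so the probe cannot inject a message; it can only report
whether the peer *appears* to accept relay mail.
"""
import socket
import threading

PROBE_SENDER = "spamtest@abuse.net"   # the sender used in the quoted transcript
PROBE_RCPT = "relaytest@abuse.net"    # neither address is local to the target
HELO_NAME = "www.abuse.net"


def _send_line(sock, line):
    sock.sendall(line.encode("ascii") + b"\r\n")


def _read_reply(rfile):
    """Read one SMTP reply, multi-line ("250-...") included; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # "250-" continues, "250 " ends
            return int(line[:3]), lines


def relay_probe(sock, sender=PROBE_SENDER, rcpt=PROBE_RCPT, helo=HELO_NAME):
    """Run the relay test over a connected socket.

    Returns {'verdict': ..., 'transcript': [...]} with the dialogue in the
    <<< / >>> notation abuse.net uses.  'rcpt-accepted' for an off-domain
    recipient is what the quoted test calls "appeared to accept a message for
    relay"; only a full test that sends DATA could confirm it.
    """
    rfile = sock.makefile("rb")
    transcript = []

    def ask(cmd):
        transcript.append(">>> " + cmd)
        _send_line(sock, cmd)
        code, lines = _read_reply(rfile)
        transcript.extend("<<< " + l for l in lines)
        return code

    code, lines = _read_reply(rfile)                  # 220 banner
    transcript.extend("<<< " + l for l in lines)
    verdict = "error"
    if (code == 220 and ask("HELO " + helo) == 250 and ask("RSET") == 250
            and ask("MAIL FROM:<%s>" % sender) == 250):
        rcpt_code = ask("RCPT TO:<%s>" % rcpt)
        if rcpt_code == 250:
            verdict = "rcpt-accepted"
        elif 400 <= rcpt_code < 600:
            verdict = "rcpt-rejected"
    ask("RSET")          # abandon the envelope: no DATA is ever sent
    ask("QUIT")
    rfile.close()
    return {"verdict": verdict, "transcript": transcript}


def fake_smtp_server(conn, local_domains, open_relay=False):
    """Constructed SMTP responder standing in for a real MTA (not TSX-32).

    open_relay=True mimics the quoted transcript: 250 to every RCPT.
    Otherwise an unauthenticated peer may only address local_domains, the
    minimum a non-relaying MTA enforces.
    """
    rfile = conn.makefile("rb")
    _send_line(conn, "220 mail.example.test SMTP ready")       # assumed name
    while True:
        raw = rfile.readline()
        if not raw:
            break
        cmd = raw.decode("ascii", "replace").strip()
        verb = cmd.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "HELO":
            _send_line(conn, "250-mail.example.test")
            _send_line(conn, "250 Hello")
        elif verb in ("RSET", "MAIL"):
            _send_line(conn, "250 OK")
        elif verb == "RCPT":
            addr = cmd.split(":", 1)[1].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if open_relay or domain in local_domains:
                _send_line(conn, "250 OK")
            else:
                _send_line(conn, "550 5.7.1 Relaying denied")
        elif verb == "QUIT":
            _send_line(conn, "221 Bye")
            break
        else:
            _send_line(conn, "502 Command not implemented")
    rfile.close()
    conn.close()


def probe_responder(open_relay, rcpt=PROBE_RCPT):
    """Probe an in-process responder over a socketpair (no network needed)."""
    client_end, server_end = socket.socketpair()
    t = threading.Thread(target=fake_smtp_server,
                         args=(server_end, {"example.test"}, open_relay))
    t.start()
    try:
        return relay_probe(client_end, rcpt=rcpt)
    finally:
        client_end.close()
        t.join()


if __name__ == "__main__":
    for label, open_relay in (("TSX-like open relay", True), ("hardened MTA", False)):
        result = probe_responder(open_relay)
        print("%s: %s" % (label, result["verdict"]))
        print("\n".join("  " + l for l in result["transcript"]))
```

To run it against a real host, replace the socketpair in `probe_responder` with `socket.create_connection((host, 25))`; the caveat quoted above still applies, and the probe is only appropriate against servers you are responsible for, including each backup MX.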


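The zone-transfer restriction mentioned above, as an added configuration example that is not from the original post: the BIND 4 `xfrnets` directive in named.boot (the one Cricket pointed out), and its BIND 8/9 `allow-transfer` equivalent in named.conf. The addresses are RFC 5737 documentation placeholders standing in for the real secondaries; the actual addresses of ns2.coastalweb.com and ns3.webnites.com belong there.

```conf
; BIND 4 named.boot: only these networks may AXFR any zone this server
; carries (address&netmask pairs; addresses are placeholders, see above)
xfrnets 192.0.2.0&255.255.255.0 198.51.100.7&255.255.255.255

// BIND 8/9 named.conf: the same restriction, per zone.  Putting
// allow-transfer in options { } applies it to every zone instead.
zone "quancon.com" {
    type master;
    file "db.quancon.com";
    allow-transfer { 192.0.2.0/24; 198.51.100.7; };
};
```

Verify from a host that is not on the list with `dig @ns1.quancon.com quancon.com axfr`: a restricted server answers "Transfer failed." instead of dumping the zone. Note that this only closes the transfer; the two lame secondaries still need to be fixed separately, since a secondary that is refused transfers but listed in the NS set would be lame as well.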