Not able to resolve external names

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 6 02:05:46 UTC 2001


Cache poisoning isn't always malicious. Sometimes it's caused by plain old
ignorance and/or laziness. A DNS admin decides to shove all of their
information into a "com" zone, rather than having separate zones for a bunch
of different domains. That makes things easy for the admin, but it means that
his/her nameserver now claims to be authoritative for "com". Other
nameservers may believe these claims and start querying that nameserver for
*all* "com" names. If this misconfigured nameserver happens to be one which
you talk to frequently, then your cache may get poisoned within a few minutes
of starting your nameserver. As Mark said, if this is cache poisoning, you
may need to track the source of the poison. Do some recursive queries,
preferably using "dig" instead of "nslookup", and look at what is contained
in the "Authority" section. If your cache is poisoned, you should see the
evidence there. Once identified, you should a) in the short term, use the
"bogusns" directive to protect yourself from this poison, b) in the medium
term, upgrade to BIND 8 or BIND 9, which is more immune to poison, and c) for
the long term, notify the administrator of the nameserver and get them to fix
it.


- Kevin

John Ross wrote:

> What exactly do you mean by cache poisoning?  I am assuming that you are
> suggesting that the cache could be bad, but have already shutdown, cleared
> out the secondary zones (for kicks), and restarted.  So far the only thing
> that has worked is setting up a forwarders line to servers outside of this
> site.  Or are you suggesting something else that I am not thinking of?
>
> John
>
> --
> John Ross
> Systems Management Integration Professional - Adv
> Data Management Solutions
> IBM, Inc.
> 16011 College Blvd.
> Lenexa, KS  66219
> Tel:  (913) 599-8611        Fax:  (913) 599-8565
>
>  <http://www.ksu.edu>
>
> > -----Original Message-----
> > From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
> > Sent: Monday, November 05, 2001 5:34 PM
> > To: John Ross
> > Cc: 'bind-users at isc.org'
> > Subject: Re: Not able to resolve external names
> >
> >
> >
> > > I am having a problem with BIND 4.9x.  Just recently it has decided to not
> > > resolve external names (ie www.yaho.com, etc.).  Internal names resolve
> > > correctly, but external names just time out, or resolve minutes later.  I
> > > have checked my connectivity to the root servers and I can both ping by
> > > address, and traceroute via port 53, so it appears that I can reach them.
> > > I recently pulled a copy of the current root servers, so that should be
> > > correct.  I am pulling my hair out over this one, because unless I am
> > > missing something, everything looks fine.
> > >
> > > If any could lend a hand on this one, I would greatly appreciate it.
> > > --
> > > John Ross
> > > Systems Management Integration Professional - Adv
> > > Data Management Solutions
> > > IBM, Inc.
> > > 16011 College Blvd.
> > > Lenexa, KS  66219
> > > Tel:  (913) 599-8611        Fax:  (913) 599-8565
> > >
> > >  <http://www.ksu.edu/>
> >
> >       It could be cache poisoning.  Make some non-recursive queries
> >       and see if the referral information looks correct.
> >
> >       Mark
> > --
> > Mark Andrews, Internet Software Consortium
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> >

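A worked version of the check Kevin describes above, added here as an example and not code from the thread or from ISC: it parses saved `dig` output, pulls the Authority section, flags NS records that claim a TLD (or the root) but name servers that are not the known delegation for that zone, then prints the directive that blocks the offending addresses. The dig transcript and the `EXPECTED_NS` table are constructed for illustration; the directive syntaxes are BIND 4.9 named.boot `bogusns` and BIND 8/9 named.conf `server { bogus yes; }` as I recall them, so check them against your own version's documentation.

```python
"""Spot a poisoned "com." (or root) delegation in saved dig output.

Added example, not code from the bind-users thread.  SAMPLE_DIG and
EXPECTED_NS are constructed; the directive syntaxes are BIND 4.9 named.boot
("bogusns") and BIND 8/9 named.conf ("server { bogus yes; }") as I recall them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


# Constructed sample of what `dig @10.0.0.53 www.example.com +norecurse`
# could print once the cache has learned a bogus "com." delegation.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.example.com.\t\tIN\tA

;; AUTHORITY SECTION:
com.\t\t86400\tIN\tNS\tns1.lazy-admin.example.
com.\t\t86400\tIN\tNS\tns2.lazy-admin.example.

;; ADDITIONAL SECTION:
ns1.lazy-admin.example.\t86400\tIN\tA\t192.0.2.10
ns2.lazy-admin.example.\t86400\tIN\tA\t192.0.2.11

;; SERVER: 10.0.0.53#53(10.0.0.53)
"""

# Hypothetical "known good" servers per zone.  Fill this from your root hints
# or from a query sent directly to a root server, never from the suspect cache.
EXPECTED_NS = {"com.": {"a.gtld-servers.net.", "b.gtld-servers.net."}}

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Split dig output into {section: [RR, ...]}; comment and question lines are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or not line.strip() or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        sections[current].append(RR(fields[0], int(fields[1]), fields[2], fields[3], " ".join(fields[4:])))
    return sections


def find_bogus_authority(sections, expected_ns):
    """NS records in AUTHORITY whose owner is a TLD or the root but whose target is not a known server for it."""
    bogus = []
    for rr in sections.get("AUTHORITY", []):
        if rr.rtype != "NS":
            continue
        labels = [label for label in rr.name.split(".") if label]
        if len(labels) > 1:
            continue  # a delegation below the TLD is ordinary referral data
        known = {n.lower() for n in expected_ns.get(rr.name.lower(), set())}
        if rr.rdata.lower() not in known:
            bogus.append(rr)
    return bogus


def ns_addresses(sections, bogus):
    """Glue addresses from ADDITIONAL for the bogus NS targets, in order of appearance."""
    targets = {rr.rdata.lower() for rr in bogus}
    ips = []
    for rr in sections.get("ADDITIONAL", []):
        if rr.rtype == "A" and rr.name.lower() in targets and rr.rdata not in ips:
            ips.append(rr.rdata)
    return ips


def block_directives(ips):
    """Return (BIND 4 named.boot line, BIND 8/9 named.conf stanzas) that stop the cache trusting those servers."""
    named_boot = "bogusns " + " ".join(ips)
    named_conf = "\n".join(f"server {ip} {{ bogus yes; }};" for ip in ips)
    return named_boot, named_conf


if __name__ == "__main__":
    secs = parse_dig(SAMPLE_DIG)
    bad = find_bogus_authority(secs, EXPECTED_NS)
    for rr in bad:
        print(f"suspect: {rr.name} NS {rr.rdata}")
    boot, conf = block_directives(ns_addresses(secs, bad))
    print(boot)
    print(conf)
```

To use it against a live cache, save `dig @your-cache some.external.name +norecurse` to a file and pass its contents to `parse_dig`. The comparison table must come from the root hints or from a query sent straight to a root server: asking the possibly poisoned cache which servers are authoritative for "com" only tells you what the poison says.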