Not able to resolve external names

John Ross john.ross at informix.com
Tue Nov 6 17:57:25 UTC 2001


Could you give me a couple of examples to try?  What am I looking for?



-- 
John Ross 
Systems Management Integration Professional - Adv
Data Management Solutions 
IBM, Inc. 
16011 College Blvd. 
Lenexa, KS  66219 
Tel:  (913) 599-8611        Fax:  (913) 599-8565 

 <http://www.ksu.edu>  



> -----Original Message-----
> From: Kevin Darcy [mailto:kcd at daimlerchrysler.com]
> Sent: Monday, November 05, 2001 8:06 PM
> To: 'bind-users at isc.org'
> Subject: Re: Not able to resolve external names
> 
> 
> 
> Cache poisoning isn't always malicious. Sometimes it's caused by plain old
> ignorance and/or laziness. A DNS admin decides to shove all of their
> information into a "com" zone, rather than having separate zones for a bunch
> of different domains. That makes things easy for the admin, but it means that
> his/her nameserver now claims to be authoritative for "com". Other
> nameservers may believe these claims and start querying that nameserver for
> *all* "com" names. If this misconfigured nameserver happens to be one which
> you talk to frequently, then your cache may get poisoned within a few minutes
> of starting your nameserver. As Mark said, if this is cache poisoning, you
> may need to track the source of the poison. Do some recursive queries,
> preferably using "dig" instead of "nslookup", and look at what is contained
> in the "Authority" section. If your cache is poisoned, you should see the
> evidence there. Once identified, you should a) in the short term, use the
> "bogusns" directive to protect yourself from this poison, b) in the medium
> term, upgrade to BIND 8 or BIND 9, which is more immune to poison, and c) for
> the long term, notify the administrator of the nameserver and get them to fix
> it.
> 
> 
> - Kevin
> 
> John Ross wrote:
> 
> > What exactly do you mean by cache poisoning?  I am assuming that you are
> > suggesting that the cache could be bad, but have already shut down, cleared
> > out the secondary zones (for kicks), and restarted.  So far the only thing
> > that has worked is setting up a forwarders line to servers outside of this
> > site.  Or are you suggesting something else that I am not thinking of?
> >
> > John
> >
> > --
> > John Ross
> > Systems Management Integration Professional - Adv
> > Data Management Solutions
> > IBM, Inc.
> > 16011 College Blvd.
> > Lenexa, KS  66219
> > Tel:  (913) 599-8611        Fax:  (913) 599-8565
> >
> >  <http://www.ksu.edu>
> >
> > > -----Original Message-----
> > > From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
> > > Sent: Monday, November 05, 2001 5:34 PM
> > > To: John Ross
> > > Cc: 'bind-users at isc.org'
> > > Subject: Re: Not able to resolve external names
> > >
> > >
> > >
> > > > I am having a problem with BIND 4.9x.  Just recently it has decided to not
> > > > resolve external names (ie www.yaho.com <http://www.yaho.com> , etc.).
> > > > Internal names resolve correctly, but external names just time out, or
> > > > resolve minutes later.  I have checked my connectivity to the root servers
> > > > and I can both ping by address, and traceroute via port 53, so it appears
> > > > that I can reach them.   I recently pulled a copy of the current root
> > > > servers, so that should be correct.  I am pulling my hair out over this one,
> > > > because unless I am missing something, everything looks fine.
> > > >
> > > > If anyone could lend a hand on this one, I would greatly appreciate it.
> > > > --
> > > > John Ross
> > > > Systems Management Integration Professional - Adv
> > > > Data Management Solutions
> > > > IBM, Inc.
> > > > 16011 College Blvd.
> > > > Lenexa, KS  66219
> > > > Tel:  (913) 599-8611        Fax:  (913) 599-8565
> > > >
> > > >  <http://www.ksu.edu/>
> > >
> > >       It could be cache poisoning.  Make some non-recursive queries
> > >       and see if the referral information looks correct.
> > >
> > >       Mark
> > > --
> > > Mark Andrews, Internet Software Consortium
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> > >
> 
> 
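
What to look for in the "Authority" section, as an added example that is not part of the original thread: this Python script parses saved dig output and flags NS records that claim a top-level zone such as "com" from servers outside the expected set. The two dig outputs, the server names in them and the EXPECTED_TLD_NS table are constructed assumptions.

```python
# Added example, not from the thread. Both dig outputs below are constructed.
# Assumption: NS records for these TLD zones should end with this suffix.
EXPECTED_TLD_NS = {"com.": ".gtld-servers.net.", "net.": ".gtld-servers.net."}

SAMPLE_POISONED = """\
;; QUESTION SECTION:
;www.example.com.            IN      A

;; AUTHORITY SECTION:
com.                 86400   IN      NS      ns1.badly-run.example.
com.                 86400   IN      NS      ns2.badly-run.example.

;; ADDITIONAL SECTION:
ns1.badly-run.example. 86400 IN      A       192.0.2.53
"""

SAMPLE_CLEAN = """\
;; AUTHORITY SECTION:
com.                 172800  IN      NS      a.gtld-servers.net.
com.                 172800  IN      NS      b.gtld-servers.net.
"""


def authority_ns(dig_text):
    """Return (zone, nameserver) pairs from the AUTHORITY SECTION of dig output."""
    pairs, in_auth = [], False
    for line in dig_text.splitlines():
        if line.startswith(";;"):  # section header or dig comment
            in_auth = line.startswith(";; AUTHORITY SECTION")
            continue
        fields = line.split()  # name, TTL, class, type, rdata
        if in_auth and len(fields) >= 5 and fields[3].upper() == "NS":
            pairs.append((fields[0].lower(), fields[4].lower()))
    return pairs


def suspicious_delegations(dig_text, expected=EXPECTED_TLD_NS):
    """Return NS records that claim a TLD zone from an unexpected server."""
    hits = []
    for zone, ns in authority_ns(dig_text):
        suffix = expected.get(zone)
        if suffix is not None and not ns.endswith(suffix):
            hits.append((zone, ns))
    return hits


if __name__ == "__main__":
    for zone, ns in suspicious_delegations(SAMPLE_POISONED):
        print(f"suspect: {ns} claims authority for {zone}")
```

The address of a flagged server (192.0.2.53 in the constructed sample) is the kind of value that would go on the "bogusns" line Kevin mentions.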

