Unexpected queries
Neil W Rickert
rickert+nn at cs.niu.edu
Mon Dec 5 18:55:47 UTC 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Currently running bind-9.3.1
When examining logs of DNS queries, I notice
Dec 4 07:30:43 mp named[212]: client 99.99.99.99#33040: query: huskiesden.niu.edu IN A -E
Dec 4 07:30:43 mp named[212]: client 99.99.99.99#33040: query (cache) 'huskies-den.com/A/IN' denied
The above query IP address was munged to protect the innocent.
For the record, the server where this was logged is authoritative for
"niu.edu", but not for "com".
Off campus queries are restricted to the zones for which we are
authoritative, and hence the "denied" for the second of those
lookups.
The result of looking up huskiesden.niu.edu from off-campus is
huskiesden.niu.edu. 86400 IN CNAME huskies-den.com.
when made from on-campus, the result is
huskiesden.niu.edu. 86400 IN CNAME huskies-den.com.
huskies-den.com. 1800 IN A 207.227.157.52
Checking for this in yesterday's logs, every lookup of
huskiesden.niu.edu was followed by a lookup for huskies-den.com.
The total number of lookups is modest, but enough that it is likely
that at least some of the lookups were from other bind servers. Most
did not respond to a version.bind lookup. Among those that
responded, I saw 8.4.6-REL, 9.3.1, 9.2.1, 9.2.3
It seems to me that something is awry here. If my server is supposed
to provide the info on huskies-den.com along with the CNAME response,
then it should do so based on the acl for huskiesden.niu.edu. As
long as it fails to provide that record in its initial response, the
off-campus DNS servers should not be looking up a "COM." record at
our DNS server.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (SunOS)
iD8DBQFDlI0svmGe70vHPUMRAnwAAKCoaW6wYpphA92IRC8jrzAwyKktawCePMk7
+ot9MSlZOaA7ZN6f7VcUDrc=
=PUyd
-----END PGP SIGNATURE-----
More information about the bind-users
mailing list