Unexpected queries

Mark Andrews Mark_Andrews at isc.org
Mon Dec 5 22:25:34 UTC 2005 

> Mark Andrews wrote:
> 
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>Hash: SHA1
> >>
> >>Currently running bind-9.3.1
> >>
> >>When examining logs of DNS queries, I notice
> >>
> >>Dec  4 07:30:43 mp named[212]: client 99.99.99.99#33040: query: huskiesden.
> ni
> >>u.edu IN A -E
> >>Dec  4 07:30:43 mp named[212]: client 99.99.99.99#33040: query (cache) 'hus
> ki
> >>es-den.com/A/IN' denied
> >>
> >>The above query IP address was munged to protect the innocent.
> >>
> >>For the record, the server where this was logged is authoritative for
> >>"niu.edu", but not for "com".
> >>
> >>Off campus queries are restricted to the zones for which we are
> >>authoritative, and hence the "denied" for the second of those
> >>lookups.
> >>
> >>The result of looking up huskiesden.niu.edu from off-campus is
> >>
> >>huskiesden.niu.edu.     86400   IN      CNAME   huskies-den.com.
> >>
> >>when made from on-campus, the result is
> >>
> >>huskiesden.niu.edu.     86400   IN      CNAME   huskies-den.com.
> >>huskies-den.com.        1800    IN      A       207.227.157.52
> >>
> >>Checking for this in yesterday's logs, every lookup of
> >>huskiesden.niu.edu was followed by a lookup for huskies-den.com.
> >>
> >>The total number of lookups is modest, but enough that it is likely
> >>that at least some of the lookups were from other bind servers.  Most
> >>did not respond to a version.bind lookup.  Among those that
> >>responded, I saw 8.4.6-REL, 9.3.1, 9.2.1, 9.2.3
> >>
> >>It seems to me that something is awry here.  If my server is supposed
> >>to provide the info on huskies-den.com along with the CNAME response,
> >>then it should do so based on the acl for huskiesden.niu.edu.  As
> >>long as it fails to provide that record in its initial response, the
> >>off-campus DNS servers should not be looking up a "COM." record at
> >>our DNS server.
> >>
> >>-----BEGIN PGP SIGNATURE-----
> >>Version: GnuPG v1.4.2 (SunOS)
> >>
> >>iD8DBQFDlI0svmGe70vHPUMRAnwAAKCoaW6wYpphA92IRC8jrzAwyKktawCePMk7
> >>+ot9MSlZOaA7ZN6f7VcUDrc=
> >>=PUyd
> >>-----END PGP SIGNATURE-----
> >>    
> >>
> >
> >	When you ask a query that refers to a CNAME you follow that
> >	CNAME if you can.  All the log message was saying is that
> >	after following the CNAME the new query was refused.
> >
> >	Note this is the sort of answer where the client needs to
> >	requery after following the CNAME.  It looks like a NODATA
> >	response by isn't.
> >
> Mark,
>            I think the point is: why is the client restarting the query 
> at the CNAME's authoritative nameserver, instead of looking for the 
> nameservers of the closest-enclosing zone of the canonical name, as per 
> the usual iterative-resolution algorithm? I've noticed this behavior 
> too, and wondered whether it was some sort of "optimization" (e.g. the 
> CNAME owner seems more likely to get back answer in less steps than 
> restarting the query ab initio), or just sloppy coding (forgot to reset 
> who we're querying), or something else. Neil's forensics imply that at 
> least some of these iterative resolvers are BIND.

	Well when +70% of the worlds iterative resolvers are BIND there
	is a high probability that some of the queries are from BIND.
> 
>                                                                          
>                                                                   - Kevin

	The query is non-recursive.  Named follows the CNAME.  Attempts
	to look in the cache which is denied by ACL,  logs the fact that
	it was denied, then returns the answer.


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list