Unexpected queries
Kevin Darcy
kcd at daimlerchrysler.com
Mon Dec 5 23:31:30 UTC 2005
Mark Andrews wrote:
>>Mark Andrews wrote:
>>
>>
>>
>>>>Mark Andrews wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>>>>Hash: SHA1
>>>>>>
>>>>>>Currently running bind-9.3.1
>>>>>>
>>>>>>When examining logs of DNS queries, I notice
>>>>>>
>>>>>>Dec 4 07:30:43 mp named[212]: client 99.99.99.99#33040: query: huskiesde
>>>>>>
>>>>>>
>>n.
>>
>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>ni
>>>>
>>>>
>>>>
>>>>
>>>>>>u.edu IN A -E
>>>>>>Dec 4 07:30:43 mp named[212]: client 99.99.99.99#33040: query (cache) 'h
>>>>>>
>>>>>>
>>us
>>
>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>ki
>>>>
>>>>
>>>>
>>>>
>>>>>>es-den.com/A/IN' denied
>>>>>>
>>>>>>The above query IP address was munged to protect the innocent.
>>>>>>
>>>>>>For the record, the server where this was logged is authoritative for
>>>>>>"niu.edu", but not for "com".
>>>>>>
>>>>>>Off campus queries are restricted to the zones for which we are
>>>>>>authoritative, and hence the "denied" for the second of those
>>>>>>lookups.
>>>>>>
>>>>>>The result of looking up huskiesden.niu.edu from off-campus is
>>>>>>
>>>>>>huskiesden.niu.edu. 86400 IN CNAME huskies-den.com.
>>>>>>
>>>>>>when made from on-campus, the result is
>>>>>>
>>>>>>huskiesden.niu.edu. 86400 IN CNAME huskies-den.com.
>>>>>>huskies-den.com. 1800 IN A 207.227.157.52
>>>>>>
>>>>>>Checking for this in yesterday's logs, every lookup of
>>>>>>huskiesden.niu.edu was followed by a lookup for huskies-den.com.
>>>>>>
>>>>>>The total number of lookups is modest, but enough that it is likely
>>>>>>that at least some of the lookups were from other bind servers. Most
>>>>>>did not respond to a version.bind lookup. Among those that
>>>>>>responded, I saw 8.4.6-REL, 9.3.1, 9.2.1, 9.2.3
>>>>>>
>>>>>>It seems to me that something is awry here. If my server is supposed
>>>>>>to provide the info on huskies-den.com along with the CNAME response,
>>>>>>then it should do so based on the acl for huskiesden.niu.edu. As
>>>>>>long as it fails to provide that record in its initial response, the
>>>>>>off-campus DNS servers should not be looking up a "COM." record at
>>>>>>our DNS server.
>>>>>>
>>>>>>-----BEGIN PGP SIGNATURE-----
>>>>>>Version: GnuPG v1.4.2 (SunOS)
>>>>>>
>>>>>>iD8DBQFDlI0svmGe70vHPUMRAnwAAKCoaW6wYpphA92IRC8jrzAwyKktawCePMk7
>>>>>>+ot9MSlZOaA7ZN6f7VcUDrc=
>>>>>>=PUyd
>>>>>>-----END PGP SIGNATURE-----
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> When you ask a query that refers to a CNAME you follow that
>>>>> CNAME if you can. All the log message was saying is that
>>>>> after following the CNAME the new query was refused.
>>>>>
>>>>> Note this is the sort of answer where the client needs to
>>>>> requery after following the CNAME. It looks like a NODATA
>>>>> response by isn't.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>Mark,
>>>> I think the point is: why is the client restarting the query
>>>>at the CNAME's authoritative nameserver, instead of looking for the
>>>>nameservers of the closest-enclosing zone of the canonical name, as per
>>>>the usual iterative-resolution algorithm? I've noticed this behavior
>>>>too, and wondered whether it was some sort of "optimization" (e.g. the
>>>>CNAME owner seems more likely to get back answer in less steps than
>>>>restarting the query ab initio), or just sloppy coding (forgot to reset
>>>>who we're querying), or something else. Neil's forensics imply that at
>>>>least some of these iterative resolvers are BIND.
>>>>
>>>>
>>>>
>>>>
>>> Well when +70% of the worlds iterative resolvers are BIND there
>>> is a high probability that some of the queries are from BIND.
>>>
>>>
>>>
>>>
>>>>
>>>> - Kevin
>>>>
>>>>
>>>>
>>>>
>>> The query is non-recursive. Named follows the CNAME. Attempts
>>> to look in the cache which is denied by ACL, logs the fact that
>>> it was denied, then returns the answer.
>>>
>>>
>>>
>>Right. No-one is questioning what the authoritative nameserver is
>>returning. But why is the client coming right back to the same
>>nameserver to query the canonical name, even though it's not in the
>>delegation chain for it?
>>
>>
>
> It isn't. You are not reading the logs correctly. The client
> is querying for huskiesden.niu.edu.
>
>
>
>>Is it an optimization, a coding mistake, or something else?
>>
>>
>
> It's a noisy log message, nothing more.
>
>
>
>>This is a question about iterative-resolver behavior, not
>>authoritative-nameserver behavior.
>>
>>
>
> No, it is a question about authoritative-nameserver behavior.
>
>
>
>>Maybe someone who is familiar with the nuances of BIND 8's and/or
>>BIND 9's resolver code can answer the question. I'm just curious.
>>
I'm sniffing the packets now, and preliminary indications are that there
are no separate queries for the canonical name. So perhaps it's just a
case of me misinterpreting the logs. I thought I had nailed down this
behavior in the past, but maybe it's just my faulty memory, or possibly
just an isolated instance of resolver misbehavior, probably from a
non-BIND implementation.
Sorry for the confusion.
- Kevin
More information about the bind-users
mailing list