Tired of failing DNS queries

Wael Shahin wael.shahin at gmail.com
Tue Jun 26 10:50:50 UTC 2007


Hi,

I really appreciate you considering my email and replying to my queries.
Kindly read below and let me know your comments.

On Tue, 2007-06-26 at 09:05 +1000, Mark Andrews wrote:
> > Hello,
> > 
> > I have posted this or similar to this problem several times and I am
> > well aware that the problem is at the names I or more accurately my
> > clients are trying to resolve
> > for example the domain msn77.com I know the DNS configuration of that
> > domain is messed up and it is missing the stealth records and the proper
> > way to set up a DNS, but on the other hand my clients are not accepting
> > this as an answer, they don't care about technicality and moreover the
> > very same site resolves and opens fine when they connect to other ISPs.
> 
> 	So the other ISPs are lucky.
How can I be as lucky? :)
> 
> > I really would appreciate if someone can tell me how can I have my BIND
> > deal more flexibly with such records.
> > I am currently using two BIND versions,
> 
> 	The point of RFCs is to promote interoperability.  This site is
> 	not following the rules from the RFCs which allow the DNS to
> 	work.
> 
> 	This is very much a case of Garbage In - Garbage Out.  You
> 	should complain to the registry that they are not following
> 	RFC 1034, Section 4.2.2. Administrative considerations.
> 	This is a systemic problem that the registry should be
> 	addressing.
> 
> 	You should also complain to the zone's administrators.
We do, and most companies don't even bother to reply to us, nor fix their
problems, and some of them don't even know how to fix it, so they just
pretend it does not exist.
> 
> As the last installation step, the delegation NS RRs and glue RRs
> necessary to make the delegation effective should be added to the parent
> zone.  The administrators of both zones should insure that the NS and
> glue RRs which mark both sides of the cut are consistent and remain so.
Also, swiss.com has the same problem of a messed-up configuration;
however, www.swiss.com does resolve to its IP address from everywhere,
i.e. kloth.net, dnsstuff, dnsreports, and other name servers in my
network, yet it does not resolve from my primary name server, which
gives the timed-out error.

====== DIG Output =====
 dig www.swiss.com

; <<>> DiG 9.4.1 <<>> www.swiss.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
---------------------
dig @ns1.crossair.ch ns1.swiss.com

; <<>> DiG 9.4.1 <<>> @ns1.crossair.ch ns1.swiss.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46587
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.swiss.com.                 IN      A

;; ANSWER SECTION:
ns1.swiss.com.          300     IN      A       146.216.2.1

;; AUTHORITY SECTION:
swiss.com.              300     IN      NS      ns2.swiss.com.
swiss.com.              300     IN      NS      ns1.swiss.com.

;; ADDITIONAL SECTION:
ns2.swiss.com.          300     IN      A       146.216.2.2

;; Query time: 367 msec
;; SERVER: 146.216.2.1#53(146.216.2.1)
;; WHEN: Tue Jun 26 16:28:55 2007
;; MSG SIZE  rcvd: 95
--------------------
 dig @146.216.2.1 www.swiss.com

; <<>> DiG 9.4.1 <<>> @146.216.2.1 www.swiss.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58447
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.swiss.com.                 IN      A

;; ANSWER SECTION:
www.swiss.com.          300     IN      A       194.11.147.110

;; AUTHORITY SECTION:
swiss.com.              300     IN      NS      ns2.swiss.com.
swiss.com.              300     IN      NS      ns1.swiss.com.

;; ADDITIONAL SECTION:
ns1.swiss.com.          300     IN      A       146.216.2.1
ns2.swiss.com.          300     IN      A       146.216.2.2

;; Query time: 354 msec
;; SERVER: 146.216.2.1#53(146.216.2.1)
;; WHEN: Tue Jun 26 16:29:13 2007
;; MSG SIZE  rcvd: 115
================== END

Keep reading down, please.


> 
> 	NS records differ and there are no address records for the
> 	nameservers listed in the zone.
> 
> msn77.com.              172800  IN      NS      ns3.uae-dns.com.
> msn77.com.              172800  IN      NS      ns4.uae-dns.com.
> ;; Received 103 bytes from 2001:503:a83e::2:30#53(A.GTLD-SERVERS.NET) in 360 ms
> 
> msn77.com.              86400   IN      NS      ns1.ahladesin.com.
> msn77.com.              86400   IN      NS      ns2.ahladesin.com.
> ;; Received 89 bytes from 208.64.27.91#53(ns4.uae-dns.com) in 173 ms
> 
> 
> ; <<>> DiG 9.3.4 <<>> ns1.ahladesin.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26639
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;ns1.ahladesin.com.		IN	A
> 
> ;; AUTHORITY SECTION:
> ahladesin.com.		10450	IN	SOA	ns3.uae-dns.com. support.design4host.com. 2006052201 86400 7200 3600000 86400
> 
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 26 08:54:51 2007
> ;; MSG SIZE  rcvd: 103
> 
> 
> ; <<>> DiG 9.3.4 <<>> ns2.ahladesin.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19181
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;ns2.ahladesin.com.		IN	A
> 
> ;; AUTHORITY SECTION:
> ahladesin.com.		10800	IN	SOA	ns3.uae-dns.com. support.design4host.com. 2006052201 86400 7200 3600000 86400
> 
> ;; Query time: 439 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 26 08:55:00 2007
> ;; MSG SIZE  rcvd: 103
> 
> 
> 
> > Primary: 
> > DNS Version: 9.4.1
> > OS: Debian etch
> > configuration command:  ./configure --enable-libbind --enable-threads
> > --sysconfdir=/etc --localstatedir=/var
> > 
> > ===========named.conf==============
> > acl badguys { 
> >     0.0.0.0/8; 
> >     1.0.0.0/8; 
> >     2.0.0.0/8; 
> >     5.0.0.0/8; 
> >     7.0.0.0/8; 
> >     10.0.0.0/8; 
> >     23.0.0.0/8; 
> >     27.0.0.0/8; 
> >     31.0.0.0/8; 
> >     36.0.0.0/8; 
> >     37.0.0.0/8; 
> >     39.0.0.0/8; 
> >     42.0.0.0/8; 
> >     49.0.0.0/8; 
> >     50.0.0.0/8; 
> >     94.0.0.0/8; 
> >     95.0.0.0/8; 
> >     100.0.0.0/8; 
> >     101.0.0.0/8; 
> >     102.0.0.0/8; 
> >     103.0.0.0/8; 
> >     104.0.0.0/8; 
> >     105.0.0.0/8; 
> >     106.0.0.0/8; 
> >     107.0.0.0/8; 
> >     108.0.0.0/8; 
> >     109.0.0.0/8; 
> >     110.0.0.0/8; 
> >     111.0.0.0/8; 
> >     112.0.0.0/8; 
> >     113.0.0.0/8; 
> >     114.0.0.0/8; 
> >     115.0.0.0/8; 
> >     169.254.0.0/16; 
> >     173.0.0.0/8; 
> >     174.0.0.0/8; 
> >     175.0.0.0/8; 
> >     176.0.0.0/8; 
> >     177.0.0.0/8; 
> >     178.0.0.0/8; 
> >     179.0.0.0/8; 
> >     180.0.0.0/8; 
> >     181.0.0.0/8; 
> >     182.0.0.0/8; 
> >     183.0.0.0/8; 
> >     184.0.0.0/8; 
> >     185.0.0.0/8; 
> >     186.0.0.0/8; 
> >     187.0.0.0/8; 
> >     192.0.2.0/24; 
> >     197.0.0.0/8; 
> >     223.0.0.0/8; 
> >     224.0.0.0/3;};
> > acl trusted { 212.71.32.0/19; 213.181.160.0/19; 213.210.192.0/18;
> > 91.151.160/22; 85.129.128.0/17; 84.9.0.0/15; 84.23.96.0/21;
> > 217.145.240.0/20; 81.21.60.0/22; 192.168.1.0/16; 172.16.0.0/16;
> > 89.4.0.0/15; 91.147.128.0/23; 91.147.130.0/24; 193.227.127.0/24;
> > 193.22.249.0/24; };
> > acl secondaries {   192.168.1.101;  192.168.1.102; };
> > options {
> > 	directory "/var/named";
> > 	dump-file "/var/named/data/cache_dump.db";
> > 	pid-file "/var/named/named.pid";
> > 	statistics-file "/var/named/data/named_stats.txt";
> > 	version "Get Lost";
> > 	allow-query { trusted; localhost; };
On BIND bind-9.2.4-16.EL4 this allow-query worked and is still working
properly. Now, with the same configuration on BIND 9.4.1, I can query the
DNS from non-trusted sources, and of course the DNS replies with the
records if they are cached, or refers to the zone's name servers if not.
On bind-9.2.4-16.EL4 it says query refused.
> > 	allow-recursion { localhost; trusted; };
> > //	minimal-responses yes;
> > 	zone-statistics yes;
> > 	blackhole { badguys;  };
> > 	edns-udp-size 512;
> > 	notify yes;
> > //	max-ncache-ttl 1;
> > 	allow-transfer { secondaries; };
> >         also-notify {192.168.1.101;  }; // all zones
> >         allow-notify { secondaries; };
> > 	recursive-clients 300000;
> > };
> > 
> > 
> > logging {
> > 
> > 
> > 	channel default_debug {
> > 		file "/var/log/named/named.log" size 5m;
> > 		severity critical;
> > 		};
> > 	category security {
> > 		null;
> > 		};
> > 	category client {
> > 		null;
> > 		};
> > 	category lame-servers {
> > 		null;
> > 		};
> > 	category queries {
> > 		null;
> > 		};
> > };
> > 
> > controls {
> > 	inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
> > };
> > 
> > ============= end of named.conf for primary ==============
> > 
> > 
> > Thank you,
> > 
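The check Mark performs by hand above (compare the parent's delegation NS set with the child zone's own NS set, then confirm that every listed nameserver has address records), written up as an added example that is not part of this thread. It parses dig-style answer lines like the ones quoted in the thread; the msn77.com data is taken from the thread, while the address for ns3.uae-dns.com is a constructed placeholder because the thread does not show it.

```python
"""Delegation consistency check in the spirit of RFC 1034, section 4.2.2."""
import re
from collections import defaultdict
# Constructed sample built from the dig output quoted in this thread:
# the parent's (gTLD) NS set for msn77.com and the child zone's own NS set.
PARENT_NS = """
msn77.com.              172800  IN      NS      ns3.uae-dns.com.
msn77.com.              172800  IN      NS      ns4.uae-dns.com.
"""
CHILD_NS = """
msn77.com.              86400   IN      NS      ns1.ahladesin.com.
msn77.com.              86400   IN      NS      ns2.ahladesin.com.
"""
# Address lookups for each nameserver name: ns1/ns2.ahladesin.com gave NXDOMAIN in the
# thread (so no lines here); ns4's address is from the thread, ns3's is a constructed placeholder.
ADDRESS_LOOKUPS = """
ns4.uae-dns.com.        3600    IN      A       208.64.27.91
ns3.uae-dns.com.        3600    IN      A       192.0.2.10
"""
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_rrs(text):
    """Map (owner, type) -> set of rdata from dig-style answer lines; comment lines are ignored."""
    rrs = defaultdict(set)
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            rrs[(owner.lower(), rtype)].add(rdata.lower())
    return rrs

def check_delegation(zone, parent_text, child_text, lookups_text):
    """Return the findings a registry or zone admin would need to fix: NS sets
    that differ across the zone cut, and NS names with no address records."""
    key = (zone.lower().rstrip(".") + ".", "NS")
    parent = parse_rrs(parent_text).get(key, set())
    child = parse_rrs(child_text).get(key, set())
    addrs = parse_rrs(lookups_text)
    findings = []
    if parent != child:
        findings.append(f"NS sets differ: parent={sorted(parent)} child={sorted(child)}")
    for ns in sorted(parent | child):
        if not (addrs.get((ns, "A")) or addrs.get((ns, "AAAA"))):
            findings.append(f"no address records for nameserver {ns}")
    return findings

if __name__ == "__main__":
    for finding in check_delegation("msn77.com", PARENT_NS, CHILD_NS, ADDRESS_LOOKUPS):
        print(finding)
```

On the thread's msn77.com data this reports the two problems Mark names: the NS sets differ across the cut, and neither ahladesin.com nameserver has an address record.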



More information about the bind-users mailing list