trace ok but cannot get answer

Ken Lai soulhacker511 at gmail.com
Fri Aug 15 00:31:32 UTC 2008


Kevin Darcy wrote:
> From the outside, it looks like 211.148.192.137 has a firewall in front
> of it that blocks all query packets with the RD (Recursion Desired) bit
> set. Non-recursive queries seem to work fine, but recursive queries are
> getting dropped.
>
> A version query shows 9.4.2 (unpatched), so maybe this is an awkward
> attempt to protect themselves against the Kaminsky attack.
>
> If the firewall is doing this to your customer as well, and he/she is
> trying to use 211.148.192.137 as a recursive resolver, that's going to
> be a problem...
>
> - Kevin
>
> Ken Lai wrote:
>   
>> Hi,
>> Yesterday one of our customers complained that he cannot resolve
>> www.zaobao.com. The DNS server he used is 211.148.192.137, so I traced
>> it and got:
>> ken at ken-laptop ~ $ dig @211.148.192.137 www.zaobao.com +trace
>>
>> ; <<>> DiG 9.4.2-P1 <<>> @211.148.192.137 www.zaobao.com +trace
>> ; (1 server found)
>> ;; global options: printcmd
>> . 481468 IN NS C.ROOT-SERVERS.NET.
>> . 481468 IN NS A.ROOT-SERVERS.NET.
>> . 481468 IN NS J.ROOT-SERVERS.NET.
>> . 481468 IN NS B.ROOT-SERVERS.NET.
>> . 481468 IN NS G.ROOT-SERVERS.NET.
>> . 481468 IN NS L.ROOT-SERVERS.NET.
>> . 481468 IN NS E.ROOT-SERVERS.NET.
>> . 481468 IN NS M.ROOT-SERVERS.NET.
>> . 481468 IN NS H.ROOT-SERVERS.NET.
>> . 481468 IN NS I.ROOT-SERVERS.NET.
>> . 481468 IN NS D.ROOT-SERVERS.NET.
>> . 481468 IN NS K.ROOT-SERVERS.NET.
>> . 481468 IN NS F.ROOT-SERVERS.NET.
>> ;; Received 500 bytes from 211.148.192.137#53(211.148.192.137) in 11 ms
>>
>> com. 172800 IN NS B.GTLD-SERVERS.NET.
>> com. 172800 IN NS C.GTLD-SERVERS.NET.
>> com. 172800 IN NS D.GTLD-SERVERS.NET.
>> com. 172800 IN NS E.GTLD-SERVERS.NET.
>> com. 172800 IN NS F.GTLD-SERVERS.NET.
>> com. 172800 IN NS G.GTLD-SERVERS.NET.
>> com. 172800 IN NS H.GTLD-SERVERS.NET.
>> com. 172800 IN NS I.GTLD-SERVERS.NET.
>> com. 172800 IN NS J.GTLD-SERVERS.NET.
>> com. 172800 IN NS K.GTLD-SERVERS.NET.
>> com. 172800 IN NS L.GTLD-SERVERS.NET.
>> com. 172800 IN NS M.GTLD-SERVERS.NET.
>> com. 172800 IN NS A.GTLD-SERVERS.NET.
>> ;; Received 504 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 278 ms
>>
>> zaobao.com. 172800 IN NS ns1.asia1.com.sg.
>> zaobao.com. 172800 IN NS ns2.asia1.com.sg.
>> ;; Received 80 bytes from 192.52.178.30#53(K.GTLD-SERVERS.NET) in 346 ms
>>
>> www.zaobao.com. 360 IN CNAME zaobao.com.edgesuite.net.
>> zaobao.com.edgesuite.net. 9033 IN CNAME a1868.g.akamai.net.
>> g.akamai.net. 289 IN NS n4g.akamai.net.
>> g.akamai.net. 289 IN NS n6g.akamai.net.
>> g.akamai.net. 289 IN NS n2g.akamai.net.
>> g.akamai.net. 289 IN NS n8g.akamai.net.
>> g.akamai.net. 289 IN NS n3g.akamai.net.
>> g.akamai.net. 289 IN NS n5g.akamai.net.
>> g.akamai.net. 289 IN NS n0g.akamai.net.
>> g.akamai.net. 289 IN NS n1g.akamai.net.
>> g.akamai.net. 289 IN NS n7g.akamai.net.
>> ;; Received 405 bytes from 202.27.17.253#53(ns1.asia1.com.sg) in 96 ms
>>
>> But I get this also:
>>
>> ken at ken-laptop ~ $ dig @211.148.192.137 www.zaobao.com
>>
>> ; <<>> DiG 9.4.2-P1 <<>> @211.148.192.137 www.zaobao.com
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; connection timed out; no servers could be reached
>>
>> Could anyone guide me? Thanks.
Thanks. I'm new to BIND, and we have 4 DNS servers in total.

ken at ken-laptop ~ $ dig @211.148.192.134 www.zaobao.com +short
zaobao.com.edgesuite.net.
a1868.g.akamai.net.
124.40.51.89
124.40.51.66

ken at ken-laptop ~ $ dig @211.148.192.135 www.zaobao.com +short
zaobao.com.edgesuite.net.
a1868.g.akamai.net.
124.40.51.89
124.40.51.66


134 and 135 work fine; only 136 and 137 have this problem. And the configs are
the same:
DNS134# cat /etc/namedb/named.conf
// $FreeBSD: src/etc/namedb/named.conf,v 1.15.2.1 2004/09/30 23:36:07 dougb Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
// Edit by Ken Lai 2008/08/12 21:46


// basic configs of the DNS server environment
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    allow-query { any; };
    listen-on { 127.0.0.1; 211.148.192.134; };
    recursive-clients 5000;
};



//=== root config and localhost reverse lookup config =====================
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
zone "." {
    type hint;
    file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "master/localhost.rev";
};

// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
    type master;
    file "master/localhost-v6.rev";
};

// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
    type master;
    file "master/localhost-v6.rev";
};



//=== reverse lookup configs for 192.168.222.x and 211.148.192.x network ==
key "rndc-key" {
    algorithm hmac-md5;
    secret "wBy4NvwL3OlOKqvPclqmLg==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "222.168.192.in-addr.arpa" in {
    type master;
    file "master/192.168.222.rev";
};
zone "192.148.211.in-addr.arpa" in {
    type master;
    file "master/211.148.192.rev";
};



//=== some special configs for the domains cannot resolve by root ==========
zone "oeeee.com" {
    type forward;
    forwarders { 210.21.196.6; };
};


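Kevin's diagnosis above rests on one header bit: `dig +trace` sends its queries with Recursion Desired clear (it walks the delegation itself), so the first step was answered from .137's cache, while a plain `dig @211.148.192.137 www.zaobao.com` sets RD and got nothing back. The quickest reproduction with dig is `dig @211.148.192.137 www.zaobao.com +norecurse` next to the same command without `+norecurse`. The script below is an added example, not code from the thread, that does the same test without dig: it builds two otherwise identical raw DNS queries, one with RD set and one with it clear, and classifies the server from which of the two gets a reply. The server address and query name are arguments; `probe()` is a live network call and is the only part that cannot be exercised offline, and the reply bytes used to check the parser are constructed, not captured.

```python
"""Added example (not from the thread): reproduce the RD-bit test without dig.

Builds two otherwise identical DNS queries, one with Recursion Desired (RD)
set and one with it clear, so that a resolver behind a firewall which drops
RD=1 packets can be told apart from one that is simply down.
"""
import random
import socket
import struct

QR = 0x8000   # flags word bit 15: this message is a response
RD = 0x0100   # bit 8: Recursion Desired (RFC 1035 section 4.1.1)
RA = 0x0080   # bit 7: Recursion Available


def build_query(qname, qtype=1, rd=True, txid=None):
    """Return a minimal DNS query: 12-byte header plus one IN question."""
    if txid is None:
        txid = random.randrange(0x10000)
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_flags(message):
    """Decode the header flags of a DNS message into a dict."""
    (flags,) = struct.unpack("!H", message[2:4])
    return {
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
    }


def probe(server, qname, rd, timeout=3.0):
    """Send one UDP query; return None on timeout, else the parsed flags.

    Live network call. A reply whose transaction ID does not match the
    query is discarded exactly like a timeout.
    """
    query = build_query(qname, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if reply[:2] != query[:2]:
        return None
    return parse_flags(reply)


def diagnose(no_rd_reply, rd_reply):
    """Classify a server from its answers to an RD=0 and an RD=1 query."""
    if no_rd_reply is None and rd_reply is None:
        return "unreachable"
    if rd_reply is None:
        # Answers iterative queries but drops recursive ones: the pattern in
        # the thread, where +trace works and a plain lookup times out.
        return "rd-filtered"
    if rd_reply["ra"]:
        return "recursive-service"
    return "no-recursion-offered"   # reachable, but RA clear: recursion refused


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # e.g. 211.148.192.137 www.zaobao.com
    verdict = diagnose(probe(server, name, rd=False), probe(server, name, rd=True))
    print(server, verdict)
```

With RD clear, a recursive server answers from its cache or with a referral rather than resolving on the caller's behalf, which is why the `+trace` output above could still show the root NS set (TTL 481468, counting down from the cached 518400) while every recursive query was dropped. Run the script against .134 and .137 and the two should classify differently if the firewall is the cause.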

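The named.conf posted above sets `allow-query { any; }` and leaves `recursion` at its BIND 9 default of `yes`, so as written each of these four servers is an open recursive resolver, which is the exposure a firewall rule dropping RD=1 packets would be trying to paper over. If that is what is happening in front of .137, dropping recursion at the firewall also drops the customers' lookups. The fragment below is an added example, not the poster's config or a BIND project file: it shows the options stanza with recursion restricted to the customer networks in BIND's own config syntax, so the firewall rule becomes unnecessary. The two network prefixes are placeholders taken from the reverse zones in the posted file, and the version string is an arbitrary choice. The `rndc-key` secret in the posted file has now been published; regenerate it on each host with `rndc-confgen -a` rather than reusing it.

```conf
// Added example, not the poster's configuration. Replaces the "options"
// stanza above; one host's listen-on address is shown as in the original.
// The prefixes in the ACL are placeholders: substitute the real customer ranges.

acl "customers" {
    127.0.0.0/8;
    211.148.192.0/24;   // placeholder: the servers' own prefix
    192.168.222.0/24;   // placeholder: the internal range from the reverse zone
};

options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    listen-on { 127.0.0.1; 211.148.192.134; };   // each host lists its own address
    recursive-clients 5000;

    // As posted, "allow-query { any; }" with the default "recursion yes"
    // serves recursive lookups to the whole Internet. Keep allow-query open
    // so the authoritative reverse zones stay reachable, but hand out
    // recursion and cache contents only to the customer networks.
    recursion yes;
    allow-query { any; };
    allow-recursion { "customers"; };
    allow-query-cache { "customers"; };

    // Kevin's version query returned 9.4.2 unpatched; hide the banner and,
    // more importantly, run 9.4.2-P1 or later for randomised source ports.
    version "not disclosed";
};
```

After the change, `named-checkconf` validates the file, and `dig @211.148.192.137 www.zaobao.com` from a customer address should answer while the same query from outside the ACL gets REFUSED instead of silence.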
More information about the bind-users mailing list