help needed

Kevin Darcy kcd at chrysler.com
Fri Jun 13 01:45:39 UTC 2008


alexus wrote:
> Hello
>
> One of my customers sent me the following output
>
>
> -------------------------------------------------------------------------
> -------------------------------------------
>
> Searching for XXXXXXXXXX.com A record at d.root-servers.net Got
> referral to H.GTLD-SERVERS.NET. [took 40 ms]
> Searching for XXXXXXXXXX.com A record at H.GTLD-SERVERS.NET. Got
> referral to ns1.alexus.org. [took 121 ms]
> [Had to look up A record for ns1.alexus.org.; assume 200ms]
> Searching for XXXXXXXXXX.com A record at ns1.alexus.org. Reports an answer.
>
> Record is:
>
> Domain            Type  Class  TTL    Answer
> XXXXXXXXXX.com.   A     IN     86400  XXX.XXX.XX.XX
> XXXXXXXXXX.com.   NS    IN     86400  ns2.alexus.org.
> XXXXXXXXXX.com.   NS    IN     86400  ns1.alexus.org.
> ns1.alexus.org.   A     IN     86400  64.237.55.82
> ns2.alexus.org.   A     IN     86400  66.230.158.168
>
> Looking up at ns1.alexus.org.... [Had to look up A record for
> ns1.alexus.org; assume +200ms]...Reports 1 A record(s). 246ms.
> Looking up at ns2.alexus.org.... [Had to look up A record for
> ns2.alexus.org; assume +200ms]...Reports 1 A record(s). 238ms.
>
>
> Average of all 2 nameservers: 242ms (plus 361ms overhead).
>
> Score: F
>
> Took off 8 points for having no glue at a parent server [adds 2 extra
> packets to lookup].
> Took off 6 points for having no glue for ns1.alexus.org [adds 2 extra
> packets to lookup].
> Took off 6 points for having no glue for ns2.alexus.org [adds 2 extra
> packets to lookup].
> Took off 10 points since ns2.alexus.org is an open DNS server (if
> abused, your DNS may be inaccessible, and over usage could result in
> slowdowns).
> Took off 20 points for >200ms average response time.
>
> -------------------------------------------------------------------------
> ----------------------------------------------------------------
>
>
> yet when I ping the server myself I get
>
> Last login: Wed Jun 11 18:29:06 on console
> mb:~ alexus$ ping ns1.alexus.org
> PING ns1.alexus.org (64.237.55.82): 56 data bytes
> 64 bytes from 64.237.55.82: icmp_seq=0 ttl=56 time=14.138 ms
> 64 bytes from 64.237.55.82: icmp_seq=1 ttl=56 time=16.267 ms
> 64 bytes from 64.237.55.82: icmp_seq=2 ttl=56 time=17.359 ms
> 64 bytes from 64.237.55.82: icmp_seq=3 ttl=56 time=21.031 ms
> ^C
> --- ns1.alexus.org ping statistics ---
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 14.138/17.199/21.031/2.497 ms
> mb:~ alexus$ ping ns2.alexus.org
> PING ns2.alexus.org (66.230.158.168): 56 data bytes
> 64 bytes from 66.230.158.168: icmp_seq=0 ttl=55 time=13.224 ms
> 64 bytes from 66.230.158.168: icmp_seq=1 ttl=55 time=14.331 ms
> 64 bytes from 66.230.158.168: icmp_seq=2 ttl=55 time=16.636 ms
> 64 bytes from 66.230.158.168: icmp_seq=3 ttl=55 time=17.087 ms
> ^C
> --- ns2.alexus.org ping statistics ---
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 13.224/15.320/17.087/1.599 ms
> mb:~ alexus$
>
> that's from my *home*-based cable connection, and from a remote UNIX box I get
>
> alexus at jot ~ 505$ ping ns1.alexus.org
> PING ns1.alexus.org (64.237.55.82): 56 data bytes
> 64 bytes from 64.237.55.82: icmp_seq=0 ttl=52 time=1.769 ms
> 64 bytes from 64.237.55.82: icmp_seq=1 ttl=52 time=2.275 ms
> 64 bytes from 64.237.55.82: icmp_seq=2 ttl=52 time=1.586 ms
> 64 bytes from 64.237.55.82: icmp_seq=3 ttl=52 time=1.666 ms
> ^C
> --- ns1.alexus.org ping statistics ---
> 4 packets transmitted, 4 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 1.586/1.824/2.275/0.268 ms
> alexus at jot ~ 506$
>
>
> but whatever, what can I do to make them happy?  I didn't get this
>
> Took off 8 points for having no glue at a parent server [adds 2 extra
> packets to lookup].
> Took off 6 points for having no glue for ns1.alexus.org [adds 2 extra
> packets to lookup].
> Took off 6 points for having no glue for ns2.alexus.org [adds 2 extra
> packets to lookup].
> Took off 10 points since ns2.alexus.org is an open DNS server (if
> abused, your DNS may be inaccessible, and over usage could result in
> slowdowns).
> Took off 20 points for >200ms average response time.
>
>
> what's glue at a parent server? I know ns1.alexus.org is a registered name server
> I don't understand what they meant by open DNS server....
>
>
>
"open DNS server" means it resolves queries for anyone, and can thus be 
easily (ab)used in DoS (denial of service) attacks. It's very bad, and 
should be fixed ASAP.

"missing glue" means that the "com" servers don't have an A record for 
ns1.alexus.org or ns2.alexus.org. This may be because the "host" record 
wasn't properly added to the shared registry by your registrar, or it 
could just be a systemic problem because the names are in a different 
TLD (.org versus .com). All of our nameservers are in .com so I don't 
run into this issue, but I understand there are some special glue 
considerations when you cross TLDs like that.

                                                                         
                     - Kevin
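
Both conditions discussed in this reply are visible in the DNS messages themselves. The following is an added example, not part of the original post: it parses a raw DNS response and reports whether the RA (recursion available) flag is set and which NS names in the message have no A record in the additional section, i.e. no glue. The `example.com`/`example.org` names, the 192.0.2.1 address and the helper functions are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels).lower() + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def audit_response(msg):
    """Return (RA flag set?, NS names in the message that have no glue A record)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                          # skip question: name, type, class
        off = read_name(msg, off)[1] + 4
    ns_targets, glued = [], set()
    for i in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                           # NS record: remember its target
            ns_targets.append(read_name(msg, off)[0])
        elif rtype == 1 and i >= an + ns:        # A in additional section = glue
            glued.add(owner)
        off += rdlen
    return bool(flags & 0x0080), [t for t in ns_targets if t not in glued]

# Constructed sample messages (not captured traffic).
def enc_name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.rstrip(".").split(".")) + b"\0"

def rr(owner, rtype, rdata):
    return enc_name(owner) + struct.pack("!HHIH", rtype, 1, 86400, len(rdata)) + rdata

def referral(with_glue, flags=0x8000):
    auth = [rr("example.com", 2, enc_name(h)) for h in ("ns1.example.org", "ns2.example.org")]
    add = [rr("ns1.example.org", 1, bytes([192, 0, 2, 1]))] if with_glue else []
    hdr = struct.pack("!6H", 0x1234, flags, 1, 0, len(auth), len(add))
    return hdr + enc_name("example.com") + struct.pack("!HH", 1, 1) + b"".join(auth + add)
```

An authoritative-only server should come back with RA clear when queried from outside its own network, and a referral from the parent zone should leave the missing-glue list empty.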


