DNS lookup problems specific to the Facebook domains

Florian Weimer fw at deneb.enyo.de
Sat Nov 22 11:06:57 UTC 2008


* Rob Tanner:

> I'm trying to figure out if this is my problem or a Facebook problem.
> The first issue was with facebookmail.com.  The cache entry would
> become corrupt and I would have to clear cache to get things back to
> working again.  Since facebookmail.com resolves to a single IP
> address, my work around was to make my internal DNS authoritative for
> it and the problem went away.

You should have investigated this.  Caches don't corrupt so easily.
There might be someone tampering with your network.

For example, it seems that the (PIX?) firewall which is in front of
the resolver used by your incoming mail relay destroys source port
randomization and assigns ports sequentially.  If you have a similar
setup for your end-user resolvers, you might be exposed to
significantly increased cache poisoning risk.

> A week ago, DNS lookups for facebook.com failed completely.  Even
> restarting the DNS service didn't fix the problem.  Currently, and as
> a temporary fix only, I am forwarding facebook.com lookups to an
> off-campus server which does not seem to have the problem.  And now,
> as of last night, lookups to fbcdn.net (which apparently hosts
> stylesheets) fail completely and I've implemented the same forwarding

Have you got any log entries you can share?  What does "dig
facebook.com +trace +norecurse +all" show on the name server?  Can you
dump the name server cache using "rndc dumpdb" and extract the
relevant records?
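As an added illustration of the source-port point raised above (this is not part of the original thread or of BIND): a small Python check that reads tcpdump-style summary lines of a resolver's outbound queries and flags source ports that are handed out sequentially instead of randomly, which is the firewall behaviour Florian describes. The capture lines, addresses and the 0.5 threshold are constructed assumptions for the example.

```python
import re
from typing import List

# Constructed samples (not real captures): tcpdump-style lines of queries
# leaving a resolver at 10.0.0.5 for upstream name servers on port 53.
SEQUENTIAL_CAPTURE = """\
11:06:57.101 IP 10.0.0.5.1024 > 198.51.100.1.53: 41012+ A? facebook.com. (30)
11:06:57.102 IP 10.0.0.5.1025 > 198.51.100.2.53: 9032+ A? fbcdn.net. (27)
11:06:57.104 IP 10.0.0.5.1026 > 198.51.100.1.53: 55010+ MX? facebookmail.com. (34)
11:06:57.105 IP 10.0.0.5.1027 > 198.51.100.3.53: 8701+ A? www.facebook.com. (34)
11:06:57.107 IP 10.0.0.5.1028 > 198.51.100.1.53: 61220+ A? facebook.com. (30)
11:06:57.109 IP 10.0.0.5.1029 > 198.51.100.2.53: 1190+ AAAA? fbcdn.net. (27)
"""
RANDOM_CAPTURE = """\
11:07:01.201 IP 10.0.0.5.49213 > 198.51.100.1.53: 3301+ A? facebook.com. (30)
11:07:01.203 IP 10.0.0.5.3301 > 198.51.100.2.53: 44812+ A? fbcdn.net. (27)
11:07:01.204 IP 10.0.0.5.61044 > 198.51.100.1.53: 120+ MX? facebookmail.com. (34)
11:07:01.206 IP 10.0.0.5.17982 > 198.51.100.3.53: 9987+ A? www.facebook.com. (34)
11:07:01.208 IP 10.0.0.5.52330 > 198.51.100.1.53: 27000+ A? facebook.com. (30)
11:07:01.209 IP 10.0.0.5.8765 > 198.51.100.2.53: 5123+ AAAA? fbcdn.net. (27)
"""

# Matches "IP <src-ip>.<src-port> > <dst-ip>.53: " and captures the source port.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: ")


def source_ports(capture: str) -> List[int]:
    """UDP source port of every outbound query, in capture order."""
    matches = (QUERY_RE.search(line) for line in capture.splitlines())
    return [int(m.group(1)) for m in matches if m]


def sequential_fraction(ports: List[int]) -> float:
    """Share of consecutive queries whose source port grew by exactly 1."""
    if len(ports) < 2:
        return 0.0
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def assess_port_randomization(capture: str, threshold: float = 0.5) -> dict:
    """Flag a resolver whose queries mostly step through adjacent ports or
    stay inside a window barely wider than the query count (assumed heuristics)."""
    ports = source_ports(capture)
    frac = sequential_fraction(ports)
    span = (max(ports) - min(ports)) if ports else 0
    randomized = bool(ports) and frac < threshold and span > 10 * len(ports)
    return {"queries": len(ports), "distinct_ports": len(set(ports)),
            "sequential_fraction": round(frac, 2), "port_span": span,
            "randomized": randomized}


if __name__ == "__main__":
    for name, cap in (("sequential", SEQUENTIAL_CAPTURE), ("random", RANDOM_CAPTURE)):
        print(name, assess_port_randomization(cap))
```

Feed it the output of a tcpdump run on the resolver's outside interface (one query per line) to compare the ports it actually sent with the ones the upstream servers saw on the far side of the firewall.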
