Broken resolvers following MX requests wrong?

[Ben Croswell]

I have seen a similar thing on a domain I have that has a CNAME to a domain
hosted by another provider.
I have a global allow query none and then allow query any for the domains I
host.
When  a BIND server asks I give the CNAME and then it happily goes to the
other server for the end of the CNAME, but certain resolvers break because
they expect my server to answer for the domain I don't host.

-- 
-Ben Croswell


On Sat, Oct 18, 2008 at 12:50 AM, Chris Adams <cmadams at hiwaay.net> wrote:

> Watching requests to my authoritative servers running BIND, I'm seeing
> what appear to be broken resolvers regularly.  The problem is with
> domains that use outsourced spam filtering like Postini or MX Logic,
> where the MX records for example.com get set to
> example.com.something1.mxlogicmx.net and such.  What I'm seeing is that
> the resolver then turns around and asks my authoritative servers to
> resolve the ...mxlogicmx.net records (which of course it doesn't since
> I'm not MX Logic).
>
> I just refuse such requests, but why would it even ask that?  Isn't this
> just another way caches could be poisoned?  The client resolver asked my
> server a question; it'd be easy to return an answer without any IP
> spoofing required.
>
> I also see resolvers that, when they get a request refused (e.g. for a
> domain that has been cancelled and removed from my servers), they just
> keep pounding away, making sometimes dozens of requests per second for
> the same thing.  What broken behavior causes that?
> --
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
>
>