Strange DNS Behaviour

Mark Andrews Mark_Andrews at isc.org
Tue Mar 24 16:55:57 UTC 2009


In message <00a901c9ac92$9dc4e8a0$f9281fac at wipro74039c7ca>, "Ashish" writes:
> Hi,
> 
> Could someone kindly explain what is happening?

	You have a DNS client that is using a pre-RFC 1535 search
	algorithm that is looking up kemira.kemira.com.

Network Working Group                                          E. Gavron
Request for Comments: 1535                            ACES Research Inc.
Category: Informational                                     October 1993


              A Security Problem and Proposed Correction
                   With Widely Deployed DNS Software


	You are also using BIND 4 or BIND 8 as a nameserver.  You
	should upgrade the nameserver.

	Mark


> I don't have domain name kemira.kemira.com anywhere in my primary
> database (and all secondaries, too) kemira.com = 137.33.1.2
> I have doublechecked the master database and secondaries. I have
> restarted both of them, but nothing seems to help.
> 
> In funet.fi (master for fi-domain) when I start named and query
> kemira.kemira.com for the first time, it looks like this:
> 
> ==========================================================
> datagram from 130.230.1.1 port 1536, fd 7, len 44
> req: nlookup(kemira.kemira.com.funet.fi) id 1 type=1
> req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
> findns: SOA found
> req: leaving (kemira.kemira.com.funet.fi, rcode 3)
> req: answer -> 130.230.1.1 9 (1536) id=1 Local
> 
> datagram from 130.230.1.1 port 1537, fd 7, len 44
> req: nlookup(kemira.kemira.com.funet.fi) id 2 type=15
> req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
> findns: SOA found
> req: leaving (kemira.kemira.com.funet.fi, rcode 3)
> req: answer -> 130.230.1.1 9 (1537) id=2 Local
> 
> datagram from 130.230.1.1 port 1538, fd 7, len 35
> req: nlookup(kemira.kemira.com) id 3 type=1
> req: found 'kemira.kemira.com' as 'com' (cname=0)
> findns: using cache
> findns: 7 NS's added for ''
> ns_forw()
> nslookup(nsp=xf7fff1e0,qp=x55000)
> nslookup: NS NS.NIC.DDN.MIL c1 t2 (x0)
> nslookup: 1 ns addrs
> nslookup: NS AOS.BRL.MIL c1 t2 (x0)
> nslookup: 4 ns addrs
> nslookup: NS KAVA.NISC.SRI.COM c1 t2 (x0)
> nslookup: 5 ns addrs
> nslookup: NS C.NYSER.NET c1 t2 (x0)
> nslookup: 6 ns addrs
> nslookup: NS TERP.UMD.EDU c1 t2 (x0)
> nslookup: 7 ns addrs
> nslookup: NS NS.NASA.GOV c1 t2 (x0)
> nslookup: 9 ns addrs
> nslookup: NS NIC.NORDU.NET c1 t2 (x0)
> nslookup: 10 ns addrs total
> forw: forw -> 192.33.4.12 7 (53) nsid=5 id=3 0ms retry 4 sec
> 
> ....
> 
> and a bit later:
> 
> datagram from 192.33.4.12 port 53, fd 7, len 186
> USER response nsid=5 id=3
> stime 712944912/687743  now 712944912/887742 rtt 199
> NS #0 addr 192.33.4.12 used, rtt 199
> NS #1 128.63.4.82 rtt now 0
> NS #2 26.3.0.29 rtt now 0
> NS #3 192.5.25.82 rtt now 0
> NS #4 192.33.33.24 rtt now 0
> NS #5 128.8.10.90 rtt now 0
> NS #6 192.52.195.10 rtt now 0
> NS #7 128.102.16.10 rtt now 0
> NS #8 192.36.148.17 rtt now 0
> NS #9 192.112.36.4 rtt now 401
> resp: ancount 1, aucount 3, arcount 3
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname kemira.kemira.com type 1 class 1 ttl 172800
> db_update(kemira.kemira.com, 0x554b8, 0x554b8, 031, 0x44ca0)
> db_update: adding 554b8
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
> db_update(KEMIRA.COM, 0x55580, 0x55580, 031, 0x44ca0)
> db_update: adding 55580
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
> db_update(KEMIRA.COM, 0x555b8, 0x555b8, 031, 0x44ca0)
> db_update: adding 555b8
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
> db_update(KEMIRA.COM, 0x555f0, 0x555f0, 031, 0x44ca0)
> db_update: adding 555f0
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname KEMIRA.KEMIRA.COM type 1 class 1 ttl 172800
> db_update(KEMIRA.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
> db_update: new ttl 713117712, +172800
> update failed (DATAEXISTS)
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname HYDRA.HELSINKI.FI type 1 class 1 ttl 518400
> db_update(HYDRA.HELSINKI.FI, 0x55630, 0x55630, 031, 0x44ca0)
> 192.33.4.12 attempted update to auth zone 1 'fi'
> update failed (-10)
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname HKIUX9.FIN.KEMIRA.COM type 1 class 1 ttl 172800
> db_update(HKIUX9.FIN.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
> db_update: adding 55630
> resp: got as much answer as there is
> send_msg -> 130.230.1.1 (UDP 9 1538) id=3
> 
> datagram from 130.230.1.1 port 1539, fd 7, len 35
> req: nlookup(kemira.kemira.com) id 4 type=15
> datagram from 130.230.1.1 port 1539, fd 7, len 35
> req: nlookup(kemira.kemira.com) id 4 type=15
> req: found 'kemira.kemira.com' as 'kemira.kemira.com' (cname=0)
> finddata: added 0 class 1 type 15 RRs
> findns: 3 NS's added for 'kemira'
> ns_forw()
> nslookup(nsp=xf7fff1e0,qp=x55000)
> nslookup: NS KEMIRA.KEMIRA.COM c1 t2 (x0)
> nslookup: 1 ns addrs
> nslookup: NS HYDRA.HELSINKI.FI c1 t2 (x0)
> nslookup: 2 ns addrs
> nslookup: NS HKIUX9.FIN.KEMIRA.COM c1 t2 (x0)
> nslookup: 3 ns addrs
> nslookup: 3 ns addrs total
> forw: forw -> 137.33.1.2 7 (53) nsid=7 id=4 0ms retry 4 sec
> 
> datagram from 137.33.1.2 port 53, fd 7, len 92
> USER response nsid=7 id=4
> stime 712944912/917744  now 712944912/967742 rtt 49
> NS #0 addr 137.33.1.2 used, rtt 49
> NS #1 128.214.4.29 rtt now 0
> NS #2 137.33.1.9 rtt now 0
> resp: ancount 0, aucount 1, arcount 0
> doupdate(zone 0, savens f7ffe9d0, flags 19)
> doupdate: dname kemira.com type 6 class 1 ttl 3600
> db_update(kemira.com, 0x556f8, 0x556f8, 031, 0x44ca0)
> db_update: adding 556f8
> resp: leaving auth NO
> send_msg -> 130.230.1.1 (UDP 9 1539) id=4
> 
> =====================================================
> 
> Kindly advise!
> 
> Many Thanks,
> Ashish
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
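
The search behaviour the reply refers to, as an added example that is not part of either message: a Python sketch of an implicit parent-domain search beside the RFC 1535 ordering, plus a check that spots search-list expansion in `nlookup` debug lines. The function names and the `min_labels` cut-off are assumptions made for illustration; the four log lines are copied from the debug output quoted above.

```python
import re

def legacy_candidates(name, local_domain, min_labels=2):
    """Implicit (pre-RFC 1535) search: append the local domain, then each
    parent of it that still has min_labels labels, then try the name as
    typed. min_labels is an assumption; how far up a resolver walked varied."""
    name = name.rstrip(".")
    labels = local_domain.rstrip(".").split(".")
    out = []
    while len(labels) >= min_labels:
        out.append(name + "." + ".".join(labels))
        labels = labels[1:]
    return out + [name]

def rfc1535_candidates(name, search_list):
    """RFC 1535 order: a name containing a dot is tried as rooted first, and
    only the explicitly configured search_list is ever appended."""
    if name.endswith("."):
        return [name.rstrip(".")]          # trailing dot: rooted, no search
    expanded = [name + "." + d.rstrip(".") for d in search_list]
    return [name] + expanded if "." in name else expanded + [name]

NLOOKUP = re.compile(r"req: nlookup\(([^)]+)\) id \d+ type=(\d+)")

def search_expansions(log_lines):
    """Flag (bare_name, appended_suffix, qtype) wherever a query for
    bare_name.suffix is later repeated for bare_name with the same type."""
    seen, hits = [], []
    for line in log_lines:
        m = NLOOKUP.search(line)
        if not m:
            continue
        qname, qtype = m.group(1).lower().rstrip("."), m.group(2)
        for prev, ptype in seen:
            if ptype == qtype and prev.startswith(qname + "."):
                hit = (qname, prev[len(qname) + 1:], qtype)
                if hit not in hits:
                    hits.append(hit)
        seen.append((qname, qtype))
    return hits

# Four request lines copied from the named debug output quoted above.
SAMPLE_LOG = [
    "req: nlookup(kemira.kemira.com.funet.fi) id 1 type=1",
    "req: nlookup(kemira.kemira.com.funet.fi) id 2 type=15",
    "req: nlookup(kemira.kemira.com) id 3 type=1",
    "req: nlookup(kemira.kemira.com) id 4 type=15",
]

if __name__ == "__main__":
    print(legacy_candidates("kemira.kemira.com", "funet.fi"))
    print(rfc1535_candidates("kemira.kemira.com", ["funet.fi"]))
    print(search_expansions(SAMPLE_LOG))
```
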


