ignoring incorrect nameservers in authority section

Sunil Shetye shetye at bombay.retortsoft.com
Wed Dec 22 11:23:03 UTC 2010 

Quoting from Matus UHLAR - fantomas's mail on Wed, Dec 22, 2010:
> > Is there any solution to this problem without contacting the DNS
> > administrator of that domain? I have seen this problem for many
> > domains on the internet.
> 
> Well, first find which is the real problem - domain delegated to invalisd
> servers, server providing invalid data, and than you have to fix what is
> broken.
> 
> Give us a real example if we have to provider real solution.

Case 1:

Domain: e-nxt.com
Real Nameservers: ns1.webpresenceworld.com. ns2.webpresenceworld.com.
Fake Nameservers: ns5.zenexpress.com. ns6.zenexpress.com.

==============================================================
$ dig +norecurse @a.gtld-servers.net. e-nxt.com.
;; QUESTION SECTION:
;e-nxt.com.	    IN	A

;; AUTHORITY SECTION:
e-nxt.com.	172800	IN  NS	ns1.webpresenceworld.com.
e-nxt.com.	172800	IN  NS	ns2.webpresenceworld.com.
==============================================================
  (correct)

==============================================================
$ dig +norecurse @ns1.webpresenceworld.com. e-nxt.com.
;; QUESTION SECTION:
;e-nxt.com.	    IN	A

;; ANSWER SECTION:
e-nxt.com.	3600	IN  A	203.201.252.134

;; AUTHORITY SECTION:
e-nxt.com.	3600	IN  NS	ns6.zenexpress.com.
e-nxt.com.	3600	IN  NS	ns5.zenexpress.com.
==============================================================
  (authority section is not correct and should not be cached by named)

==============================================================
$ dig +norecurse @ns6.zenexpress.com. e-nxt.com.
;; QUESTION SECTION:
;e-nxt.com.	    IN	A
==============================================================
  (refused, this is correct)

So, the authority section as reported by the tld nameservers is
correct. The authority section as reported by the real nameservers is
incorrect. The problem occurs when sending a mail to e-nxt.com. The
following lookups are triggered:

e-nxt.com A
e-nxt.com MX
mail1.e-nxt.com A
mail2.e-nxt.com A

When the named cache is empty, the first lookup succeeds. After that,
the incorrect authority section is cached by named. Due to this, the
second lookup fails. After the incorrect NS record expires, the second
lookup succeeds during the fresh lookup. The incorrect authority
section again gets cached. Then, the third and fourth lookups fail.

dig +trace always gives a correct answer for all the above lookups.
Clearing the cache gives the correct answer for the first lookup after
that.


Case 2:

Domain: imagesystems.co.in
Real Nameservers: ns1.servershost.net. ns2.servershost.net.
Fake Nameservers: ns1.cyberasiantrade.com. ns2.cyberasiantrade.com.

==============================================================
$ dig +norecurse @ns1.servershost.net. imagesystems.co.in.
;; QUESTION SECTION:
;imagesystems.co.in.	    IN	A

;; ANSWER SECTION:
imagesystems.co.in. 14400   IN	A   205.234.222.71

;; AUTHORITY SECTION:
imagesystems.co.in. 43200   IN	NS  ns1.cyberasiantrade.com.
imagesystems.co.in. 43200   IN	NS  ns2.cyberasiantrade.com.
==============================================================

==============================================================
$ dig +norecurse @ns1.cyberasiantrade.com. imagesystems.co.in.
==============================================================
  (no reply, this is correct)


-- 
Sunil Shetye.

More information about the bind-users mailing list