Another Question about SERVFAIL

Kevin Darcy kcd at chrysler.com
Tue May 25 22:09:42 UTC 2010


Cool, it looks like Cisco's Distributed Directors for ftp.cisco.com are 
misconfigured as open recursors:

% dig www.sun.com @sjce-ddir-ns.cisco.com

; <<>> DiG 9.3.0 <<>> www.sun.com @sjce-ddir-ns.cisco.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1471
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.sun.com.                   IN      A

;; ANSWER SECTION:
www.sun.com.            300     IN      A       137.254.16.57

;; Query time: 98 msec
;; SERVER: 128.107.240.86#53(sjce-ddir-ns.cisco.com)
;; WHEN: Tue May 25 18:03:49 2010
;; MSG SIZE  rcvd: 45

%

Way to go, Cisco...

(Sorry if I sound sarcastic; we've been working with Cisco on some 
deficiencies in the DNS implementation on their GSS products, and I'm 
getting tired of their internal bureaucracy.)

                                                                         
                                     - Kevin


On 5/25/2010 4:24 PM, b19141 at anl.gov wrote:
> One of our networking personnel is trying to access
>
>       ftp.cisco.com
>
> and is unable to do so from Argonne.  He has no problem from home
> (Comcast).  The Comcast DNS servers are
>
>       68.87.72.134
>       68.87.77.134
>
> and report that they are running "Nominum Vantio 4.2.1.0" (about which
> I know very little).
>
> My DNS servers are running BIND 9.7.0-P1.  I did some DNS queries here
> and I have made comments after each DNS query.
>
> Are my comments and suppositions correct?
> ===============================================================
> dnsserver% dig ftp.cisco.com
>
> ;<<>>  DiG 9.7.0-P1<<>>  ftp.cisco.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com.                 IN      A
>
> ;; Query time: 177 msec
> ;; SERVER: 146.139.254.5#53(146.139.254.5)
> ;; WHEN: Tue May 18 11:01:45 2010
> ;; MSG SIZE  rcvd: 31
>
> dnsserver%
>
> Note the SERVFAIL response.  BIND detects that something is wrong.
> ===============================================================
> dnsserver% dig cisco.com ns
>
> ;<<>>  DiG 9.7.0-P1<<>>  cisco.com ns
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;cisco.com.                     IN      NS
>
> ;; ANSWER SECTION:
> cisco.com.              38065   IN      NS      ns1.cisco.com.
> cisco.com.              38065   IN      NS      ns2.cisco.com.
>
> ;; ADDITIONAL SECTION:
> ns1.cisco.com.          2668    IN      A       128.107.241.185
> ns2.cisco.com.          2831    IN      A       64.102.255.44
>
> ;; Query time: 1 msec
> ;; SERVER: 146.139.254.5#53(146.139.254.5)
> ;; WHEN: Tue May 18 14:08:01 2010
> ;; MSG SIZE  rcvd: 95
>
> dnsserver%
>
> There are two authoritative name servers for cisco.com.
> ===============================================================
> dnsserver% dig ftp.cisco.com @ns1.cisco.com.
>
> ;<<>>  DiG 9.7.0-P1<<>>  ftp.cisco.com @ns1.cisco.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com.                 IN      A
>
> ;; ANSWER SECTION:
> ftp.cisco.com.          60      IN      A       198.133.219.241
>
> ;; AUTHORITY SECTION:
> ftp.cisco.com.          86400   IN      NS      rtp5-ddir-ns.cisco.com.
> ftp.cisco.com.          86400   IN      NS      sjce-ddir-ns.cisco.com.
>
> ;; ADDITIONAL SECTION:
> rtp5-ddir-ns.cisco.com. 86400   IN      A       64.102.255.39
> sjce-ddir-ns.cisco.com. 86400   IN      A       128.107.240.86
>
> ;; Query time: 60 msec
> ;; SERVER: 128.107.241.185#53(128.107.241.185)
> ;; WHEN: Tue May 18 14:08:21 2010
> ;; MSG SIZE  rcvd: 133
>
> dnsserver%
>
> This response (from one of the two name servers) has problems.
>
> 1) There is an answer, but without the "aa" (authoritative answer)
>     flag, the response appears to be coming from the cache.
>
> 2) The authority section lists the two nameservers that are
>     authoritative for the zone ftp.cisco.com.
>
> 3) I am not a DNS expert, but with "ra" (recursion available) and
>     "rd" (recursion desired) both set, I would expect my query to
>     recurse to a name server that will return an authoritative answer.
>     Or, since I sent the request to a specific name server, that
>     server would return no answers but a referral to the authoritative
>     name servers.
> ===============================================================
> dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.
>
> ;<<>>  DiG 9.7.0-P1<<>>  ftp.cisco.com @rtp5-ddir-ns.cisco.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com.                 IN      A
>
> ;; ANSWER SECTION:
> ftp.cisco.com.          60      IN      A       198.133.219.241
>
> ;; Query time: 288 msec
> ;; SERVER: 64.102.255.39#53(64.102.255.39)
> ;; WHEN: Tue May 18 14:08:46 2010
> ;; MSG SIZE  rcvd: 47
>
> dnsserver%
> dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.
>
> ;<<>>  DiG 9.7.0-P1<<>>  ftp.cisco.com @sjce-ddir-ns.cisco.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com.                 IN      A
>
> ;; ANSWER SECTION:
> ftp.cisco.com.          60      IN      A       198.133.219.241
>
> ;; Query time: 219 msec
> ;; SERVER: 128.107.240.86#53(128.107.240.86)
> ;; WHEN: Tue May 18 14:09:12 2010
> ;; MSG SIZE  rcvd: 47
>
> dnsserver%
>
> Here I queried both supposedly authoritative name servers, and
> from each I get a non-authoritative answer.  When I did the same
> query yesterday afternoon, neither of these two name servers was
> accessible.
>
> I assume that with BIND 9.7.0-P1, if the response is not
> authoritative, then BIND will not trust the answer.
> ===============================================================
>
> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 240, Room 5.B.8             Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
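As an added diagnostic (not from this thread or from either poster), the Python below parses the header of a dig transcript and flags the three conditions discussed above: a SERVFAIL from the local resolver, an answer for the delegated zone without the "aa" bit, and an answer for a name outside the delegated zone (the open-recursor behaviour). The sample transcripts are constructed from the outputs quoted in the thread, trimmed to the lines the checks need.

```python
import re

# Constructed dig transcripts (header + question only), mirroring the thread.
LOCAL_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A
"""
DDIR_FTP = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A
"""
DDIR_SUN = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1471
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.sun.com.                   IN      A
"""

def parse_dig(text):
    """Pull rcode, header flags, queried name and answer count out of dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([a-z ]*);", text).group(1).split())
    qname = re.search(r"^;([^;\s]+?)\.?\s+IN\s+", text, re.M).group(1).lower()
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    return status, flags, qname, answers

def in_zone(name, zone):
    """True when name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)

def assess(text, served_zone=None):
    """Return problem codes for one dig transcript. served_zone is the zone the
    queried server is delegated for; None means a recursive resolver was asked."""
    status, flags, qname, answers = parse_dig(text)
    problems = []
    if status == "SERVFAIL":
        problems.append("servfail")        # resolver gave up; look upstream
    if served_zone is None:
        return problems
    if "ra" in flags:
        problems.append("ra-on-auth")      # delegated server advertises recursion
    if in_zone(qname, served_zone):
        if answers and "aa" not in flags:
            problems.append("no-aa")       # answer for own zone not marked authoritative
    elif answers:
        problems.append("open-recursor")   # answered a name it is not delegated for
    return problems
```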