Another Question about SERVFAIL
Kevin Darcy
kcd at chrysler.com
Tue May 25 22:09:42 UTC 2010
Cool, it looks like Cisco's Distributed Directors for ftp.cisco.com are
misconfigured as open recursors:
% dig www.sun.com @sjce-ddir-ns.cisco.com
; <<>> DiG 9.3.0 <<>> www.sun.com @sjce-ddir-ns.cisco.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1471
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.sun.com. IN A
;; ANSWER SECTION:
www.sun.com. 300 IN A 137.254.16.57
;; Query time: 98 msec
;; SERVER: 128.107.240.86#53(sjce-ddir-ns.cisco.com)
;; WHEN: Tue May 25 18:03:49 2010
;; MSG SIZE rcvd: 45
%
Way to go, Cisco...
(Sorry if I sound sarcastic; we've been working with Cisco on some
deficiencies in the DNS implementation on their GSS products, and I'm
getting tired of their internal bureaucracy.)
- Kevin
On 5/25/2010 4:24 PM, b19141 at anl.gov wrote:
> One of our networking personnel is trying to access
>
> ftp.cisco.com
>
> and is unable to do so from Argonne. He has no problem from home,
> (Comcast). The Comcast DNS servers are
>
> 68.87.72.134
> 68.87.77.134
>
> and report that they are running "Nominum Vantio 4.2.1.0" (about which
> I know very little).
>
> My DNS servers are running BIND 9.7.0-P1. I did some DNS queries here
> and I have made comments after each DNS query.
>
> Are my comments and suppositions correct?
> ===============================================================
> dnsserver% dig ftp.cisco.com
>
> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com. IN A
>
> ;; Query time: 177 msec
> ;; SERVER: 146.139.254.5#53(146.139.254.5)
> ;; WHEN: Tue May 18 11:01:45 2010
> ;; MSG SIZE rcvd: 31
>
> dnsserver%
>
> Note the SERVFAIL response. BIND detects that something is wrong.
> ===============================================================
> dnsserver% dig cisco.com ns
>
> ; <<>> DiG 9.7.0-P1 <<>> cisco.com ns
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;cisco.com. IN NS
>
> ;; ANSWER SECTION:
> cisco.com. 38065 IN NS ns1.cisco.com.
> cisco.com. 38065 IN NS ns2.cisco.com.
>
> ;; ADDITIONAL SECTION:
> ns1.cisco.com. 2668 IN A 128.107.241.185
> ns2.cisco.com. 2831 IN A 64.102.255.44
>
> ;; Query time: 1 msec
> ;; SERVER: 146.139.254.5#53(146.139.254.5)
> ;; WHEN: Tue May 18 14:08:01 2010
> ;; MSG SIZE rcvd: 95
>
> dnsserver%
>
> There are two authoritative name servers for cisco.com .
> ===============================================================
> dnsserver% dig ftp.cisco.com @ns1.cisco.com.
>
> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @ns1.cisco.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com. IN A
>
> ;; ANSWER SECTION:
> ftp.cisco.com. 60 IN A 198.133.219.241
>
> ;; AUTHORITY SECTION:
> ftp.cisco.com. 86400 IN NS rtp5-ddir-ns.cisco.com.
> ftp.cisco.com. 86400 IN NS sjce-ddir-ns.cisco.com.
>
> ;; ADDITIONAL SECTION:
> rtp5-ddir-ns.cisco.com. 86400 IN A 64.102.255.39
> sjce-ddir-ns.cisco.com. 86400 IN A 128.107.240.86
>
> ;; Query time: 60 msec
> ;; SERVER: 128.107.241.185#53(128.107.241.185)
> ;; WHEN: Tue May 18 14:08:21 2010
> ;; MSG SIZE rcvd: 133
>
> dnsserver%
>
> This response (from one of the two name servers) has problems.
>
> 1) There is an answer, but without the "aa" (authoritative answer)
> flag, the response appears to be coming from the cache.
>
> 2) The authority section lists the two nameservers that are
> authoritative for the zone ftp.cisco.com.
>
> 3) I am not a DNS expert, but with "ra" (recursion available) and
> "rd" (recursion desired) both set, I would expect my query to
> recurse to a name server that will return an authoritative answer.
> Or, since I sent the request to a specific name server, that
> server would return no answers but a referral to the authoritative
> name servers.
> ===============================================================
> dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.
>
> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @rtp5-ddir-ns.cisco.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com. IN A
>
> ;; ANSWER SECTION:
> ftp.cisco.com. 60 IN A 198.133.219.241
>
> ;; Query time: 288 msec
> ;; SERVER: 64.102.255.39#53(64.102.255.39)
> ;; WHEN: Tue May 18 14:08:46 2010
> ;; MSG SIZE rcvd: 47
>
> dnsserver%
> dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.
>
> ; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ftp.cisco.com. IN A
>
> ;; ANSWER SECTION:
> ftp.cisco.com. 60 IN A 198.133.219.241
>
> ;; Query time: 219 msec
> ;; SERVER: 128.107.240.86#53(128.107.240.86)
> ;; WHEN: Tue May 18 14:09:12 2010
> ;; MSG SIZE rcvd: 47
>
> dnsserver%
>
> Here I queried both supposedly authoritative name servers, and
> from each I get a non-authoritative answer. When I did the same
> query yesterday afternoon, neither of these two name servers was
> accessible.
>
> I assume that with BIND 9.7.0-P1, if the response is not
> authoritative, then BIND will not trust the answer.
> ===============================================================
>
> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory
> 9700 South Cass Avenue
> Building 240, Room 5.B.8
> Argonne, IL 60439-4828
> Phone: +1 (630) 252-7277
> Facsimile: +1 (630) 252-4601
> Internet: BSFinkel at anl.gov
> IBMMAIL: I1004994
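The whole thread turns on three header bits that dig prints in its "flags:" line (aa, rd, ra) and on the rcode. The following is an added example, not code from either poster: it builds constructed DNS responses shaped like the ones quoted above (no aa flag, ra set, a cached-looking A record; and a SERVFAIL) with the standard library only, parses the 12-byte header, and classifies what a server that is listed as authoritative for the name actually returned. The helper names (build_response, parse_header, assess) are this example's own.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(msg_id, qname, *, aa, rd=True, ra=True, rcode=0, answer=None):
    """Constructed sample: header + one question (+ one A RR). Not captured traffic."""
    flags = (1 << 15) | (int(aa) << 10) | (int(rd) << 8) | (int(ra) << 7) | rcode
    ancount = 1 if answer else 0
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if answer:
        # 0xC00C is a compression pointer to the question name at offset 12;
        # TYPE A, CLASS IN, TTL 60, RDLENGTH 4, then the four address octets.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(o) for o in answer.split("."))
    return msg

def parse_header(msg):
    """Decode the RFC 1035 header: id, flag bits, rcode and section counts."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ancount": an, "nscount": ns}

def assess(msg):
    """Classify a reply from a server that the parent zone lists as authoritative."""
    h = parse_header(msg)
    if h["rcode"] != "NOERROR":
        return "rcode " + h["rcode"]
    if h["aa"]:
        return "authoritative answer"
    if h["ancount"] > 0:
        hint = " (also advertises recursion)" if h["ra"] else ""
        return "non-authoritative answer: lame or cached" + hint
    if h["nscount"] > 0:
        return "referral"
    return "empty non-authoritative response"

if __name__ == "__main__":
    sample = build_response(3781, "ftp.cisco.com", aa=False, answer="198.133.219.241")
    print(parse_header(sample), assess(sample))
```

A resolver that validates referral chains treats the "non-authoritative answer" case as a lame server, which is why the recursive query at the top of the thread ends in SERVFAIL while dig against the listed servers still shows an A record.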