Help with unresolvable domain (subdomain, actually)
Mike Bernhardt
bernhardt at bart.gov
Tue Mar 1 20:39:45 UTC 2011
For some reason, we can no longer resolve tools.cisco.com. there are several
clues to the problem but I can't put them together. Here is some dig output.
I know that the time stamps don't all match up below, but the results are
typical:
[root at ns1 ~]# dig +trace -b 148.165.3.10 tools.cisco.com
; <<>> DiG 9.4.3-P3 <<>> +trace -b 148.165.3.10 tools.cisco.com
;; global options: printcmd
. 90550 IN NS i.root-servers.net.
. 90550 IN NS h.root-servers.net.
. 90550 IN NS e.root-servers.net.
. 90550 IN NS d.root-servers.net.
. 90550 IN NS j.root-servers.net.
. 90550 IN NS k.root-servers.net.
. 90550 IN NS l.root-servers.net.
. 90550 IN NS g.root-servers.net.
. 90550 IN NS f.root-servers.net.
. 90550 IN NS a.root-servers.net.
. 90550 IN NS m.root-servers.net.
. 90550 IN NS c.root-servers.net.
. 90550 IN NS b.root-servers.net.
;; Received 512 bytes from 148.165.3.10#53(148.165.3.10) in 0 ms
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
;; Received 505 bytes from 198.41.0.4#53(a.root-servers.net) in 13 ms
cisco.com. 172800 IN NS ns1.cisco.com.
cisco.com. 172800 IN NS ns2.cisco.com.
;; Received 101 bytes from 192.54.112.30#53(h.gtld-servers.net) in 154 ms
tools.cisco.com. 86400 IN NS
rcdn9-14p-dcz05n-gss1.cisco.com.
tools.cisco.com. 86400 IN NS rtp5-dmz-gss1.cisco.com.
tools.cisco.com. 86400 IN NS sjck-dmz-gss1.cisco.com.
tools.cisco.com. 86400 IN NS
cax01-bb14-dcz01n-gss1.cisco.com.
;; Received 226 bytes from 64.102.255.44#53(ns2.cisco.com) in 75 ms
;; Received 33 bytes from 72.163.4.28#53(rcdn9-14p-dcz05n-gss1.cisco.com) in
47 ms
Now, focusing in on rtp5-dmz-gss1.cisco.com for further analysis (just
picked it out of the group):
[root at ns1 ~]# dig -b 148.165.3.10 @rtp5-dmz-gss1.cisco.com tools.cisco.com
; <<>> DiG 9.4.3-P3 <<>> -b 148.165.3.10 @rtp5-dmz-gss1.cisco.com
tools.cisco.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5165
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;tools.cisco.com. IN A
;; Query time: 75 msec
;; SERVER: 64.102.246.5#53(64.102.246.5)
;; WHEN: Tue Mar 1 12:22:57 2011
;; MSG SIZE rcvd: 33
Here is the output of tcpdump on my server, querying the same server via
nslookup elsewhere:
[root at ns1 ~]# tcpdump host -i bond0 64.102.246.5 -n -p -vvv
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 96
bytes
12:14:53.373614 IP (tos 0x0, ttl 64, id 45237, offset 0, flags [none],
proto: UDP (17), length: 61) 148.165.3.10.18673 > 64.102.246.5.domain: [bad
udp cksum a78b!] 26095 A? tools.cisco.com. (33)
12:14:53.455684 IP (tos 0x0, ttl 54, id 7623, offset 0, flags [DF], proto:
UDP (17), length: 61) 64.102.246.5.domain > 148.165.3.10.18673: [udp sum ok]
26095 ServFail- q: A? tools.cisco.com. 0/0/0 (33)
Lastly, I see on our firewall log that we have a Checkpoint Smart Defense
log entry due to it's belief that Cisco is sending us a malformed query
packet, and it's being dropped. I don't know why they're sending the query
in the first place.
Number: 2595791
Date: 1Mar2011
Time: 12:22:53
Type: Log
Action: Drop
Service: domain-udp (53)
Source Port: domain-udp
Source: rtp5-dmz-gss1.cisco.com
Destination: ns
Protocol: udp
Information: Packet info: Packet data size: 28
Attack: Malformed Packet
Attack Information: UDP length error
Any ideas as to where the problem lies so I can pursue it further?
More information about the bind-users
mailing list