different behavior: A Records in DNS answer, when query of type"any" (existing CNAME)

Taylor, Gord gord.taylor at rbc.com
Mon Mar 7 15:33:51 UTC 2011


AFAIK, there is no way to make BIND do that... Your example of google is
sort of unique though. Google writes their own DNS (see their FAQ
http://code.google.com/speed/public-dns/faq.html ), so they are a
niche product.
 
I've seen instances where any DNS server type I query (BIND, DJB,
Microsoft, etc) all return a SERVFAIL, but google returns a response.
They have a very interesting DNS server which seems much more
"forgiving" than other DNS servers. This may have other (security)
implications which have yet to be seen - on the other hand,
they may have simply written a great product.
 
________________________________

From: bind-users-bounces+gord.taylor=rbc.com at lists.isc.org
[mailto:bind-users-bounces+gord.taylor=rbc.com at lists.isc.org] On Behalf
Of Diezig Adrian
Sent: 2011, March, 07 6:36 AM
To: bind-users at lists.isc.org
Subject: different behavior: A Records in DNS answer, when query of
type"any" (existing CNAME)



Hi,

 

I have a question concerning answers from DNS servers, when I query a
name with type "any" and the name is a CNAME.

I have the following example (works also in Internet) with an ISC BIND
server (BIND 9.7.0-P1):

 

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @newton.genesiscom.ch dns.ipam.ch
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25078
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dns.ipam.ch.                   IN      A

;; ANSWER SECTION:
dns.ipam.ch.            600     IN      CNAME   www.ipam.ch.
www.ipam.ch.            600     IN      A       81.18.25.238

;; Query time: 1 msec
;; SERVER: 10.10.3.13#53(10.10.3.13)
;; WHEN: Mon Mar  7 11:52:38 2011
;; MSG SIZE  rcvd: 63

 

 

As you can see, we have a CNAME dns.ipam.ch that points to www.ipam.ch.

www.ipam.ch is an A-Record to 81.18.25.238.

 

 

When I do the following query (type=any to dns.ipam.ch), only the CNAME
itself will be in the answer section (not the A record):

 

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @newton.genesiscom.ch dns.ipam.ch any
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46532
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dns.ipam.ch.                   IN      ANY

;; ANSWER SECTION:
dns.ipam.ch.            600     IN      CNAME   www.ipam.ch.

;; Query time: 1 msec
;; SERVER: 10.10.3.13#53(10.10.3.13)
;; WHEN: Mon Mar  7 11:53:21 2011
;; MSG SIZE  rcvd: 47

 

 

 

 

When I do a comparable query (also with type=any) to another DNS Server
(eg. google.com)....

 

; <<>> DiG 9.3.2 <<>> @ns1.google.com. www.google.com. any
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1636
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      ANY

;; ANSWER SECTION:
www.google.com.         604800  IN      CNAME   www.l.google.com.
www.l.google.com.       300     IN      A       74.125.232.114
www.l.google.com.       300     IN      A       74.125.232.115
www.l.google.com.       300     IN      A       74.125.232.116
www.l.google.com.       300     IN      A       74.125.232.113
www.l.google.com.       300     IN      A       74.125.232.112

;; Query time: 46 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Mon Mar 07 09:44:32 2011
;; MSG SIZE  rcvd: 132

 

 

... I will also get the associated A records.

Does anybody have an idea, why the behavior is different? Can I
configure this on my DNS Server (ISC BIND)?

 

FYI:

dig @ns1.hp.com. www.hp.com. any

and

dig @ns1.yahoo.com. www.yahoo.com any

 

will also answer without any A-Records (like me).

 

I have the following questions:

- which one is correct (RFC)?
- is it configurable in ISC BIND?
- does the behavior depend on different BIND versions?

 

I know that it is not very common to do queries with type any. The
problem we have is the following:

A device/application in our network is always doing queries of type
"any".

From our side it's not possible to change the type, because it's
hard-coded in the software.

 

Kind regards

 

Adrian
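
Added example (not part of the original thread, and not code from BIND or any other server): a toy authoritative lookup following RFC 1034 section 4.3.2, step 3a, where a CNAME is chased only if QTYPE does not match CNAME, and ANY matches every type. The zone data is copied from the dig output above; the function names and the chase_on_any switch are illustrative assumptions that only model the two answer shapes shown in the thread.

```python
# Added example: toy lookup per RFC 1034 section 4.3.2, step 3a.
# Zone data is taken from the dig output in the thread; names are illustrative.

ZONE = {
    "dns.ipam.ch.": [("CNAME", 600, "www.ipam.ch.")],
    "www.ipam.ch.": [("A", 600, "81.18.25.238")],
}

MAX_CHAIN = 8  # upper bound on CNAME chain length for bad zone data


def qtype_matches(qtype, rrtype):
    """QTYPE ANY ('*' in RFC 1035) matches every RR type, CNAME included."""
    return qtype == "ANY" or qtype == rrtype


def answer(zone, qname, qtype, chase_on_any=False):
    """Return the answer section as (owner, ttl, type, rdata) tuples.

    chase_on_any=False: step 3a as written in RFC 1034.
    chase_on_any=True: models the second answer shape shown in the thread
    (CNAME plus target records for ANY). This is an assumption about the
    output only, not about how any real server is implemented.
    """
    section = []
    seen = set()
    for _ in range(MAX_CHAIN):
        if qname in seen:  # CNAME loop: stop instead of spinning
            break
        seen.add(qname)
        rrset = zone.get(qname, [])
        cnames = [rr for rr in rrset if rr[0] == "CNAME"]
        if cnames:
            rrtype, ttl, target = cnames[0]
            section.append((qname, ttl, rrtype, target))
            # Step 3a: restart at the target only when QTYPE does NOT match CNAME.
            if qtype_matches(qtype, "CNAME") and not (chase_on_any and qtype == "ANY"):
                break
            qname = target
            continue
        section.extend((qname, ttl, t, d) for t, ttl, d in rrset if qtype_matches(qtype, t))
        break
    return section
```

With the default setting, answer(ZONE, "dns.ipam.ch.", "A") returns the CNAME and the A record, while the same name queried with "ANY" returns the CNAME alone, matching the ANSWER counts of 2 and 1 in the two BIND outputs above.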

 

 

 

 
