dns blacklist?
Sten Carlsen
stenc at s-carlsen.dk
Thu Jul 26 09:53:54 UTC 2012
Hello
How will this work if you use e.g. -t a?
dig -t any will show the content of the local cache, so this just means
your cache is empty.
On 26/07/12 11:28, Pavel Urban wrote:
> Hello,
>
> one of our customers asked us to take a look at strange problem. One
> address seems to 'work' in Germany, but not here. So I've tried it and
> found this:
>
> [pupu at aphrael ~]$ dig www.thomascook.de -t any
>
> ; <<>> DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 <<>> www.thomascook.de -t any
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23750
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1280
> ;; QUESTION SECTION:
> ;www.thomascook.de. IN ANY
>
> ;; ANSWER SECTION:
> www.thomascook.de. 600 IN CNAME www.thomascook.de.nsatc.net.
>
> ;; ADDITIONAL SECTION:
> www.thomascook.de.nsatc.net. 300 IN A 127.0.0.2
>
> ;; Query time: 75 msec
> ;; SERVER: 192.168.96.11#53(192.168.96.11)
> ;; WHEN: Thu Jul 26 11:10:41 2012
> ;; MSG SIZE rcvd: 103
>
> Well, that probably 'doesn't work', but it shouldn't work worldwide.
> The strange thing appears when I try to ask differently. First, I
> check authorities for this address.
>
> [root at hactar ~]# dig www.thomascook.de -t any +trace
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> www.thomascook.de -t any +trace
> ;; global options: +cmd
> . 449874 IN NS j.root-servers.net.
> . 449874 IN NS k.root-servers.net.
> . 449874 IN NS l.root-servers.net.
> . 449874 IN NS m.root-servers.net.
> . 449874 IN NS a.root-servers.net.
> . 449874 IN NS b.root-servers.net.
> . 449874 IN NS c.root-servers.net.
> . 449874 IN NS d.root-servers.net.
> . 449874 IN NS e.root-servers.net.
> . 449874 IN NS f.root-servers.net.
> . 449874 IN NS g.root-servers.net.
> . 449874 IN NS h.root-servers.net.
> . 449874 IN NS i.root-servers.net.
> ;; Received 512 bytes from 212.24.128.8#53(212.24.128.8) in 2882 ms
>
> de. 172800 IN NS a.nic.de.
> de. 172800 IN NS f.nic.de.
> de. 172800 IN NS l.de.net.
> de. 172800 IN NS n.de.net.
> de. 172800 IN NS s.de.net.
> de. 172800 IN NS z.nic.de.
> ;; Received 349 bytes from 198.41.0.4#53(198.41.0.4) in 1294 ms
>
> thomascook.de. 86400 IN NS koeln.nic.xlink.net.
> thomascook.de. 86400 IN NS frankfurt.nic.xlink.net.
> ;; Received 105 bytes from 2001:678:2::53#53(2001:678:2::53) in 515 ms
>
> www.thomascook.de. 600 IN CNAME www.thomascook.de.nsatc.net.
> thomascook.de. 1800 IN NS frankfurt.nic.xlink.net.
> thomascook.de. 1800 IN NS koeln.nic.xlink.net.
> ;; Received 162 bytes from 193.141.43.129#53(193.141.43.129) in 37 ms
>
> ...and then I try to ask them.
>
> [root at hactar ~]# dig @koeln.nic.xlink.net www.thomascook.de.nsatc.net -t any
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @koeln.nic.xlink.net www.thomascook.de.nsatc.net -t any
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28421
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
>
> ;; QUESTION SECTION:
> ;www.thomascook.de.nsatc.net. IN ANY
>
> ;; ANSWER SECTION:
> www.thomascook.de.nsatc.net. 300 IN A 87.124.38.165
>
> ;; AUTHORITY SECTION:
> nsatc.net. 172800 IN NS uk-2.ns.nsatc.net.
> nsatc.net. 172800 IN NS de-6.ns.nsatc.net.
> nsatc.net. 172800 IN NS b.ns.nsatc.net.
> nsatc.net. 172800 IN NS it-1.ns.nsatc.net.
> nsatc.net. 172800 IN NS e.ns.nsatc.net.
>
> ;; ADDITIONAL SECTION:
> uk-2.ns.nsatc.net. 172800 IN A 8.12.199.51
> de-6.ns.nsatc.net. 172800 IN A 213.200.97.117
> b.ns.nsatc.net. 172800 IN A 207.123.33.51
> it-1.ns.nsatc.net. 172800 IN A 8.12.209.47
> e.ns.nsatc.net. 172800 IN A 212.187.162.134
>
> ;; Query time: 36 msec
> ;; SERVER: 194.120.12.245#53(194.120.12.245)
> ;; WHEN: Thu Jul 26 11:19:36 2012
> ;; MSG SIZE rcvd: 233
>
> My guess is that ISP for thomascook.de tried to fool...err, fix the
> problem for his customer by adding some extra zones to his resolvers.
> My questions are - 'how is this supposed to work?' and 'is this kind
> of dns blacklisting common?'
>
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"