No subject


Tue Apr 2 00:56:56 UTC 2013


of it that blocks all query packets with the RD (Recursion Desired) bit
set. Non-recursive queries seem to work fine, but recursive queries are
getting dropped.

A version query shows 9.4.2 (unpatched), so maybe this is an awkward
attempt to protect themselves against the Kaminsky attack.

If the firewall is doing this to your customer as well, and he/she is
trying to use 211.148.192.137 as a recursive resolver, that's going to
be a problem...

- Kevin

Ken Lai wrote:
> Hi,
> Yesterday one of our customers complained that he cannot resolve
> www.zaobao.com; the DNS server he used is 211.148.192.137. So I traced
> it and got:
> ken@ken-laptop ~ $ dig @211.148.192.137 www.zaobao.com +trace
>
> ; <<>> DiG 9.4.2-P1 <<>> @211.148.192.137 www.zaobao.com +trace
> ; (1 server found)
> ;; global options: printcmd
> . 481468 IN NS C.ROOT-SERVERS.NET.
> . 481468 IN NS A.ROOT-SERVERS.NET.
> . 481468 IN NS J.ROOT-SERVERS.NET.
> . 481468 IN NS B.ROOT-SERVERS.NET.
> . 481468 IN NS G.ROOT-SERVERS.NET.
> . 481468 IN NS L.ROOT-SERVERS.NET.
> . 481468 IN NS E.ROOT-SERVERS.NET.
> . 481468 IN NS M.ROOT-SERVERS.NET.
> . 481468 IN NS H.ROOT-SERVERS.NET.
> . 481468 IN NS I.ROOT-SERVERS.NET.
> . 481468 IN NS D.ROOT-SERVERS.NET.
> . 481468 IN NS K.ROOT-SERVERS.NET.
> . 481468 IN NS F.ROOT-SERVERS.NET.
> ;; Received 500 bytes from 211.148.192.137#53(211.148.192.137) in 11 ms
>
> com. 172800 IN NS B.GTLD-SERVERS.NET.
> com. 172800 IN NS C.GTLD-SERVERS.NET.
> com. 172800 IN NS D.GTLD-SERVERS.NET.
> com. 172800 IN NS E.GTLD-SERVERS.NET.
> com. 172800 IN NS F.GTLD-SERVERS.NET.
> com. 172800 IN NS G.GTLD-SERVERS.NET.
> com. 172800 IN NS H.GTLD-SERVERS.NET.
> com. 172800 IN NS I.GTLD-SERVERS.NET.
> com. 172800 IN NS J.GTLD-SERVERS.NET.
> com. 172800 IN NS K.GTLD-SERVERS.NET.
> com. 172800 IN NS L.GTLD-SERVERS.NET.
> com. 172800 IN NS M.GTLD-SERVERS.NET.
> com. 172800 IN NS A.GTLD-SERVERS.NET.
> ;; Received 504 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 278 ms
>
> zaobao.com. 172800 IN NS ns1.asia1.com.sg.
> zaobao.com. 172800 IN NS ns2.asia1.com.sg.
> ;; Received 80 bytes from 192.52.178.30#53(K.GTLD-SERVERS.NET) in 346 ms
>
> www.zaobao.com. 360 IN CNAME zaobao.com.edgesuite.net.
> zaobao.com.edgesuite.net. 9033 IN CNAME a1868.g.akamai.net.
> g.akamai.net. 289 IN NS n4g.akamai.net.
> g.akamai.net. 289 IN NS n6g.akamai.net.
> g.akamai.net. 289 IN NS n2g.akamai.net.
> g.akamai.net. 289 IN NS n8g.akamai.net.
> g.akamai.net. 289 IN NS n3g.akamai.net.
> g.akamai.net. 289 IN NS n5g.akamai.net.
> g.akamai.net. 289 IN NS n0g.akamai.net.
> g.akamai.net. 289 IN NS n1g.akamai.net.
> g.akamai.net. 289 IN NS n7g.akamai.net.
> ;; Received 405 bytes from 202.27.17.253#53(ns1.asia1.com.sg) in 96 ms
>
> But I get this also:
>
> ken@ken-laptop ~ $ dig @211.148.192.137 www.zaobao.com
>
> ; <<>> DiG 9.4.2-P1 <<>> @211.148.192.137 www.zaobao.com
> ; (1 server found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
>
> Could anyone guide me? Thanks.
>
>
>
>   
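The diagnosis in the reply above can be checked at the wire level: send the same question twice, once with the RD bit set and once with it cleared, and compare which one gets a reply. The following is an added example, not part of the original thread; the function names, the injectable `send` callback and the `rd_dropping_filter` stand-in are assumptions made for illustration. (`dig +trace` sends its queries with RD cleared, which fits the first session above getting answers while the plain `dig` timed out.)

```python
import socket
import struct

RD_BIT = 0x0100  # Recursion Desired: bit 8 of the 16-bit header flags word (RFC 1035)

def build_query(name, rd, qid=0x1234, qtype=1):
    """Build a wire-format DNS query (QTYPE A, QCLASS IN by default)."""
    flags = RD_BIT if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # one question, no RRs
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def has_rd(packet):
    """True if the RD bit is set in a DNS message header."""
    return bool(struct.unpack("!H", packet[2:4])[0] & RD_BIT)

def probe(send, name):
    """send(packet) returns reply bytes, or None on timeout. Classify the path."""
    answered = {rd: send(build_query(name, rd)) is not None for rd in (True, False)}
    if answered[True] and answered[False]:
        return "both answered"
    if answered[False]:
        return "RD queries dropped"   # the behaviour described in the reply
    if answered[True]:
        return "only RD queries answered"
    return "unreachable"

def udp_sender(server, timeout=3.0):
    """Real transport: one UDP query to server:53, None if nothing comes back."""
    def send(packet):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (server, 53))
            try:
                return s.recvfrom(4096)[0]
            except socket.timeout:
                return None
    return send

def rd_dropping_filter(packet):
    """Constructed stand-in for the filtering path: drops RD=1, echoes RD=0 with QR set."""
    return None if has_rd(packet) else packet[:2] + b"\x80\x00" + packet[4:]

if __name__ == "__main__":
    print(probe(rd_dropping_filter, "www.zaobao.com"))  # offline demonstration
```

Against a live server, pass `udp_sender("<server address>")` as `send`; a single timeout can also be ordinary packet loss, so repeat the probe before concluding that RD queries are being filtered.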



More information about the bind-users mailing list