dubious cache entry

Veaceslav Revutchi slavarevutchi at gmail.com
Sat Jan 11 17:11:06 UTC 2014


A couple of days ago I received complaints from users that they could not
open netaddress.com for their email.

The caching resolver would return SrvFail for the name. After digging
through its cache I discovered the following entries:

------------------------------------------------------------------------
; glue
netaddress.com.         36518   NS      ns1.51dns.com.
                        36518   NS      ns2.51dns.com.

; glue
ns1.51dns.com.          86296   A       117.25.132.130
                        86296   A       117.25.132.162
                        86296   A       121.12.104.18
                        86296   A       121.12.104.19
                        86296   A       121.12.104.20
                        86296   A       121.12.104.21

; authanswer
ns2.51dns.com.          587     A       117.25.132.131
                        587     A       117.25.132.163
                        587     A       121.12.104.22
                        587     A       121.12.104.23
                        587     A       121.12.104.24
                        587     A       121.12.104.25
----------------------------------------------------------------------

Digging for the answer manually from the top produced a different set of NS
records, all under .usa.net which is what I expected.

This looks like a cache poisoning case, but what's strange is that none of
the ns(1|2).51dns.com IPs above are responding to DNS queries. Maybe they
are set up to just record queries.

Any ideas on how these bogus NS records might have ended up being associated
with netaddress.com in my cache?

The version of bind is 9.7.0-P2-RedHat-9.7.0-10.P2.el5_8.3. After purging
the name from cache the server went out and got the correct records and
started answering again.

Thank you,
Slava
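
An added example, not part of the original post: a small triage script that parses a cache dump in the layout quoted above and lists cached NS records falling outside the delegation the operator expects, with the trust label and cached addresses for each. It assumes a one-word comment line (such as "; glue") labels the records that follow, and the expected-suffix table is a hypothetical operator-supplied input based on the post's remark that the real NS names are under usa.net.

```python
import re

# Abridged copy of the cache excerpt quoted in the post above.
DUMP = """\
; glue
netaddress.com.         36518   NS      ns1.51dns.com.
                        36518   NS      ns2.51dns.com.
; glue
ns1.51dns.com.          86296   A       117.25.132.130
                        86296   A       117.25.132.162
; authanswer
ns2.51dns.com.          587     A       117.25.132.131
"""

# Assumption: the operator knows which parent domain the real delegation
# lives under (the post says the expected NS names are under usa.net).
EXPECTED_NS_SUFFIX = {"netaddress.com.": ".usa.net."}

TRUST = re.compile(r"^;\s*([a-z-]+)\s*$")  # one-word comment, e.g. "; glue"
RR = re.compile(r"^(\S+)?\s+(\d+)\s+(?:IN\s+)?([A-Z0-9]+)\s+(\S.*)$")

def parse_dump(text):
    """Return (owner, ttl, rtype, rdata, trust) tuples from a cache dump."""
    records, owner, trust = [], None, None
    for line in text.splitlines():
        m = TRUST.match(line)
        if m:
            trust = m.group(1)  # applies to the records that follow
            continue
        m = RR.match(line)
        if not m:
            continue  # blank lines, separators, other comments
        owner = (m.group(1) or owner or "").lower()  # blank owner = previous
        records.append((owner, int(m.group(2)), m.group(3),
                        m.group(4).strip().lower(), trust))
    return records

def unexpected_delegations(records, expected=EXPECTED_NS_SUFFIX):
    """List cached NS records whose target is outside the expected suffix."""
    addrs = {}
    for owner, _, rtype, rdata, _ in records:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata)
    findings = []
    for owner, ttl, rtype, rdata, trust in records:
        suffix = expected.get(owner)
        if rtype == "NS" and suffix and not rdata.endswith(suffix):
            findings.append({"zone": owner, "ns": rdata, "trust": trust,
                             "ttl": ttl, "cached_addrs": addrs.get(rdata, [])})
    return findings

if __name__ == "__main__":
    for finding in unexpected_delegations(parse_dump(DUMP)):
        print(finding)
```

The trust label and remaining TTL in each finding show how the record entered the cache and how long it would have persisted without a manual purge.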