DNS - also off topic?? :)

Jeff LaCoursiere jeff at jeff.net
Mon Sep 9 15:32:45 BST 2002


Fair enough - I don't actually see any reason for hiding them, so:

An A record exists: desc.prod.t-motion.co.uk

t-motion.co.uk is served by Nextra in Manchester, and I have some
authority over it.  The root servers have the correct name servers listed
for t-motion.co.uk:

> server NS1.NIC.uk
Default Server:  NS1.NIC.uk
Address:  195.66.240.130

> t-motion.co.uk.
Server:  NS1.NIC.uk
Address:  195.66.240.130

Name:    t-motion.co.uk
Served by:
- ns0.xtml.co.uk
          195.226.32.20
          t-motion.co.uk
- gold.compulink.co.uk
          194.153.1.10
          t-motion.co.uk

The SOA for the zone in those servers:

> set type=soa
> server ns0.xtml.co.uk   
Default Server:  ns0.xtml.co.uk
Address:  195.226.32.20

> t-motion.co.uk.
Server:  ns0.xtml.co.uk
Address:  195.226.32.20

t-motion.co.uk
        origin = ns0.xtml.co.uk
        mail addr = dns.xtml.net
        serial = 2002090901
        refresh = 1800 (30M)
        retry   = 3600 (1H)
        expire  = 604800 (1W)
        minimum ttl = 1800 (30M)
ns0.xtml.co.uk  internet address = 195.226.32.20

and...

> server gold.compulink.co.uk
Default Server:  gold.compulink.co.uk
Address:  194.153.1.10

> set type=soa
> t-motion.co.uk.
Server:  gold.compulink.co.uk
Address:  194.153.1.10

t-motion.co.uk
        origin = ns0.xtml.co.uk
        mail addr = dns.xtml.net
        serial = 2002090901
        refresh = 1800 (30M)
        retry   = 3600 (1H)
        expire  = 604800 (1W)
        minimum ttl = 1800 (30M)
t-motion.co.uk  nameserver = ns0.xtml.co.uk
t-motion.co.uk  nameserver = gold.compulink.co.uk
t-motion.co.uk  nameserver = nettest.jeff.net
ns0.xtml.co.uk  internet address = 195.226.32.20
gold.compulink.co.uk    internet address = 194.153.1.10
> 

Looks fine.  Finally, the lookup:

> set type=a
> desc.prod.t-motion.co.uk.
Server:  gold.compulink.co.uk
Address:  194.153.1.10

Name:    desc.prod.t-motion.co.uk
Address:  62.159.102.105


As this is the secondary and they both show the same serial in the SOA, I
will assume that the master has the same A record.  This all looks fine.

Now there exists also a CNAME www.online.t-mobile.de which points to
desc.prod.t-motion.co.uk.  This is on a server NOT under my control:

> server DNS.DENIC.de
Default Server:  DNS.DENIC.de
Address:  194.246.96.79

> t-mobile.de.
Server:  DNS.DENIC.de
Address:  194.246.96.79

Name:    t-mobile.de
Served by:
- support.mesch.dtag.de

          t-mobile.de
- pns.dtag.de
          194.25.0.125
          t-mobile.de
- techfac.techfak.uni-bielefeld.de

          t-mobile.de

The first strange thing is the support.mesch.dtag.de is not reachable from
the Internet.  I have asked them to either 1) make it accessible or
2) remove it from the NIC.  But this doesn't matter for the current
problem :)

If I ask pns.dtag.de to resolve the CNAME I get:

> server pns.dtag.de
Default Server:  pns.dtag.de
Address:  194.25.0.125

> www.online.t-mobile.de.
Server:  pns.dtag.de
Address:  194.25.0.125

*** pns.dtag.de can't find www.online.t-mobile.de.: Non-existent
host/domain

> set type=cname
> www.online.t-mobile.de
Server:  pns.dtag.de
Address:  194.25.0.125

www.online.t-mobile.de  canonical name = desc.prod.t-motion.co.uk
t-mobile.de     nameserver = pns.dtag.de
t-mobile.de     nameserver = support.mesch.dtag.de
t-mobile.de     nameserver = techfac.TechFak.Uni-Bielefeld.de
pns.dtag.de     internet address = 194.25.0.125
support.mesch.dtag.de   internet address = 193.158.123.70
techfac.TechFak.Uni-Bielefeld.de        internet address = 129.70.132.100


And if I try the t-motion address:

> set type=a
> desc.prod.t-motion.co.uk.
Server:  pns.dtag.de
Address:  194.25.0.125

*** pns.dtag.de can't find desc.prod.t-motion.co.uk.: Non-existent
host/domain

And for grins, I try for an SOA:

> set type=soa
> t-motion.co.uk.
Server:  pns.dtag.de
Address:  194.25.0.125

t-motion.co.uk
        origin = support.mesch.dtag.de
        mail addr = root.tcommerce.de
        serial = 2001011212
        refresh = 21600 (6H)
        retry   = 3600 (1H)
        expire  = 3600000 (5w6d16h)
        minimum ttl = 86400 (1D)
t-motion.co.uk  nameserver = support.mesch.dtag.de
t-motion.co.uk  nameserver = pns.dtag.de
t-motion.co.uk  nameserver = techfac.TechFak.Uni-Bielefeld.de
support.mesch.dtag.de   internet address = 193.158.123.70
pns.dtag.de     internet address = 194.25.0.125
techfac.TechFak.Uni-Bielefeld.de        internet address = 129.70.132.100

Here we realize they have their OWN zone for t-motion.co.uk.  So when I
ask for the CNAME it must do a recursive query to itself, and since their
zone doesn't have my A record in it, I get host unknown.

All of this is understandable.

Now enter my internal name server in London.  He cannot look up the CNAME
record either, but that is fine.  What I don't understand is why he cannot
look up anything in the t-motion.co.uk domain.  I would paste in examples,
but we restarted it and now it is working.  Previous to restarting, if you
asked it to resolve an SOA record for t-motion.co.uk it would give you the
SOA above, from Germany.

So do SOA records get cached just like A records?  If you look up a record
in a domain and you get back an SOA header as part of the response, will
that affect future lookups from that domain?

We have at this point decided that one of the name servers in our
forwarders list was the actual culprit - that he had this stuff cached and
was the source of our poisoning. 

Sorry - now that I have spent the time to get this all out I realize it is
not as big a mystery as it was this morning.  Perhaps it is interesting
reading if nothing else :)

j

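As an added illustration (not part of the original post), here is a small Python script that automates the comparison Jeff did by hand: it parses nslookup-style SOA answers and flags any server that hands out an SOA for t-motion.co.uk without appearing in the parent's delegation, and any delegated servers whose serials disagree. The transcripts are constructed to mirror the ones above.

```python
import re

# Delegation for the zone as listed at the parent (NS1.NIC.uk in the post).
DELEGATED_NS = {"ns0.xtml.co.uk", "gold.compulink.co.uk"}

# Constructed nslookup-style transcripts, shaped like the ones in the post.
RESPONSES = [
    """Server:  ns0.xtml.co.uk
Address:  195.226.32.20

t-motion.co.uk
        origin = ns0.xtml.co.uk
        serial = 2002090901
""",
    """Server:  gold.compulink.co.uk
Address:  194.153.1.10

t-motion.co.uk
        origin = ns0.xtml.co.uk
        serial = 2002090901
""",
    """Server:  pns.dtag.de
Address:  194.25.0.125

t-motion.co.uk
        origin = support.mesch.dtag.de
        serial = 2001011212
""",
]


def parse_soa(text):
    """Pull the answering server, SOA origin (MNAME) and serial out of nslookup output."""
    server = re.search(r"^Server:\s+(\S+)", text, re.M).group(1)
    origin = re.search(r"origin = (\S+)", text).group(1)
    serial = int(re.search(r"serial = (\d+)", text).group(1))
    return {"server": server, "origin": origin, "serial": serial}


def audit(responses, delegated):
    """Report servers answering with an SOA outside the parent's delegation
    (a stale private zone copy) and delegated servers that disagree on serial."""
    findings = []
    parsed = [parse_soa(r) for r in responses]
    for p in parsed:
        if p["server"] not in delegated or p["origin"] not in delegated:
            findings.append(f"{p['server']}: SOA origin {p['origin']} serial "
                            f"{p['serial']} is not in the parent's delegation")
    serials = {p["serial"] for p in parsed if p["server"] in delegated}
    if len(serials) > 1:
        findings.append(f"delegated servers disagree on serial: {sorted(serials)}")
    return findings
```

Running audit(RESPONSES, DELEGATED_NS) reports only pns.dtag.de, which is exactly the server whose answer was poisoning the forwarder chain.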

On Mon, 9 Sep 2002, Ian MacDonald wrote:

> If you give us the actual zone files then it will make it easier to
> problem solve it. If not you might want to try what the root name
> servers think the authoritative servers for your domain foo.com or
> whatever it really is.
> 
> Ian.
> 
> -----Original Message-----
> From: Jeff LaCoursiere [mailto:jeff at jeff.net]
> Sent: 09 September 2002 13:51
> To: freebsd-users at uk.freebsd.org
> Subject: DNS - also off topic?? :)
> 
> 
> 
> Hi all,
> 
> I am once again confused by a DNS issue.  Thanks to all who responded to
> my query about TTLs when CNAMEs are in use.  Let me see if I can
> describe
> the situation.
> 
> A remote site has a number of DNS servers, none of which I have access
> to
> other than queries.  These DNS servers are authoritative (master and
> several secondaries) for domain foo.com.  Inside foo.com is a CNAME
> record
> (server.foo.com) pointing to a record in bar.com (server.bar.com), which
> is registered with the NIC to be managed by MY name servers.
> 
> My name servers are authoritative (master and several secondaries) for
> bar.com, and inside is an A record (server.bar.com), pointed at by the
> CNAME in foo.com.
> 
> All of this is very normal, and for most sites out on the net a lookup
> of
> server.foo.com gives you the IP of server.bar.com.  Happiness.
> 
> Now take one of my internal name servers.  It is NOT authoritative for
> foo.com OR bar.com, and has forwarders for Internet lookups to external
> name servers managed by our ISP.  When I try to lookup server.bar.com I
> get "NX domain - no such host".  Even worse, when I try to lookup
> server.foo.com I get the same thing.
> 
> Debugging this I discovered that the servers that are authoritative for
> bar.com (out of my control) actually have a zone file for foo.com.  I
> guess this, actually, as when I dig directly to their name server and
> request the SOA record for foo.com I get back an SOA listing their name
> servers as authoritative, and a completely different set of SOA options
> than what we are managing on our servers.  If I ask this server to
> resolve
> server.foo.com it returns "host unknown".  It goes without saying that
> this is wrong, and that they need to delete the zone.  What confuses me
> is
> this error seems to have poisoned my internal name server somehow, and I
> don't understand why.
> 
> My internal name server, not authoritative for either foo.com or bar.com
> cannot lookup any valid records in foo.com.  With tcpdump I can see that
> it actually asks the bar.com server instead of my authoritative
> servers.  I can understand that asking for server.bar.com would
> recursively cause the foo.com lookup in the bar.com server (and fail
> because of the extra zone), but why if I ask for foo.com records
> directly?
> 
> How can this happen??
> 
> Hope this made some amount of sense :)
> 
> Jeff LaCoursiere
> Infrastructure Specialist
> T-Motion
> 
> 
> 