Strange DNS Behaviour

2009-03-24 Thread Ashish
Hi,

Could someone kindly explain what is happening?

I don't have domain name kemira.kemira.com anywhere in my primary
database (and all secondaries, too) kemira.com = 137.33.1.2
I have doublechecked the master database and secondaries. I have
restarted both of them, but nothing seems to help.

In funet.fi (master for fi-domain) when I start named and query
kemira.kemira.com for the first time, it looks like this:

==
datagram from 130.230.1.1 port 1536, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 1 type=1
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer - 130.230.1.1 9 (1536) id=1 Local

datagram from 130.230.1.1 port 1537, fd 7, len 44
req: nlookup(kemira.kemira.com.funet.fi) id 2 type=15
req: found 'kemira.kemira.com.funet.fi' as 'funet.fi' (cname=0)
findns: SOA found
req: leaving (kemira.kemira.com.funet.fi, rcode 3)
req: answer - 130.230.1.1 9 (1537) id=2 Local

datagram from 130.230.1.1 port 1538, fd 7, len 35
req: nlookup(kemira.kemira.com) id 3 type=1
req: found 'kemira.kemira.com' as 'com' (cname=0)
findns: using cache
findns: 7 NS's added for ''
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS NS.NIC.DDN.MIL c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS AOS.BRL.MIL c1 t2 (x0)
nslookup: 4 ns addrs
nslookup: NS KAVA.NISC.SRI.COM c1 t2 (x0)
nslookup: 5 ns addrs
nslookup: NS C.NYSER.NET c1 t2 (x0)
nslookup: 6 ns addrs
nslookup: NS TERP.UMD.EDU c1 t2 (x0)
nslookup: 7 ns addrs
nslookup: NS NS.NASA.GOV c1 t2 (x0)
nslookup: 9 ns addrs
nslookup: NS NIC.NORDU.NET c1 t2 (x0)
nslookup: 10 ns addrs total
forw: forw - 192.33.4.12 7 (53) nsid=5 id=3 0ms retry 4 sec



and a bit later:

datagram from 192.33.4.12 port 53, fd 7, len 186
USER response nsid=5 id=3
stime 712944912/687743  now 712944912/887742 rtt 199
NS #0 addr 192.33.4.12 used, rtt 199
NS #1 128.63.4.82 rtt now 0
NS #2 26.3.0.29 rtt now 0
NS #3 192.5.25.82 rtt now 0
NS #4 192.33.33.24 rtt now 0
NS #5 128.8.10.90 rtt now 0
NS #6 192.52.195.10 rtt now 0
NS #7 128.102.16.10 rtt now 0
NS #8 192.36.148.17 rtt now 0
NS #9 192.112.36.4 rtt now 401
resp: ancount 1, aucount 3, arcount 3
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.kemira.com type 1 class 1 ttl 172800
db_update(kemira.kemira.com, 0x554b8, 0x554b8, 031, 0x44ca0)
db_update: adding 554b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x55580, 0x55580, 031, 0x44ca0)
db_update: adding 55580
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555b8, 0x555b8, 031, 0x44ca0)
db_update: adding 555b8
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update(KEMIRA.COM, 0x555f0, 0x555f0, 031, 0x44ca0)
db_update: adding 555f0
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname KEMIRA.KEMIRA.COM type 1 class 1 ttl 172800
db_update(KEMIRA.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: new ttl 713117712, +172800
update failed (DATAEXISTS)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HYDRA.HELSINKI.FI type 1 class 1 ttl 518400
db_update(HYDRA.HELSINKI.FI, 0x55630, 0x55630, 031, 0x44ca0)
192.33.4.12 attempted update to auth zone 1 'fi'
update failed (-10)
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname HKIUX9.FIN.KEMIRA.COM type 1 class 1 ttl 172800
db_update(HKIUX9.FIN.KEMIRA.COM, 0x55630, 0x55630, 031, 0x44ca0)
db_update: adding 55630
resp: got as much answer as there is
send_msg - 130.230.1.1 (UDP 9 1538) id=3

datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
datagram from 130.230.1.1 port 1539, fd 7, len 35
req: nlookup(kemira.kemira.com) id 4 type=15
req: found 'kemira.kemira.com' as 'kemira.kemira.com' (cname=0)
finddata: added 0 class 1 type 15 RRs
findns: 3 NS's added for 'kemira'
ns_forw()
nslookup(nsp=xf7fff1e0,qp=x55000)
nslookup: NS KEMIRA.KEMIRA.COM c1 t2 (x0)
nslookup: 1 ns addrs
nslookup: NS HYDRA.HELSINKI.FI c1 t2 (x0)
nslookup: 2 ns addrs
nslookup: NS HKIUX9.FIN.KEMIRA.COM c1 t2 (x0)
nslookup: 3 ns addrs
nslookup: 3 ns addrs total
forw: forw - 137.33.1.2 7 (53) nsid=7 id=4 0ms retry 4 sec

datagram from 137.33.1.2 port 53, fd 7, len 92
USER response nsid=7 id=4
stime 712944912/917744  now 712944912/967742 rtt 49
NS #0 addr 137.33.1.2 used, rtt 49
NS #1 128.214.4.29 rtt now 0
NS #2 137.33.1.9 rtt now 0
resp: ancount 0, aucount 1, arcount 0
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.com type 6 class 1 ttl 3600
db_update(kemira.com, 0x556f8, 0x556f8, 031, 0x44ca0)
db_update: adding 556f8
resp: leaving auth NO
send_msg - 130.230.1.1 (UDP 9 1539) id=4

=

Kindly advise!

Many Thanks,
Ashish
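
An added example, not part of the original message: a small Python parser for the named debug output quoted above. For each responding server it lists which records from the response were stored in the cache (zone 0) and which updates were rejected. The sample is an excerpt of the log lines in the post; the function name `summarize` and the outcome labels are illustrative.

```python
import re

# Excerpt of the named debug output quoted in the message above.
SAMPLE = """\
datagram from 192.33.4.12 port 53, fd 7, len 186
doupdate(zone 0, savens f7ffe9d0, flags 19)
doupdate: dname kemira.kemira.com type 1 class 1 ttl 172800
db_update: adding 554b8
doupdate: dname KEMIRA.COM type 2 class 1 ttl 172800
db_update: adding 55580
doupdate: dname KEMIRA.KEMIRA.COM type 1 class 1 ttl 172800
update failed (DATAEXISTS)
doupdate: dname HYDRA.HELSINKI.FI type 1 class 1 ttl 518400
192.33.4.12 attempted update to auth zone 1 'fi'
update failed (-10)
"""

RTYPE = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX"}  # DNS type codes
SRC = re.compile(r"datagram from (\S+) port")
DNAME = re.compile(r"doupdate: dname (\S+) type (\d+) ", re.I)
AUTH = re.compile(r"attempted update to auth zone \d+ '([^']*)'")
FAIL = re.compile(r"update failed \((.+)\)")

def summarize(log):
    """Map each responding server to [(name, type, outcome), ...]."""
    results = {}
    src = pending = auth = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := SRC.match(line):
            src, pending, auth = m.group(1), None, None
        elif m := DNAME.match(line):
            rtype = RTYPE.get(int(m.group(2)), m.group(2))
            pending, auth = (m.group(1).lower(), rtype), None
        elif pending is None:
            continue
        elif line.lower().startswith("db_update: adding"):
            results.setdefault(src, []).append(pending + ("cached",))
            pending = None
        elif m := AUTH.search(line):
            auth = m.group(1)  # the local server is authoritative for this zone
        elif m := FAIL.match(line):
            why = f"refused, auth zone '{auth}'" if auth else f"not stored ({m.group(1)})"
            results.setdefault(src, []).append(pending + (why,))
            pending = None
    return results

if __name__ == "__main__":
    for server, records in summarize(SAMPLE).items():
        print(server, *records, sep="\n  ")
```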



Please do not print this email unless it is absolutely

RE: Caching-only Name server does Zone Updates

2009-02-03 Thread Ashish
Hi Barry,

Thank you for your reply.

There was a reverse lookup done as per the Debug content.
We have 4 Name servers so there should be 4 responses containing NS records
in the Authority Section and the corresponding A records in the Additional
Section.

But we have thousands of statements like 
 Db_update
 Match
in the Debug file.

Kindly advise.

Kind Regards,
Ashish
-Original Message-
Date: Tue, 03 Feb 2009 03:42:32 -0500
From: Barry Margolin bar...@alum.mit.edu
Subject: Re: Caching-only Name server does Zone Updates
To: comp-protocols-dns-b...@isc.org
Message-ID: barmar-900c8b.03423203022...@mara100-84.onlink.net

In article gm8o6b$1va...@sf1.isc.org, Ashish ashish@wipro.com 
wrote:

 Thank you Mark,
 
 Doupdate is followed by a lot of statements like 
 
 Db_update
 Match
 
 Please see the content below.
 =
 Doupdate(zone 0, savens x, flags y)
 Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
 Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543) match(0x9b430, 1, 6) 1, 6
 db_update: flags = 0x19, sizes = 71, 71 (1)
 match(0x9123v, 1, 6) 1, 6
 db_update: flags = 0x19, sizes = 71, 71 (1)
 match(0x9sd33, 1, 6) 1, 6
 db_update: flags = 0x19, sizes = 71, 71 (1)
 match(0xdg6d8, 1, 6) 1, 6
 db_update: flags = 0x19, sizes = 71, 71 (1)
 match(0x6abde, 1, 6) 1, 6
 ==
 
 Please correct me if I am wrong, I thought that for cache update it should
 update only one record. So why are so many updates being made?

The response probably contained NS records in the Authority Section and 
the corresponding A records in the Additional Section.  These update the 
cache as well.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***



Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to 
this message are intended for the exclusive use of the addressee(s) and may 
contain proprietary, confidential or privileged information. If you are not the 
intended recipient, you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately and destroy all copies of this message and 
any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should 
check this email and any attachments for the presence of viruses. The company 
accepts no liability for any damage caused by any virus transmitted by this 
email. 

www.wipro.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Caching-only Name server does Zone Updates

2009-02-02 Thread Ashish
Hello All,

Thank you for your replies.

Our configuration file is fairly simple (I have changed the domain name for
security). 

domain  example.group.net 
cache   ./etc/dnscache  

We use BIND 4. Actually our DNS was doing a lot of CPU utilization and when we
started it in Debug mode we found that there was a reverse lookup for some
IP address which was in the dnscache file. (dnscache is the root hint file)

This started zone updates, as we can observe in the debug file which calls
function db_update()

Here is the debug file content (I have modified the IP address for security
reasons. Here 21.x.x.x is one of the entries in dnscache file. I mean that
there was a network address starting with 21 in our dnscache file)

dgram from 1.2.3.4, 2 ()
 ns_req()
 req: nlookup(5.6.7.21.in-addr.arpa) id 111 type=11
 req: found '5.6.7.21.in-addr.arpa' as '21.in-addr.arpa' (cname=0)
 findns: np 0x6b41e
 findns: 2 NS's added for '21'
 ns_forw()
 qnew(x45gte8)
 nslookup(nsp=x2433d,qp=xfdgfv4)
 nslookup: NS server01.example.grp.net c1 t2 (x0)
 nslookup: 1 ns addrs
 nslookup: NS cerver01.example.grp.net c1 t2 (x0)
 nslookup: 2 ns addrs
 nslookup: 2 ns addrs total
 retrytime: nstime 0ms.
 schedretry(0x1dfd8, 4sec)

Dgram from 21.x.x.x
Ns_req()
Qfindid(12345)
USER response nsid= id 
Respose from upexpected source 21.x.x.x
Stime z/z now yy/yy rtt x
NS #2 addr 21.x.x.x used rtt y
NS #1 21.x.x.x rtt now z
Resp: ancount 0, aucount 1, arcount 0
Doupdate(zone 0, savens x, flags y)
Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543)

This is strange, there was NSLOOKUP for some IP 5.6.7.21 which caused zone
updates and we do not have any zone specified in our configuration file.

Kindly advise

Thanks 
Ashish
-Original Message-
From: Niall O'Reilly [mailto:niall.orei...@ucd.ie] 
Sent: Monday, February 02, 2009 7:50 PM
To: Ashish
Cc: bind-users@lists.isc.org; niall.orei...@ucd.ie
Subject: Re: Caching-only Name server does Zone Updates

On Mon, 2009-02-02 at 17:25 +0530, Ashish wrote:
 Our DNS is configured as Caching-only Name server.

How do you know?

  However, it's still
 performing Zone updates like a Slave Name Server.

How many 'zone' sections are in your configuration?

Why not post your configuration file to the list,
so that we can see?

/Niall







RE: Caching-only Name server does Zone Updates

2009-02-02 Thread Ashish
Thank you Mark,

Doupdate is followed by a lot of statements like 

Db_update
Match

Please see the content below.
=
Doupdate(zone 0, savens x, flags y)
Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543) match(0x9b430, 1, 6) 1, 6
db_update: flags = 0x19, sizes = 71, 71 (1)
match(0x9123v, 1, 6) 1, 6
db_update: flags = 0x19, sizes = 71, 71 (1)
match(0x9sd33, 1, 6) 1, 6
db_update: flags = 0x19, sizes = 71, 71 (1)
match(0xdg6d8, 1, 6) 1, 6
db_update: flags = 0x19, sizes = 71, 71 (1)
match(0x6abde, 1, 6) 1, 6
==

Please correct me if I am wrong, I thought that for cache update it should
update only one record. So why are so many updates being made?

Please advise.

Thanks a lot
Ashish

-Original Message-
From: mark_andr...@isc.org [mailto:mark_andr...@isc.org] 
Sent: Tuesday, February 03, 2009 11:32 AM
To: Ashish
Cc: niall.orei...@ucd.ie; bind-users@lists.isc.org
Subject: Re: Caching-only Name server does Zone Updates 


In message 009201c985c0$aff05cb0$f9281...@wipro74039c7ca, Ashish writes:
 Hello All,
 
 Thank you for your replies.
 
 Our configuration file is fairly simple (I have changed the domain name for
 security). 

You care about security yet you run BIND 4?
 
 domain  example.group.net 
 cache   ./etc/dnscache  
 
 We use BIND 4. Actually our DNS was doing a lot of CPU utilization and when we
 started it in Debug mode we found that there was a reverse lookup for some
 IP address which was in the dnscache file. (dnscache is the root hint file)
 
 This started zone updates, as we can observe in the debug file which calls
 function db_update()
 
 Here is the debug file content (I have modified the IP address for security
 reasons. Here 21.x.x.x is one of the entries in dnscache file. I mean that
 there was a network address starting with 21 in our dnscache file)
 
 dgram from 1.2.3.4, 2 ()
  ns_req()
  req: nlookup(5.6.7.21.in-addr.arpa) id 111 type=11
  req: found '5.6.7.21.in-addr.arpa' as '21.in-addr.arpa' (cname=0)
  findns: np 0x6b41e
  findns: 2 NS's added for '21'
  ns_forw()
  qnew(x45gte8)
  nslookup(nsp=x2433d,qp=xfdgfv4)
  nslookup: NS server01.example.grp.net c1 t2 (x0)
  nslookup: 1 ns addrs
  nslookup: NS cerver01.example.grp.net c1 t2 (x0)
  nslookup: 2 ns addrs
  nslookup: 2 ns addrs total
  retrytime: nstime 0ms.
  schedretry(0x1dfd8, 4sec)
 
 Dgram from 21.x.x.x
 Ns_req()
 Qfindid(12345)
 USER response nsid= id 
 Respose from upexpected source 21.x.x.x
 Stime z/z now yy/yy rtt x
 NS #2 addr 21.x.x.x used rtt y
 NS #1 21.x.x.x rtt now z
 Resp: ancount 0, aucount 1, arcount 0
 Doupdate(zone 0, savens x, flags y)
 Doupdate: dname 21.in-addr.arpa type 6 class 1 ttl 600
 Db_update(21.in-addr.arpa, 0x12345, 0x56789, 087, 0x76543)
 
 This is strange, there was NSLOOKUP for some IP 5.6.7.21 which caused zone
 updates and we do not have any zone specified in our configuration file.

zone 0 is the cache.  The cache was updated.

Mark
 
 Kindly advise
 
 Thanks 
 Ashish
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org





reg - BIND 9.3.0 - CVE-2009-0025

2009-01-28 Thread Ashish
Hi Folks,

This is regarding the recent security threat CVE-2009-0025.

We are using DNS 9.3.0 and unfortunately, we cannot upgrade (management
issues) to 9.3.6 (as suggested on the ISC website).

ISC's website suggests upgrading OpenSSL to at least OpenSSL 0.9.8j and
then upgrading to 9.3.6-P1.

Could you please advise how I can upgrade OpenSSL? Since we could not
upgrade DNS, is there any other alternative for us? Could we apply the same
patch of 9.3.6-P1 on 9.3.0? Will it help in resolving this issue?

Do I need to change code somewhere?

Kindly suggest what exactly I could do and what options I have to resolve
this issue.

Thank you in advance for all your help.

Ashish Rao

