Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
On Thu, Jul 05, 2001 at 05:25:04PM +0200, Marek Gutkowski wrote:
> Mail server really tries to connect to the DNS with tcp dport 53. It does.
> It does. I'm sure.

Whenever a dns response exceeds the magic XXX byte size (forgot the exact number) the udp query is dropped and retried over tcp, that's what you are seeing. Easy to guess that this slows down things and is totally bogus as there is no real reason for a dns response to be bigger than these X bytes.

the big-dns patch enables qmail to use these oversized dns packets, but hotmail's setup is stupid.

--
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany *

Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
James Stevens <[EMAIL PROTECTED]> wrote:
>
> > That wasn't my message.. I was merely replying to a message and asking a
> > question Charles .. ;)

I apologize to the list for any confusion; I mis-attributed statements to James while trying to clean up and prune the quoting in the message.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
---

Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
grrr hate it when I forget to reply to all...

--JT

- Original Message -
From: "James Stevens" <[EMAIL PROTECTED]>
To: "Charles Cazabon" <[EMAIL PROTECTED]>
Sent: Thursday, July 05, 2001 10:38 AM
Subject: Re: Hotmail, CNAME lookup failure, zone transfer...WTF?

> That wasn't my message.. I was merely replying to a message and asking a
> question Charles .. ;)
>
> --JT
> Network Administrator
> http://www.webcommanders.com
>
> - Original Message -
> From: "Charles Cazabon" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 05, 2001 10:15 AM
> Subject: Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
>
> > James Stevens <[EMAIL PROTECTED]> wrote:
> >
> > > > > > It doesn't. snort is lying -- don't worry, it lies about a lot of
> > > > > > other things, too. Take everything snort says with a grain of salt.
> > > >
> > > > > Snort is just a tool, and my previous post was about qmail, not snort :)
> > > > > Snort is not lying. You think it took the packet dump out of the blue
> > > > > sky? I also ran tcpdump and it says the same. Is tcpdump also lying?
> > > >
> > > > No. There's no zone transfer happening. The worst case is Hotmail went
> > > > over the 512-byte UDP DNS response limit, and the resolver is therefore
> > > > trying to do a TCP query instead. This is not a zone transfer, but snort
> > > > reports it as such.
> >
> > > No, I show them well under the 512 limit.. Even then if the 'bigtodo-dns' I
> > > believe it's called is installed then what does it matter???
> >
> > "bigdns" is the patch you're talking about. It matters in certain
> > circumstances. Perhaps your local dns resolver is broken, or it forwards to
> > another broken resolver. Perhaps Hotmail's load-balanced and distributed DNS
> > is giving slightly different answers there than here.
> >
> > Regardless, you were very rude above. What we're telling you is the truth;
> > please accept it, don't abuse those supplying the answers.
> >
> > > I am correct right?
> >
> > Sadly, no.
> >
> > Charles
> > --
> > ---
> > Charles Cazabon <[EMAIL PROTECTED]>
> > GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
> > ---
> >
>

Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
- Original Message -
From: "Greg White" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 05, 2001 6:06 PM
Subject: Re: Hotmail, CNAME lookup failure, zone transfer...WTF?

> Snort is lying. tcpdump is being misunderstood* by someone who doesn't
> understand the DNS protocol -- and who is being rude to someone who is trying
> to help as a result.

It was not my intention to be rude. If I were - I am sorry.

> I'm sure it does too. Connections on port 53/TCP _do not_ have to be
> zone transfer requests. RTFM, RFC 1035. Sounds like your qmail might
> require the big-dns patch.** You should be able to find it on the qmail
> home page.

This is a big lesson for me. You are 100% right. I thought DNS queries always go as UDP packets :)

>
> ** Odd, though, as my queries for hotmail MX records show 504 bytes,
> inside the limit for UDP. They seem to have intentionally stayed
> inside this limit, on purpose. Could we see the results of (both or
> either):
>
> dig mx hotmail.com @ns1.hotmail.com
> dnsq mx hotmail.com ns1.hotmail.com

This is a different story. Both dig and dnsq show 504 bytes. I attach a full output.

Thanks,
Marek

; <<>> DiG 8.3 <<>> mx hotmail.com @ns1.hotmail.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 12, AUTHORITY: 5, ADDITIONAL: 8
;; QUERY SECTION:
;; hotmail.com, type = MX, class = IN

;; ANSWER SECTION:
hotmail.com. 1H IN MX 10 mc3.law13.hotmail.com.
hotmail.com. 1H IN MX 10 mc4.law13.hotmail.com.
hotmail.com. 1H IN MX 10 mc5.law13.hotmail.com.
hotmail.com. 1H IN MX 10 mc6.law13.hotmail.com.
hotmail.com. 1H IN MX 10 mc4.law5.hotmail.com.
hotmail.com. 1H IN MX 10 mc5.law5.hotmail.com.
hotmail.com. 1H IN MX 10 mc6.law5.hotmail.com.
hotmail.com. 1H IN MX 10 mc7.law5.hotmail.com.
hotmail.com. 1H IN MX 10 mc1.law5.hotmail.com.
hotmail.com. 1H IN MX 10 mc2.law5.hotmail.com.
hotmail.com. 1H IN MX 10 mc1.law13.hotmail.com.
hotmail.com. 1H IN MX 10 mc2.law13.hotmail.com.

;; AUTHORITY SECTION:
hotmail.com. 1H IN NS ns1.hotmail.com.
hotmail.com. 1H IN NS ns2.hotmail.com.
hotmail.com. 1H IN NS ns3.hotmail.com.
hotmail.com. 1H IN NS ns4.hotmail.com.
hotmail.com. 1H IN NS ns1.jsnet.com.

;; ADDITIONAL SECTION:
mc3.law13.hotmail.com. 6m40s IN A 64.4.49.135
mc4.law13.hotmail.com. 6m40s IN A 64.4.49.199
mc5.law13.hotmail.com. 6m40s IN A 64.4.50.7
mc6.law13.hotmail.com. 6m40s IN A 64.4.50.71
mc4.law5.hotmail.com. 6m40s IN A 64.4.56.135
mc5.law5.hotmail.com. 6m40s IN A 64.4.56.199
mc6.law5.hotmail.com. 6m40s IN A 64.4.55.7
mc7.law5.hotmail.com. 6m40s IN A 64.4.42.7

;; Total query time: 822 msec
;; FROM: blackhole to SERVER: ns1.hotmail.com 216.200.206.140
;; WHEN: Thu Jul 5 18:50:28 2001
;; MSG SIZE sent: 29 rcvd: 504

15 hotmail.com:
504 bytes, 1+12+5+8 records, response, authoritative, noerror
query: 15 hotmail.com
answer: hotmail.com 3600 MX 10 mc3.law13.hotmail.com
answer: hotmail.com 3600 MX 10 mc4.law13.hotmail.com
answer: hotmail.com 3600 MX 10 mc5.law13.hotmail.com
answer: hotmail.com 3600 MX 10 mc6.law13.hotmail.com
answer: hotmail.com 3600 MX 10 mc4.law5.hotmail.com
answer: hotmail.com 3600 MX 10 mc5.law5.hotmail.com
answer: hotmail.com 3600 MX 10 mc6.law5.hotmail.com
answer: hotmail.com 3600 MX 10 mc7.law5.hotmail.com
answer: hotmail.com 3600 MX 10 mc1.law5.hotmail.com
answer: hotmail.com 3600 MX 10 mc2.law5.hotmail.com
answer: hotmail.com 3600 MX 10 mc1.law13.hotmail.com
answer: hotmail.com 3600 MX 10 mc2.law13.hotmail.com
authority: hotmail.com 3600 NS ns1.hotmail.com
authority: hotmail.com 3600 NS ns2.hotmail.com
authority: hotmail.com 3600 NS ns3.hotmail.com
authority: hotmail.com 3600 NS ns4.hotmail.com
authority: hotmail.com 3600 NS ns1.jsnet.com
additional: mc3.law13.hotmail.com 400 A 64.4.49.135
additional: mc4.law13.hotmail.com 400 A 64.4.49.199
additional: mc5.law13.hotmail.com 400 A 64.4.50.7
additional: mc6.law13.hotmail.com 400 A 64.4.50.71
additional: mc4.law5.hotmail.com 400 A 64.4.56.135
additional: mc5.law5.hotmail.com 400 A 64.4.56.199
additional: mc6.law5.hotmail.com 400 A 64.4.55.7
additional: mc7.law5.hotmail.com 400 A 64.4.42.7

Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
James Stevens <[EMAIL PROTECTED]> wrote:
> > > > It doesn't. snort is lying -- don't worry, it lies about a lot of
> > > > other things, too. Take everything snort says with a grain of salt.
> >
> > > Snort is just a tool, and my previous post was about qmail, not snort :)
> > > Snort is not lying. You think it took the packet dump out of the blue
> > > sky? I also ran tcpdump and it says the same. Is tcpdump also lying?
> >
> > No. There's no zone transfer happening. The worst case is Hotmail went
> > over the 512-byte UDP DNS response limit, and the resolver is therefore
> > trying to do a TCP query instead. This is not a zone transfer, but snort
> > reports it as such.
> No, I show them well under the 512 limit.. Even then if the 'bigtodo-dns' I
> believe it's called is installed then what does it matter???

"bigdns" is the patch you're talking about. It matters in certain circumstances. Perhaps your local dns resolver is broken, or it forwards to another broken resolver. Perhaps Hotmail's load-balanced and distributed DNS is giving slightly different answers there than here.

Regardless, you were very rude above. What we're telling you is the truth; please accept it, don't abuse those supplying the answers.

> I am correct right?

Sadly, no.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
---

Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
No, I show them well under the 512 limit.. Even then if the 'bigtodo-dns' I believe it's called is installed then what does it matter???

I am correct right?

--JT
Network Administrator
http://www.webcommanders.com

- Original Message -
From: "Charles Cazabon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 05, 2001 9:19 AM
Subject: Re: Hotmail, CNAME lookup failure, zone transfer...WTF?

> Marek Gutkowski <[EMAIL PROTECTED]> wrote:
> >
> > > It doesn't. snort is lying -- don't worry, it lies about a lot of other
> > > things, too. Take everything snort says with a grain of salt.
>
> > First - thanks for a quick reply.
> >
> > Snort is just a tool, and my previous post was about qmail, not snort :)
> > Snort is not lying. You think it took the packet dump out of the blue sky?
> > I also ran tcpdump and it says the same. Is tcpdump also lying?
>
> No. There's no zone transfer happening. The worst case is Hotmail went over
> the 512-byte UDP DNS response limit, and the resolver is therefore trying to
> do a TCP query instead. This is not a zone transfer, but snort reports it as
> such.
>
> > Mail server really tries to connect to the DNS with tcp dport 53. It does.
> > It does. I'm sure.
>
> Hotmail's probably over the 512 byte limit, then. That doesn't make it a zone
> transfer.
>
> Charles
> --
> ---
> Charles Cazabon <[EMAIL PROTECTED]>
> GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
> ---
>

Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
Marek Gutkowski <[EMAIL PROTECTED]> wrote:
>
> > It doesn't. snort is lying -- don't worry, it lies about a lot of other
> > things, too. Take everything snort says with a grain of salt.

> First - thanks for a quick reply.
>
> Snort is just a tool, and my previous post was about qmail, not snort :)
> Snort is not lying. You think it took the packet dump out of the blue sky?
> I also ran tcpdump and it says the same. Is tcpdump also lying?

No. There's no zone transfer happening. The worst case is Hotmail went over the 512-byte UDP DNS response limit, and the resolver is therefore trying to do a TCP query instead. This is not a zone transfer, but snort reports it as such.

> Mail server really tries to connect to the DNS with tcp dport 53. It does.
> It does. I'm sure.

Hotmail's probably over the 512 byte limit, then. That doesn't make it a zone transfer.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
---

Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
On Thu, Jul 05, 2001 at 05:25:04PM +0200, Marek Gutkowski wrote:
>
> - Original Message -
> From: "Charles Cazabon" <[EMAIL PROTECTED]>
>
> > Perfectly normal behaviour, if Hotmail's DNS is broken, or your resolver is
> > broken.
>
> I agree. Hotmail's DNS is broken. That's not the point.
>
> > It doesn't. snort is lying -- don't worry, it lies about a lot of other
> > things, too. Take everything snort says with a grain of salt. Please do not
> > followup with any further snort discussion; it's offtopic for this list.
> >
>
> First - thanks for a quick reply.
>
> Snort is just a tool, and my previous post was about qmail, not snort :)
> Snort is not lying. You think it took the packet dump out of the blue sky?
> I also ran tcpdump and it says the same. Is tcpdump also lying?

Snort is lying. tcpdump is being misunderstood* by someone who doesn't understand the DNS protocol -- and who is being rude to someone who is trying to help as a result.

* Unless tcpdump is actually saying 'Zone transfer', or showing you AXFR requests, or something like that. In which case it's lying too. ;) qmail _does not do AXFR_, nor can it cause an AXFR.

>
> Mail server really tries to connect to the DNS with tcp dport 53. It does.
> It does. I'm sure.

I'm sure it does too. Connections on port 53/TCP _do not_ have to be zone transfer requests. RTFM, RFC 1035. Sounds like your qmail might require the big-dns patch.** You should be able to find it on the qmail home page.

** Odd, though, as my queries for hotmail MX records show 504 bytes, inside the limit for UDP. They seem to have intentionally stayed inside this limit, on purpose. Could we see the results of (both or either):

dig mx hotmail.com @ns1.hotmail.com
dnsq mx hotmail.com ns1.hotmail.com

Specifically, I'd like to see the byte count.

--
Greg White

Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
- Original Message -
From: "Charles Cazabon" <[EMAIL PROTECTED]>

> Perfectly normal behaviour, if Hotmail's DNS is broken, or your resolver is
> broken.

I agree. Hotmail's DNS is broken. That's not the point.

> It doesn't. snort is lying -- don't worry, it lies about a lot of other
> things, too. Take everything snort says with a grain of salt. Please do not
> followup with any further snort discussion; it's offtopic for this list.
>

First - thanks for a quick reply.

Snort is just a tool, and my previous post was about qmail, not snort :)
Snort is not lying. You think it took the packet dump out of the blue sky?
I also ran tcpdump and it says the same. Is tcpdump also lying?

Mail server really tries to connect to the DNS with tcp dport 53. It does. It does. I'm sure.

Any ideas?

Marek

Re: Hotmail, CNAME lookup failure, zone transfer...WTF?
Marek Gutkowski <[EMAIL PROTECTED]> wrote:
>
> There is a mail in my queue, trying to get out to hotmail.com. This is what
> I find in my logs, every time qmail tries:
>
> @40003b4478201cef303c starting delivery 3170: msg 277314 to remote
> [EMAIL PROTECTED]
> @40003b44783418edd024 delivery 3170: deferral:
> CNAME_lookup_failed_temporarily._(#4.4.3)/

Perfectly normal behaviour, if Hotmail's DNS is broken, or your resolver is broken.

> Snort log:
>
> sensei snort: IDS212 - MISC - DNS Zone Transfer: xxx.xxx.xxx.xxx:3211 ->
> yyy.yyy.yyy.yyy:53
[...]
> Why does qmail try to download the zone file for hotmail.com from my DNS
> server?

It doesn't. snort is lying -- don't worry, it lies about a lot of other things, too. Take everything snort says with a grain of salt. Please do not followup with any further snort discussion; it's offtopic for this list.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
---

Hotmail, CNAME lookup failure, zone transfer...WTF?
Hi,

There is a mail in my queue, trying to get out to hotmail.com. This is what I find in my logs, every time qmail tries:

@40003b4478201cef303c starting delivery 3170: msg 277314 to remote [EMAIL PROTECTED]
@40003b44783418edd024 delivery 3170: deferral: CNAME_lookup_failed_temporarily._(#4.4.3)/

Snort log:

sensei snort: IDS212 - MISC - DNS Zone Transfer: xxx.xxx.xxx.xxx:3211 -> yyy.yyy.yyy.yyy:53

Dump of the offending packet:

xxx.xxx.xxx.xxx:3211 -> yyy.yyy.yyy.yyy:53
TCP TTL:64 TOS:0x0 ID:16519 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xB3A4D61B Ack: 0x208246C Win: 0x7D78 TcpLen: 20
0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00 u#..).a...E.
0x0010: 00 47 40 87 40 00 40 06 B6 9B C3 74 DE 53 C3 74 .G@.@.@t.S.t
0x0020: DE 51 0C 8B 00 35 B3 A4 D6 1B 02 08 24 6C 50 18 .Q...5..$lP.
0x0030: 7D 78 6E 93 00 00 00 1D 01 85 01 00 00 01 00 00 }xn.
0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D .hotmail.com
0x0050: 00 00 FF 00 01 .

xxx.xxx.xxx.xxx is the mail server, qmail-1.03, Linux.
yyy.yyy.yyy.yyy is the DNS server, NT.

Why does qmail try to download the zone file for hotmail.com from my DNS server? I don't get it :(

Thanks,
Marek Gutkowski

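Added example, not part of the original thread: decoding the DNS message carried in the TCP payload of the packet dump posted above, and in line with the replies that a 53/TCP connection need not be a zone transfer, shows a standard query for hotmail.com with QTYPE 255 (`*`, commonly called ANY), not 252 (AXFR). The payload bytes are transcribed from the dump (offset 0x36 onward); the function and table names are this example's own, and the AXFR payload is constructed for contrast.

```python
import struct

# TCP payload of the flagged segment, transcribed from the dump in the post
# (everything after the 14-byte Ethernet, 20-byte IP and 20-byte TCP headers).
PAYLOAD = bytes.fromhex(
    "001d" "0185" "0100" "0001" "0000" "0000" "0000"
    "07686f746d61696c" "03636f6d" "00" "00ff" "0001"
)

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX",
          251: "IXFR", 252: "AXFR", 255: "ANY"}
ZONE_TRANSFER = {251, 252}  # only these query types request zone data

def parse_tcp_dns_query(payload):
    """Decode the first question of a DNS message sent over TCP (RFC 1035, 4.2.2)."""
    (length,) = struct.unpack_from("!H", payload, 0)  # 2-byte length prefix
    msg = payload[2:2 + length]
    if length < 12 or len(msg) != length:
        raise ValueError("truncated DNS message")
    ident, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12  # question starts after the 12-byte header
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack_from("!HH", msg, pos)
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "qname": ".".join(labels),
        "qtype": QTYPES.get(qtype, str(qtype)),
        "qclass": qclass,
        "zone_transfer": qtype in ZONE_TRANSFER,
    }

# Constructed contrast case: the same question with QTYPE 252 (AXFR), class IN.
AXFR_PAYLOAD = PAYLOAD[:-4] + struct.pack("!HH", 252, 1)

if __name__ == "__main__":
    print(parse_tcp_dns_query(PAYLOAD))
    print(parse_tcp_dns_query(AXFR_PAYLOAD))
```

A rule meant to flag zone transfers would key on QTYPE 251/252 in the question rather than on the use of TCP to port 53.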