nanog mailing list archives

Re: Is my BIND Server's Cache Poisoned ?


From: Mark Andrews <Mark_Andrews () isc org>
Date: Thu, 30 Jun 2005 13:43:54 +1000



Hi,

I met a strange problem with my cache server, which
runs BIND 9.3.1.

In past days, our customers complained that three
domain names (www.hangzhou.gov.cn, www.zpepc.com.cn)
could not be resolved frequently. I checked on the
cache server and found that, when the cache server could
not resolve www.hangzhou.gov.cn (www.zpepc.com.cn), I
can solve the problem by running "rndc flush". 

The debugging output of the named process has the
following output when it could not resolve
www.hangzhou.gov.cn.

Does that mean my cache server is poisoned for these
two domain names? 

        No.  These are just mis-configured zones.

        hangzhou.gov.cn only has glue records for the nameservers.
        zpepc.com.cn has CNAMEs for the nameservers.

        Both of these misconfigurations are visible to nameservers
        that are IPv6 aware.  Nameservers that are not IPv6 aware
        are not likely to make the queries that make these
        misconfigurations visible.

        Flushing the cache temporarily hides the misconfiguration.

        Mark

% dig dns2.hangzhou.gov.cn @sld-ns1.cnnic.net.cn

; <<>> DiG 8.3 <<>> dns2.hangzhou.gov.cn @sld-ns1.cnnic.net.cn 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 110
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      dns2.hangzhou.gov.cn, type = A, class = IN

;; AUTHORITY SECTION:
hangzhou.gov.cn.        12H IN NS       dns.hangzhou.gov.cn.
hangzhou.gov.cn.        12H IN NS       dns2.hangzhou.gov.cn.

;; ADDITIONAL SECTION:
dns.hangzhou.gov.cn.    12H IN A        218.108.246.45
dns2.hangzhou.gov.cn.   12H IN A        60.191.40.77

;; Total query time: 338 msec
;; FROM: drugs.dv.isc.org to SERVER: 159.226.1.3
;; WHEN: Thu Jun 30 13:30:32 2005
;; MSG SIZE  sent: 38  rcvd: 102

% dig dns2.hangzhou.gov.cn @60.191.40.77

; <<>> DiG 8.3 <<>> dns2.hangzhou.gov.cn @60.191.40.77 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      dns2.hangzhou.gov.cn, type = A, class = IN

;; AUTHORITY SECTION:
hangzhou.gov.cn.        1H IN SOA       dns.hangzhou.gov.cn. mail.hz.gov.cn. (
                                        2005062401      ; serial
                                        1H              ; refresh
                                        30M             ; retry
                                        1w3d            ; expiry
                                        1H )            ; minimum


;; Total query time: 6365 msec
;; FROM: drugs.dv.isc.org to SERVER: 60.191.40.77
;; WHEN: Thu Jun 30 13:30:52 2005
;; MSG SIZE  sent: 38  rcvd: 86

% 


% dig ns1.zpepc.com.cn @202.107.201.1

; <<>> DiG 8.3 <<>> ns1.zpepc.com.cn @202.107.201.1 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23703
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      ns1.zpepc.com.cn, type = A, class = IN

;; ANSWER SECTION:
ns1.zpepc.com.cn.       1D IN CNAME     202-107-201-1.zpepc.com.cn.
202-107-201-1.zpepc.com.cn.  1D IN A  202.107.201.1

;; AUTHORITY SECTION:
zpepc.com.cn.           1D IN NS        ns1.zpepc.com.cn.

;; Total query time: 5593 msec
;; FROM: drugs.dv.isc.org to SERVER: 202.107.201.1
;; WHEN: Thu Jun 30 13:35:12 2005
;; MSG SIZE  sent: 34  rcvd: 92

% 

===============================

24-Jun-2005 19:02:00.015 client 202.101.172.148#32769: UDP request
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: request is not signed
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: recursion available
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query (cache) 'www.hangzhou.gov.cn/A/IN' approved
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: replace
24-Jun-2005 19:02:00.026 clientmgr @2addf8: createclients
24-Jun-2005 19:02:00.026 clientmgr @2addf8: create new
24-Jun-2005 19:02:00.026 client @3c19f28: create
24-Jun-2005 19:02:00.026 createfetch: www.hangzhou.gov.cn A
24-Jun-2005 19:02:00.026 client @3c19f28: udprecv
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): create
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): join
24-Jun-2005 19:02:00.026 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)): created
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): start
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.027 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.049 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.050 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.052 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.054 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): answer_response
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): clone_results
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): done
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): stopeverything
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): sendevents
24-Jun-2005 19:02:00.054 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)): destroyfetch
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): shutdown

=============================== 


regards

Joe





--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews () isc org
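Mark's diagnosis above has two parts that a resolver operator can check for themselves: a nameserver name that exists only as glue in the parent (the child zone answers NXDOMAIN for it) and a nameserver name that is a CNAME, plus the observation that an IPv6-aware resolver trips over these because of the extra AAAA lookup it makes and that "rndc flush" only hides the symptom. The Python below is an added example, not part of this thread and not code from ISC or BIND. It runs offline against records transcribed from the dig output above; the names `Zone`, `check_delegation`, `ResolverCache` and `ipv6_aware_lookup_trace` are constructed, the zpepc.com.cn glue address and the presence of dns.hangzhou.gov.cn in the child zone are assumptions, and the negative-cache model is a simplification of RFC 2308 behaviour, not BIND's implementation.

```python
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"

def canon(name):
    """Lower-case a name and drop the trailing dot so lookups are consistent."""
    return name.lower().rstrip(".")

@dataclass
class Zone:
    """Authoritative answers of one child zone, keyed by (owner name, rrtype)."""
    origin: str
    records: dict = field(default_factory=dict)

    def lookup(self, name, rrtype):
        """NXDOMAIN when the owner name has no RRsets at all; otherwise NOERROR
        plus whatever rdata exists for that type (an empty list if none)."""
        name = canon(name)
        if not any(owner == name for (owner, _) in self.records):
            return NXDOMAIN, []
        return "NOERROR", list(self.records.get((name, rrtype), []))

def check_delegation(parent_ns, parent_glue, child):
    """Compare the parent's referral (NS names plus glue A) with the child's own
    answers and report the two misconfigurations described in the thread."""
    findings = []
    for ns in map(canon, parent_ns):
        rcode, _ = child.lookup(ns, "A")
        if rcode == NXDOMAIN:
            # hangzhou.gov.cn case: the NS name exists only as glue in the parent.
            findings.append(f"{ns}: NXDOMAIN from {child.origin}; "
                            f"A {parent_glue.get(ns)} exists only as glue")
            continue
        _, cnames = child.lookup(ns, "CNAME")
        if cnames:
            # zpepc.com.cn case: an NS target must not be a CNAME (RFC 2181 s10.3).
            findings.append(f"{ns}: NS target is a CNAME to {cnames[0]}")
    return findings

class ResolverCache:
    """Toy model of negative caching (RFC 2308): an NXDOMAIN for a name says the
    name has no records of any type, so it shadows glue cached for that name
    until it expires or the cache is flushed.  This models the effect the thread
    describes; it is not BIND's cache code."""

    def __init__(self):
        self.positive, self.negative = {}, set()

    def learn_glue(self, glue):
        for name, addr in glue.items():
            self.positive[(canon(name), "A")] = [addr]

    def learn_answer(self, name, rrtype, rcode, rdatas):
        if rcode == NXDOMAIN:
            self.negative.add(canon(name))
        elif rdatas:
            self.positive[(canon(name), rrtype)] = rdatas

    def address_of(self, name):
        """Usable IPv4 address for a nameserver name, or None."""
        if canon(name) in self.negative:
            return None
        addrs = self.positive.get((canon(name), "A"))
        return addrs[0] if addrs else None

    def flush(self):
        self.positive.clear()
        self.negative.clear()

def ipv6_aware_lookup_trace(ns_name, parent_glue, child):
    """Nameserver address usable (a) right after the referral, (b) after the AAAA
    query that only IPv6-aware resolvers send, (c) after a flush and re-referral."""
    cache = ResolverCache()
    cache.learn_glue(parent_glue)
    before = cache.address_of(ns_name)
    cache.learn_answer(ns_name, "AAAA", *child.lookup(ns_name, "AAAA"))
    after = cache.address_of(ns_name)
    cache.flush()
    cache.learn_glue(parent_glue)
    return before, after, cache.address_of(ns_name)

# Records transcribed from the dig output in the thread.  dns.hangzhou.gov.cn is
# assumed to exist in the child zone so the example isolates the dns2 problem;
# the zpepc glue address is constructed (the thread does not show parent glue).
HANGZHOU_NS = ["dns.hangzhou.gov.cn.", "dns2.hangzhou.gov.cn."]
HANGZHOU_GLUE = {"dns.hangzhou.gov.cn": "218.108.246.45",
                 "dns2.hangzhou.gov.cn": "60.191.40.77"}
HANGZHOU_ZONE = Zone("hangzhou.gov.cn", {("dns.hangzhou.gov.cn", "A"): ["218.108.246.45"]})
ZPEPC_NS = ["ns1.zpepc.com.cn."]
ZPEPC_GLUE = {"ns1.zpepc.com.cn": "202.107.201.1"}
ZPEPC_ZONE = Zone("zpepc.com.cn", {
    ("ns1.zpepc.com.cn", "CNAME"): ["202-107-201-1.zpepc.com.cn."],
    ("202-107-201-1.zpepc.com.cn", "A"): ["202.107.201.1"]})

if __name__ == "__main__":
    print(check_delegation(HANGZHOU_NS, HANGZHOU_GLUE, HANGZHOU_ZONE))
    print(check_delegation(ZPEPC_NS, ZPEPC_GLUE, ZPEPC_ZONE))
    print(ipv6_aware_lookup_trace("dns2.hangzhou.gov.cn", HANGZHOU_GLUE, HANGZHOU_ZONE))
```

The trace for dns2.hangzhou.gov.cn shows the pattern Joe observed: the glue address is usable right after the referral, becomes unusable once the child's NXDOMAIN for the AAAA query is cached, and is usable again after a flush and a fresh referral. The lasting fix is on the zone side, as Mark says: put the nameservers' A records into the child zone and point NS records at names with address records rather than at CNAMEs.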

