
Hi,
I met a strange problem with my cache server, which runs BIND 9.3.1.
In past days, our customers complained that three domain names (www.hangzhou.gov.cn, www.zpepc.com.cn) could not be resolved frequently. I checked on the cache server and found that, when the cache server could not resolve www.hangzhou.gov.cn (www.zpepc.com.cn), I can solve the problem by running "rndc flush".
The debugging output of named process has the following output when it could not resolve www.hangzhou.gov.cn.
Does that mean my cache server is poisoned for these two domain names?
No. These are just misconfigured zones.

hangzhou.gov.cn only has glue records for the nameservers.
zpepc.com.cn has CNAMEs for the nameservers.

Both of these misconfigurations are visible to nameservers that are IPv6 aware. Nameservers that are not IPv6 aware are not likely to make the queries that make these misconfigurations visible.

Flushing the cache temporarily hides the misconfiguration.

Mark

% dig dns2.hangzhou.gov.cn @sld-ns1.cnnic.net.cn

; <<>> DiG 8.3 <<>> dns2.hangzhou.gov.cn @sld-ns1.cnnic.net.cn
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 110
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      dns2.hangzhou.gov.cn, type = A, class = IN

;; AUTHORITY SECTION:
hangzhou.gov.cn.        12H IN NS       dns.hangzhou.gov.cn.
hangzhou.gov.cn.        12H IN NS       dns2.hangzhou.gov.cn.

;; ADDITIONAL SECTION:
dns.hangzhou.gov.cn.    12H IN A        218.108.246.45
dns2.hangzhou.gov.cn.   12H IN A        60.191.40.77

;; Total query time: 338 msec
;; FROM: drugs.dv.isc.org to SERVER: 159.226.1.3
;; WHEN: Thu Jun 30 13:30:32 2005
;; MSG SIZE  sent: 38  rcvd: 102

% dig dns2.hangzhou.gov.cn @60.191.40.77

; <<>> DiG 8.3 <<>> dns2.hangzhou.gov.cn @60.191.40.77
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      dns2.hangzhou.gov.cn, type = A, class = IN

;; AUTHORITY SECTION:
hangzhou.gov.cn.        1H IN SOA       dns.hangzhou.gov.cn. mail.hz.gov.cn. (
                                        2005062401      ; serial
                                        1H              ; refresh
                                        30M             ; retry
                                        1w3d            ; expiry
                                        1H )            ; minimum

;; Total query time: 6365 msec
;; FROM: drugs.dv.isc.org to SERVER: 60.191.40.77
;; WHEN: Thu Jun 30 13:30:52 2005
;; MSG SIZE  sent: 38  rcvd: 86

%
% dig ns1.zpepc.com.cn @202.107.201.1

; <<>> DiG 8.3 <<>> ns1.zpepc.com.cn @202.107.201.1
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23703
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      ns1.zpepc.com.cn, type = A, class = IN

;; ANSWER SECTION:
ns1.zpepc.com.cn.       1D IN CNAME     202-107-201-1.zpepc.com.cn.
202-107-201-1.zpepc.com.cn.  1D IN A    202.107.201.1

;; AUTHORITY SECTION:
zpepc.com.cn.           1D IN NS        ns1.zpepc.com.cn.

;; Total query time: 5593 msec
;; FROM: drugs.dv.isc.org to SERVER: 202.107.201.1
;; WHEN: Thu Jun 30 13:35:12 2005
;; MSG SIZE  sent: 34  rcvd: 92

%
===============================
24-Jun-2005 19:02:00.015 client 202.101.172.148#32769: UDP request
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: request is not signed
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: recursion available
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query (cache) 'www.hangzhou.gov.cn/A/IN' approved
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: replace
24-Jun-2005 19:02:00.026 clientmgr @2addf8: createclients
24-Jun-2005 19:02:00.026 clientmgr @2addf8: create new
24-Jun-2005 19:02:00.026 client @3c19f28: create
24-Jun-2005 19:02:00.026 createfetch: www.hangzhou.gov.cn A
24-Jun-2005 19:02:00.026 client @3c19f28: udprecv
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): create
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): join
24-Jun-2005 19:02:00.026 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)): created
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): start
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.027 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.049 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.050 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.052 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.054 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): answer_response
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): clone_results
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): done
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): stopeverything
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): sendevents
24-Jun-2005 19:02:00.054 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)): destroyfetch
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): shutdown
===============================
regards
Joe
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
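
Added example, not part of the original thread or of BIND: a small Python check that applies the two tests from the reply above to the quoted dig output, flagging a nameserver whose address exists only as parent-side glue and a nameserver name that is a CNAME. The function names and finding labels are assumptions made for illustration; the sample text is trimmed from the dig output in the thread.

```python
import re

# Record lines trimmed from the dig output quoted in the thread.
PARENT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 110
;; AUTHORITY SECTION:
hangzhou.gov.cn. 12H IN NS dns.hangzhou.gov.cn.
hangzhou.gov.cn. 12H IN NS dns2.hangzhou.gov.cn.
;; ADDITIONAL SECTION:
dns.hangzhou.gov.cn. 12H IN A 218.108.246.45
dns2.hangzhou.gov.cn. 12H IN A 60.191.40.77
"""
CHILD_DNS2 = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38698
;; AUTHORITY SECTION:
hangzhou.gov.cn. 1H IN SOA dns.hangzhou.gov.cn. mail.hz.gov.cn. (
"""
CHILD_NS1 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23703
;; ANSWER SECTION:
ns1.zpepc.com.cn. 1D IN CNAME 202-107-201-1.zpepc.com.cn.
202-107-201-1.zpepc.com.cn. 1D IN A 202.107.201.1
"""
RR = re.compile(r"^(\S+)\s+\S+\s+IN\s+(NS|A|CNAME)\s+(\S+)", re.M)

def parse(text):
    """Return (rcode or None, [(owner, type, rdata)]) from dig-style text."""
    m = re.search(r"status: (\w+)", text)
    rrs = [(o.lower(), t, d.lower()) for o, t, d in RR.findall(text)]
    return (m.group(1) if m else None), rrs

def check_ns(ns_name, parent_text, child_text):
    """Compare parent-side glue with the zone's own answer for one NS name."""
    name = ns_name.lower().rstrip(".") + "."
    _, parent = parse(parent_text)
    rcode, child = parse(child_text)
    has_glue = any(o == name and t == "A" for o, t, _ in parent)
    child_types = {t for o, t, _ in child if o == name}
    findings = []
    if "CNAME" in child_types:
        findings.append("ns-is-cname")   # the NS name is an alias in its own zone
    elif has_glue and "A" not in child_types:
        findings.append("glue-only")     # parent has an address, the zone does not
    return rcode, findings

if __name__ == "__main__":
    print(check_ns("dns2.hangzhou.gov.cn", PARENT, CHILD_DNS2))
    print(check_ns("ns1.zpepc.com.cn", "", CHILD_NS1))
```

An empty findings list for every nameserver of a zone, together with failures that only a flush clears, would be the point at which to look further than zone misconfiguration.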