BigRed.com - cache poisoning for com/net/org domains
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There was a weird problem posted to this list by Tim Langdell on May 24, 2001 (see http://www.mcabee.org/lists/nanog/msg01330.html). I am experiencing the same problem, though I am certain it is not due to any registry hacks/trojans/virii on the Windows clients, as Tim's message thread suggested.

The problem is that my Win2K DNS server is resolving non-existent domains under com, net or org to the bigred.com website at 64.177.155.101, instead of giving NXDOMAIN as it should.

Let me show you what I have found in my poisoned cache. I did all these queries from a Unix host that resolves through a different nameserver that has not been poisoned. My Win2K DNS server, which services Windows clients on our LAN, is the one I am querying at 172.25.1.104. Check it out:

; <<>> DiG 8.1 <<>> @a.gtld-servers.net nosuchdomainexists.com. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      nosuchdomainexists.com, type = ANY, class = IN

;; AUTHORITY SECTION:
com.                    1D IN SOA       A.GTLD-SERVERS.NET. hostmaster.nsiregistry.NET. (
                                        2001071201      ; serial
                                        30M             ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

;; Total query time: 96 msec
;; FROM: upolu to SERVER: a.gtld-servers.net  192.5.6.30
;; WHEN: Fri Jul 13 11:58:03 2001
;; MSG SIZE  sent: 40  rcvd: 117

OK, so no such domain exists in the gTLD servers. So far so good. But my Win2K DNS says otherwise:

; <<>> DiG 8.1 <<>> @172.25.1.104 nosuchdomainexists.com. ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;;      nosuchdomainexists.com, type = NS, class = IN

;; ANSWER SECTION:
nosuchdomainexists.com. 4m51s IN NS     ns.above.net.
nosuchdomainexists.com. 4m51s IN NS     ns.eli.net.

;; ADDITIONAL SECTION:
ns.above.net.           22h35m53s IN A  207.126.96.162
ns.eli.net.             23h54m5s IN A   209.63.0.2

;; Total query time: 4 msec
;; FROM: upolu to SERVER: 172.25.1.104
;; WHEN: Fri Jul 13 11:58:24 2001
;; MSG SIZE  sent: 40  rcvd: 119

Fascinating. Both of these nameservers say NXDOMAIN for nosuchdomainexists.com, same as the gTLD servers. Now check this out. I ask my cache for the A record of the non-existent domain:

; <<>> DiG 8.1 <<>> @172.25.1.104 nosuchdomainexists.com. a
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      nosuchdomainexists.com, type = A, class = IN

;; ANSWER SECTION:
nosuchdomainexists.com. 59m40s IN A     64.177.155.101

;; Total query time: 3 msec
;; FROM: upolu to SERVER: 172.25.1.104
;; WHEN: Fri Jul 13 11:58:47 2001
;; MSG SIZE  sent: 40  rcvd: 56

Once I have made this query, the Win2K cache has some different glue for it:

; <<>> DiG 8.1 <<>> @172.25.1.104 nosuchdomainexists.com. ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION:
;;      nosuchdomainexists.com, type = NS, class = IN

;; ANSWER SECTION:
nosuchdomainexists.com. 59m27s IN NS    dnsc.nsq.com.

;; ADDITIONAL SECTION:
dnsc.nsq.com.           59m38s IN A     66.34.52.233

;; Total query time: 13 msec
;; FROM: upolu to SERVER: 172.25.1.104
;; WHEN: Fri Jul 13 11:59:01 2001
;; MSG SIZE  sent: 40  rcvd: 79

Iiiiinteresting. But what else is f'ed up here? I ask my Win2K cache for the address of a.gtld-servers.net and get back 66.34.52.224. In fact, my cache says all the gTLD servers have this address, except for z.gtld-servers.net (yes, "z"), for which it gives the address 198.41.3.40. Non-existent gtld-servers.net names get the address of the bigred.com website from my Win2K cache. Thing is, the nameserver at 66.34.52.224 is lame for names under gtld-servers.net, and refers me back to the correct names and addresses for the root zone. It is also lame for the nosuchdomainexists.com name that I was testing with.

What gives???? How did my cache get poisoned, and how can the poisoning be continuing to affect resolution this way, when none of the poisoned glue appears to work at all?? I'm totally stumped.

- ---
ALL YOUR BASE ARE BELONG TO US
SOMEBODY SET UP US THE BOMB

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO09tr0ksS4VV8BvHEQK7owCgxXlaFfUUGpOdemmgBhXk9IH180cAn3oc
OjC8lHvY0wGs7J7FciTyZXmB
=dcfg
-----END PGP SIGNATURE-----
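The two symptoms in the post (a cache returning records for a name the authoritative server marks NXDOMAIN, and one address cached for nearly every gTLD server name) can be checked mechanically by diffing dig output. The script below is an added example, not something from the post or its author: it parses the dig 8.x text format quoted above and runs both checks. The dig texts and the glue list are constructed here from the values the post quotes (they are not captures from the poster's hosts), and every function and constant name is the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a.gtld-servers.net answers NXDOMAIN (values taken from the post).
AUTH_ANY = """\
; <<>> DiG 8.1 <<>> @a.gtld-servers.net nosuchdomainexists.com. any
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      nosuchdomainexists.com, type = ANY, class = IN
;; AUTHORITY SECTION:
com.                    1D IN SOA       A.GTLD-SERVERS.NET. hostmaster.nsiregistry.NET.
;; FROM: upolu to SERVER: a.gtld-servers.net  192.5.6.30
"""

# Constructed sample: the Win2K cache at 172.25.1.104 answers with an A record instead.
CACHE_A = """\
; <<>> DiG 8.1 <<>> @172.25.1.104 nosuchdomainexists.com. a
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      nosuchdomainexists.com, type = A, class = IN
;; ANSWER SECTION:
nosuchdomainexists.com. 59m40s IN A     64.177.155.101
;; Total query time: 3 msec
;; FROM: upolu to SERVER: 172.25.1.104
"""

# Constructed from the post's description: every gTLD server name except "z" is cached
# with the same address. The post names only a and z; b and c are assumed for the example.
CACHED_GLUE = [
    ("a.gtld-servers.net", "66.34.52.224"),
    ("b.gtld-servers.net", "66.34.52.224"),
    ("c.gtld-servers.net", "66.34.52.224"),
    ("z.gtld-servers.net", "198.41.3.40"),
]

SECTION = re.compile(r"^;; (\w+) SECTION:")
RR = re.compile(r"^(\S+)\s+(\S+)\s+IN\s+(\S+)\s+(.+?)\s*$")  # owner ttl IN type rdata


@dataclass
class DigResult:
    server: str
    qname: str
    qtype: str
    status: str
    answers: list  # (owner, ttl, rrtype, rdata) tuples from the ANSWER SECTION


def parse_dig(text):
    """Extract status, question, responding server and answer RRs from dig 8.x output."""
    status = re.search(r"status:\s*([A-Z]+)", text).group(1)
    q = re.search(r"^;;\s+(\S+),\s+type = (\w+), class = IN", text, re.M)
    server = re.search(r"SERVER:\s*(\S+)", text).group(1)
    answers, section = [], None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)          # QUERY / ANSWER / AUTHORITY / ADDITIONAL
        elif section == "ANSWER" and not line.startswith(";"):
            r = RR.match(line)
            if r:
                answers.append(r.groups())
    return DigResult(server, q.group(1), q.group(2), status, answers)


def check_nonexistent(authoritative, cache):
    """Findings when the cache holds data for a name the authority says does not exist."""
    if authoritative.qname.lower() != cache.qname.lower():
        raise ValueError("the two results are for different names")
    if authoritative.status != "NXDOMAIN" or not cache.answers:
        return []
    return [f"{cache.server} answers {rrtype} {rdata} (TTL {ttl}) for {owner}; "
            f"{authoritative.server} answers NXDOMAIN"
            for owner, ttl, rrtype, rdata in cache.answers]


def shared_addresses(glue, min_names=2):
    """Addresses cached for several distinct server names (the gtld-servers.net symptom)."""
    by_addr = defaultdict(set)
    for name, addr in glue:
        by_addr[addr].add(name.lower())
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) >= min_names}


def main():
    for finding in check_nonexistent(parse_dig(AUTH_ANY), parse_dig(CACHE_A)):
        print("CACHE/AUTHORITY MISMATCH:", finding)
    for addr, names in shared_addresses(CACHED_GLUE).items():
        print(f"{addr} is cached for {len(names)} server names: {', '.join(names)}")


if __name__ == "__main__":
    main()
```

To use it against a live resolver, feed `parse_dig` the text of `dig @<authoritative> <name> any` and `dig @<cache> <name> a` for a name you made up; a clean cache answers NXDOMAIN for both, as the first dig in the post does. The shared-address check is a heuristic, so confirm any hit against the authoritative answer for that name, as the post does for a.gtld-servers.net.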
participants (1)
-
Mike Batchelor