nxdomain rfc2308 type 2, but authority is incorrect
www.kissimmee.org

Windows 2008 dns cannot resolve it.

BIND can.

Windows appears to believe the rfc2308 type 2 response, even though recursing the CNAME results in a different authority, ns, and A response, which I assume is why BIND returns the answer.

I must be missing a switch somewhere. Any pointers would be appreciated.
On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon <jmaimon@ttec.com> wrote:
www.kissimmee.org
Windows 2008 dns cannot resolve it.
BIND can.
Hi Joe,

Does Windows 2008 like anything in the "hosting" TLD?

I notice that the nameresolve.com servers returning the CNAME to kissimmee-fl.vts.hosting are also returning an SOA record for "hosting" in the authority section which looks very strange to me. Perhaps Windows is rejecting it as an invalid, possibly dangerous response packet?

Regards,
Bill Herrin

-- 
William Herrin ................ herrin@dirtside.com  bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Wed, Aug 10, 2016 at 2:52 PM, William Herrin <bill@herrin.us> wrote:
On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon <jmaimon@ttec.com> wrote:
www.kissimmee.org
Windows 2008 dns cannot resolve it.
BIND can.
Hi Joe,
Does Windows 2008 like anything in the "hosting" TLD?
I notice that the nameresolve.com servers returning the CNAME to kissimmee-fl.vts.hosting are also returning an SOA record for "hosting" in the authority section which looks very strange to me. Perhaps Windows is rejecting it as an invalid, possibly dangerous response packet?
BTW, here's what I'm talking about:

dig a www.kissimmee.org +trace +all

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> a www.kissimmee.org +trace +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2759
;; flags: qr aa ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     3600000 IN      A       198.41.0.4
a.root-servers.net.     3600000 IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     3600000 IN      A       192.228.79.201
b.root-servers.net.     3600000 IN      AAAA    2001:500:84::b
c.root-servers.net.     3600000 IN      A       192.33.4.12
c.root-servers.net.     3600000 IN      AAAA    2001:500:2::c
d.root-servers.net.     3600000 IN      A       199.7.91.13
d.root-servers.net.     3600000 IN      AAAA    2001:500:2d::d
e.root-servers.net.     3600000 IN      A       192.203.230.10
f.root-servers.net.     3600000 IN      A       192.5.5.241
f.root-servers.net.     3600000 IN      AAAA    2001:500:2f::f
g.root-servers.net.     3600000 IN      A       192.112.36.4
h.root-servers.net.     3600000 IN      A       198.97.190.53

;; Query time: 12 msec
;; SERVER: 192.168.99.1#53(192.168.99.1)
;; WHEN: Wed Aug 10 14:54:00 2016
;; MSG SIZE  rcvd: 496

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53554
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12

;; QUESTION SECTION:
;www.kissimmee.org.             IN      A

;; AUTHORITY SECTION:
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN      A       199.19.56.1
a2.org.afilias-nst.info. 172800 IN      A       199.249.112.1
b0.org.afilias-nst.org. 172800  IN      A       199.19.54.1
b2.org.afilias-nst.org. 172800  IN      A       199.249.120.1
c0.org.afilias-nst.info. 172800 IN      A       199.19.53.1
d0.org.afilias-nst.org. 172800  IN      A       199.19.57.1
a0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:e::1
a2.org.afilias-nst.info. 172800 IN      AAAA    2001:500:40::1
b0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:c::1
b2.org.afilias-nst.org. 172800  IN      AAAA    2001:500:48::1
c0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:b::1
d0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:f::1

;; Query time: 217 msec
;; SERVER: 192.58.128.30#53(192.58.128.30)
;; WHEN: Wed Aug 10 14:54:02 2016
;; MSG SIZE  rcvd: 437

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27382
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kissimmee.org.             IN      A

;; AUTHORITY SECTION:
kissimmee.org.          86400   IN      NS      ns4.nameresolve.com.
kissimmee.org.          86400   IN      NS      ns3.nameresolve.com.
kissimmee.org.          86400   IN      NS      ns1.nameresolve.com.
kissimmee.org.          86400   IN      NS      ns2.nameresolve.com.

;; Query time: 105 msec
;; SERVER: 199.19.53.1#53(199.19.53.1)
;; WHEN: Wed Aug 10 14:54:03 2016
;; MSG SIZE  rcvd: 122

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14318
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kissimmee.org.             IN      A

;; ANSWER SECTION:
www.kissimmee.org.      3600    IN      CNAME   kissimmee-fl.vts.hosting.

;; AUTHORITY SECTION:
hosting.                3600    IN      SOA     ns2.nshosts.com. info.webstrikesolutions.com.hosting. 1089178331 900 3600 604800 3600

;; Query time: 19 msec
;; SERVER: 66.96.142.146#53(66.96.142.146)
;; WHEN: Wed Aug 10 14:54:03 2016
;; MSG SIZE  rcvd: 152
William Herrin wrote:
On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon <jmaimon@ttec.com> wrote:
www.kissimmee.org
Windows 2008 dns cannot resolve it.
BIND can.
Hi Joe,
Does Windows 2008 like anything in the "hosting" TLD?
I notice that the nameresolve.com servers returning the CNAME to kissimmee-fl.vts.hosting are also returning an SOA record for "hosting" in the authority section which looks very strange to me. Perhaps Windows is rejecting it as an invalid, possibly dangerous response packet?
Regards, Bill Herrin
I think that provided SOA record is a "local" or "alternate" version and its existence is why the nxdomain response is being sent to the windows dns server that accepts it at face value (but does not appear to store it in cache, so this is not precisely cache poisoning).

Here is another example, unrelated to the new TLDs:

www.lomita.com

Joe
On Wed, Aug 10, 2016 at 3:27 PM, Joe Maimon <jmaimon@ttec.com> wrote:
William Herrin wrote:
On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon <jmaimon@ttec.com> wrote:
www.kissimmee.org Windows 2008 dns cannot resolve it.
I notice that the nameresolve.com servers returning the CNAME to kissimmee-fl.vts.hosting are also returning an SOA record for "hosting" in the authority section which looks very strange to me. Perhaps Windows is rejecting it as an invalid, possibly dangerous response packet?
I think that provided SOA record is a "local" or "alternate" version and its existence is why the nxdomain response is being sent to the windows dns server that accepts it at face value (but does not appear to store it in cache, so this is not precisely cache poisoning)
Oh! I missed that. ns*.nameresolve.com, the authoritative name servers for kissimmee.org, are saying NXDOMAIN for www.kissimmee.org.

Any idea what DNS server nameresolve.com uses? Because that's... wow.

-Bill

-- 
William Herrin ................ herrin@dirtside.com  bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
William Herrin <bill@herrin.us> wrote:
Oh! I missed that. ns*.nameresolve.com, the authoritative name servers for kissimmee.org, are saying NXDOMAIN for www.kissimmee.org. Any idea what DNS server nameresolve.com uses? Because that's... wow.
Er, me too, headdesk. NXDOMAIN with an answer?!

$ fpdns ns2.yourhostingaccount.com.
fingerprint (ns2.yourhostingaccount.com., 65.254.254.155): Unlogic Eagle DNS 1.0 -- 1.0.1  [New Rules]

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Humber, Thames, Dover: West or southwest 4 or 5, increasing 6 at times. Slight or moderate. Occasional rain at first. Good, occasionally poor at first.
In message <57AB8024.7010702@ttec.com>, Joe Maimon writes:
William Herrin wrote:
On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon <jmaimon@ttec.com> wrote:
www.kissimmee.org
Windows 2008 dns cannot resolve it.
BIND can.
Hi Joe,
Does Windows 2008 like anything in the "hosting" TLD?
I notice that the nameresolve.com servers returning the CNAME to kissimmee-fl.vts.hosting are also returning an SOA record for "hosting" in the authority section which looks very strange to me. Perhaps Windows is rejecting it as an invalid, possibly dangerous response packet?
Regards, Bill Herrin
I think that provided SOA record is a "local" or "alternate" version and its existence is why the nxdomain response is being sent to the windows dns server that accepts it at face value (but does not appear to store it in cache, so this is not precisely cache poisoning)
Nameresolve.com's servers are returning answers that can be seen as a cache poisoning attempt. They are NOT authoritative for ".hosting" but have been configured as if they are. This is a big NO NO. You don't configure yourself as authoritative for a zone that has not been delegated to you and in particular you don't configure yourself as authoritative for "." or a TLD.

Windows 2008 is quite correct in rejecting this answer. Named would as well except for the number of DNS hosters that do this sort of garbage. Named just sees the CNAME and stops processing the message after that.

Mark
Here is another example, unrelated to the new TLD's
www.lomita.com
Joe
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
Mark Andrews wrote:
Nameresolve.com's servers are returning answers that can be seen as a cache poisoning attempt. They are NOT authoritative for ".hosting" but have been configured as if they are. This is a big NO NO. You don't configure yourself as authoritative for a zone that has not been delegated to you and in particular you don't configure yourself as authoritative for "." or a TLD.
Windows 2008 is quite correct in rejecting this answer. Named would as well except for the number of DNS hosters that do this sort of garbage. Named just sees the CNAME and stops processing the message after that.
Mark
Thanks for the replies Mark and Bill.

I think it's fair to say that most DNS servers have at one time or another hosted a zone they were not authoritative for according to the DNS tree, as simple as a customer leaving without notice, cruft, split view incorrectly configured, etc.

In any event, Windows is accepting the negative answer, BIND is rejecting it and going forward with resolving the CNAME, successfully.

Joe
In message <57ABB456.5020003@ttec.com>, Joe Maimon writes:
Mark Andrews wrote:
Nameresolve.com's servers are returning answers that can be seen as a cache poisoning attempt. They are NOT authoritative for ".hosting" but have been configured as if they are. This is a big NO NO. You don't configure yourself as authoritative for a zone that has not been delegated to you and in particular you don't configure yourself as authoritative for "." or a TLD.
Windows 2008 is quite correct in rejecting this answer. Named would as well except for the number of DNS hosters that do this sort of garbage. Named just sees the CNAME and stops processing the message after that.
Mark
Thanks for the replies Mark and Bill.
I think it's fair to say that most DNS servers have at one time or another hosted a zone they were not authoritative for according to the DNS tree, as simple as a customer leaving without notice, cruft, split view incorrectly configured, etc.
Having the odd leaf zone left over doesn't usually cause operational problems. You have to be very unlucky to be delegated a zone that has a CNAME that points into the left over leaf zone.

In this case there is a fake TLD zone. This isn't a left over zone. This is a DNS hoster not understanding the DNS and the implications of their operational decisions. People forget nameservers return negative existence answers and that they need to be as valid as the positive existence answers.
In any event, Windows is accepting the negative answer, BIND is rejecting it and going forward with resolving the CNAME, successfully.
Joe

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
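The check Mark describes, written out as an added example (this is editor-supplied code, not from any poster in the thread and not named's implementation): a resolver that was referred to ns1.nameresolve.com for kissimmee.org must not accept negative data whose SOA owner ("hosting.") lies outside that delegation, and with a CNAME in the answer it should follow the CNAME and ignore the rest of the message. The RR/Response classes, the bailiwick rule and the function names are assumptions for illustration; the first response's records are copied from the dig output quoted earlier in the thread, the others in the usage are constructed.

```python
# Added example: bailiwick check for a negative (NXDOMAIN) DNS answer.
# Not code from the thread or from BIND; record classes and names are
# illustrative assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str      # owner name, presentation format ("www.kissimmee.org.")
    rtype: str     # "CNAME", "SOA", "A", ...
    rdata: str     # CNAME target, or SOA MNAME (enough for this check)


@dataclass
class Response:
    qname: str
    rcode: str     # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


def labels(name):
    """Split a domain name into lower-cased labels; the root "." gives []."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_zone(name, zone):
    """True if name equals zone or lies below it (names compare case-insensitively)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def negative_claim_is_credible(soa, covered_name, bailiwick):
    """A negative answer is credible only if the SOA owner is at or above the
    name it claims does not exist AND inside the zone the parent delegated
    to this server (its bailiwick). An SOA for "hosting." from a server that
    .org delegated kissimmee.org to fails the second test."""
    return in_zone(covered_name, soa.name) and in_zone(soa.name, bailiwick)


def classify(resp, bailiwick):
    """Decide what a resolver should do with resp, a reply from a server whose
    bailiwick (the zone the referral named) is `bailiwick`.

    Returns one of:
      ("follow_cname", target)  answer holds a CNAME; out-of-bailiwick SOA ignored
      ("negative", name)        in-bailiwick NXDOMAIN, cacheable per RFC 2308
      ("reject", None)          NXDOMAIN whose SOA is out of bailiwick
      ("answer", records)       ordinary positive answer
    """
    soa = next((rr for rr in resp.authority if rr.rtype == "SOA"), None)
    cname = next((rr for rr in resp.answer
                  if rr.rtype == "CNAME" and labels(rr.name) == labels(resp.qname)), None)

    if cname is not None:
        # RFC 2308 type 2 shape: the CNAME proves qname exists, so NXDOMAIN can
        # only be about the target, and only an SOA inside this server's own
        # delegation may vouch for that. Otherwise do what named does: take
        # the CNAME and stop processing the message.
        if (resp.rcode == "NXDOMAIN" and soa is not None
                and negative_claim_is_credible(soa, cname.rdata, bailiwick)):
            return ("negative", cname.rdata)
        return ("follow_cname", cname.rdata)

    if resp.rcode == "NXDOMAIN":
        if soa is not None and negative_claim_is_credible(soa, resp.qname, bailiwick):
            return ("negative", resp.qname)
        return ("reject", None)

    return ("answer", list(resp.answer))


# The response from the thread (records copied from the dig output): the
# server is authoritative for kissimmee.org yet ships an SOA for the TLD
# "hosting." next to the CNAME.
KISSIMMEE = Response(
    qname="www.kissimmee.org.",
    rcode="NXDOMAIN",
    answer=[RR("www.kissimmee.org.", "CNAME", "kissimmee-fl.vts.hosting.")],
    authority=[RR("hosting.", "SOA", "ns2.nshosts.com.")],
)

if __name__ == "__main__":
    print(classify(KISSIMMEE, "kissimmee.org."))   # ('follow_cname', 'kissimmee-fl.vts.hosting.')
```

The rule is deliberately stricter than RFC 2308 itself: a server that legitimately hosts both the CNAME's zone and the target's zone could also produce a type 2 response, but a resolver cannot tell that apart from the kissimmee.org case without a separate referral for the target, so the safe fallback is the one BIND takes, re-resolving the CNAME target from the top.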
Joe Maimon <jmaimon@ttec.com> wrote:
www.kissimmee.org
Windows appears to believe the rfc2308 type 2 response,
RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so section 2.1 doesn't apply, and the response includes answers, so section 2.2 doesn't apply.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fisher, German Bight: South, veering west or southwest, 4 or 5, increasing 6 at times. Slight or moderate. Occasional rain. Good, occasionally poor.
Tony Finch wrote:
Joe Maimon <jmaimon@ttec.com> wrote:
www.kissimmee.org
Windows appears to believe the rfc2308 type 2 response,
RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so section 2.1 doesn't apply, and the response includes answers, so section 2.2 doesn't apply.
Tony.
We must be reading different things.

   NXDOMAIN RESPONSE: TYPE 2.

   Header:
       RDCODE=NXDOMAIN
   Query:
       AN.EXAMPLE. A
   Answer:
       AN.EXAMPLE. CNAME TRIPPLE.XX.
   Authority:
       XX. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
   Additional:
       <empty>

c:\Documents and Settings\joe.JOE.000>c:\programs\bind\bin\dig.exe www.kissimmee.org @ns1.nameresolve.com

; <<>> DiG 9.10a2 <<>> www.kissimmee.org @ns1.nameresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36437
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;www.kissimmee.org.             IN      A

;; ANSWER SECTION:
www.kissimmee.org.      3600    IN      CNAME   kissimmee-fl.vts.hosting.

;; AUTHORITY SECTION:
hosting.                3600    IN      SOA     ns2.nshosts.com. info.webstrikesolutions.com.hosting. 1089178331 900 3600 604800 3600

;; Query time: 62 msec
;; SERVER: 66.96.142.146#53(66.96.142.146)
;; WHEN: Thu Aug 11 08:36:59 Eastern Daylight Time 2016
;; MSG SIZE  rcvd: 163
participants (4)
- Joe Maimon
- Mark Andrews
- Tony Finch
- William Herrin