I am having some very bizzare DNS issues and am wondering if anyone will be able to shed some light on this. A customer of ours started recieving thousands of DNS requests for a wide range of domains, mostly foreign. The requests are coming from a wide range of ips most of which respond to nslookups "ie are nameservers". I have done a whois on some of the domains and the 2 name servers having the problems don't show up, I have also check to root servers and dont see anything which would direct those domains to the name servers. Their entire T1 is full from these requests about 1.2 meg. As the customer is in the business of web hosting they can kill named nor can they put up a packet filter to fix this. Also because there are literally hundreds of diffrent domains both preforming the lookups and being looked up it is not feasable to call the admin of each one to work this out. Anyone have any ideas? Max Spaulding Internet Connect, INC. max@inc.net
It is possible that their their server started claiming false authority for a tld (eg. com) and polluted some caches or another server started claiming it was authoritative and polluted some caches. That would mean that these broken servers now think that your customer's server is authoritative for some tld. The thing to do to verify that would be to check to see what some of the servers that are querying your server think are the authoritative servers for .com, etc. Then, if you find that they do think your customer's server is authoritative, have them dump their cache to try to track back where they got that record from, etc. Oh, and make everyone upgrade their version of BIND. Unfortunately, far too many people refuse even when they know their whole world can be messed up by a broken nameserver or two unless they upgrade. If the above is the problem, then there isn't really any short term fix. You just have to get the source of the false authority records to stop, then wait until TTLs expire. On Fri, 14 Aug 1998 max@inc.net wrote:
I am having some very bizzare DNS issues and am wondering if anyone will be able to shed some light on this. A customer of ours started recieving thousands of DNS requests for a wide range of domains, mostly foreign. The requests are coming from a wide range of ips most of which respond to nslookups "ie are nameservers". I have done a whois on some of the domains and the 2 name servers having the problems don't show up, I have also check to root servers and dont see anything which would direct those domains to the name servers. Their entire T1 is full from these requests about 1.2 meg. As the customer is in the business of web hosting they can kill named nor can they put up a packet filter to fix this. Also because there are literally hundreds of diffrent domains both preforming the lookups and being looked up it is not feasable to call the admin of each one to work this out. Anyone have any ideas?
Max Spaulding Internet Connect, INC. max@inc.net
Hi,
Oh, and make everyone upgrade their version of BIND. Unfortunately, far too many people refuse even when they know their whole world can be messed up by a broken nameserver or two unless they upgrade.
Yeah. What he said. Upgrade. Please. See http://www.cert.org/advisories/CA-98.05.bind_problems.html for a few good reasons. Regards, -drc
On Sat, 15 Aug 1998, David R. Conrad wrote:
Hi,
Oh, and make everyone upgrade their version of BIND. Unfortunately, far too many people refuse even when they know their whole world can be messed up by a broken nameserver or two unless they upgrade.
Yeah. What he said. Upgrade. Please.
See http://www.cert.org/advisories/CA-98.05.bind_problems.html for a few good reasons.
To summarize for lazy people (since others would have upgraded already...): your DNS is vulnerable to manipulation (both on purpose and by accident; this is _NOT_ some rare thing, but happens more and more), the machine you run BIND on is vulnerable to root compromises, your job is vulnerable. While we are on the topic, are there any known cache pollution problems with 4.9.7 that are fixed in 8.x? I had thought that those problems were fixed in 4.9.7 but I keep think I seeing other people's 4.9.7 machines vulnerable to them.
Hi,
While we are on the topic, are there any known cache pollution problems with 4.9.7 that are fixed in 8.x?
Not that I'm aware of.
I had thought that those problems were fixed in 4.9.7 but I keep think I seeing other people's 4.9.7 machines vulnerable to them.
If you find one, please let us know asap. 8.1 fixes other problems (performance related) -- cache pollution prevention should be consistent between 4.9.x and 8.1.x. If there is a problem, we'll need to find it, fix it, and make a new release. Regards, -drc
This wouldn't be webteam.net, would it? =) This morning, Chris Yarnell from NASA pointed out the response to "dig @a.root-servers.net . soa": . 2D IN NS PANIC.WEBTEAM.NET. . 2D IN NS TORGO.WEBTEAM.NET. PANIC.WEBTEAM.NET. 2D IN A 207.67.50.8 TORGO.WEBTEAM.NET. 2D IN A 207.67.50.7 I don't know how this happened, but it doesn't look pretty. =) (The "standard" zone files were okay -- .COM, .NET, etc...) /cah On Fri, Aug 14, 1998 at 11:52:09PM -0500, max@inc.net wrote: ==> I am having some very bizzare DNS issues and am wondering if anyone ==> will be able to shed some light on this. A customer of ours started ==> recieving thousands of DNS requests for a wide range of domains, ==> mostly foreign. The requests are coming from a wide range of ips ==> most of which respond to nslookups "ie are nameservers". I have done ==> a whois on some of the domains and the 2 name servers having the ==> problems don't show up, I have also check to root servers and dont see ==> anything which would direct those domains to the name servers. Their ==> entire T1 is full from these requests about 1.2 meg. As the customer ==> is in the business of web hosting they can kill named nor can they ==> put up a packet filter to fix this. Also because there are literally ==> hundreds of diffrent domains both preforming the lookups and being ==> looked up it is not feasable to call the admin of each one to work ==> this out. Anyone have any ideas? ==> ==> ==>Max Spaulding ==>Internet Connect, INC. ==>max@inc.net ==>
Craig A. Huegen wrote:
This wouldn't be webteam.net, would it? =)
This morning, Chris Yarnell from NASA pointed out the response to "dig @a.root-servers.net . soa":
. 2D IN NS PANIC.WEBTEAM.NET. . 2D IN NS TORGO.WEBTEAM.NET. PANIC.WEBTEAM.NET. 2D IN A 207.67.50.8 TORGO.WEBTEAM.NET. 2D IN A 207.67.50.7
I don't know how this happened, but it doesn't look pretty. =)
(The "standard" zone files were okay -- .COM, .NET, etc...)
/cah
How did this happen anyway? InterNIC? Postel? Doesn't this error imply that a percentage of the Internet was unresolvable by the entire planet? It would really be great to find out what chain of events got us a root nameserver on our network; not that we wouldn't mind donating the resources to run one - it would just be nice to know in advance. :-) Maybe we can get bilateral peering with BBN since we have a root server, Ryan Brooks ryan@inc.net CTO, Internet Connect, Inc.
On Sat, Aug 15, 1998 at 04:13:49AM -0500, Ryan K. Brooks wrote: ==>How did this happen anyway? InterNIC? Postel? Doesn't this error imply that ==>a percentage of the Internet was unresolvable by the entire planet? No. It means that any mis-spelled top-level domain went to you. So you got all the traffic for .ent, .ocm, .cmo, .nte, etc domains =) (.net and .com permutations for those of you who didn't see it) /cah
After looking at the DIG output posted I would have to agree with how this _should_ have manifested itself (mispelled TLDs only, because of the SOA) - But packet dumps showed the lookups contained lots of valid domains, tons of stuff in .mg, .il, .uk, .gov and to a latter extent .com and .net (but only largish sites like excite, yahoo, etc). Ryan Brooks ryan@inc.net CTO, Internet Connect, Inc. Craig A. Huegen wrote:
On Sat, Aug 15, 1998 at 04:13:49AM -0500, Ryan K. Brooks wrote:
==>How did this happen anyway? InterNIC? Postel? Doesn't this error imply that ==>a percentage of the Internet was unresolvable by the entire planet?
No. It means that any mis-spelled top-level domain went to you.
So you got all the traffic for .ent, .ocm, .cmo, .nte, etc domains =)
(.net and .com permutations for those of you who didn't see it)
/cah
participants (6)
-
Craig A. Huegen
-
David R. Conrad
-
Marc Slemko
-
max@inc.net
-
Ryan Brooks
-
Ryan K. Brooks