Is my BIND Server's Cache Poisoned?
Hi,

I met a strange problem with my cache server, which runs BIND 9.3.1.

In past days, our customers complained that three domain names (www.hangzhou.gov.cn, www.zpepc.com.cn) could not be resolved frequently. I checked on the cache server and found that, when the cache server could not resolve www.hangzhou.gov.cn (www.zpepc.com.cn), I can solve the problem by running "rndc flush".

The debugging output of the named process has the following output when it could not resolve www.hangzhou.gov.cn.

Does that mean my cache server is poisoned for these two domain names?

===============================
24-Jun-2005 19:02:00.015 client 202.101.172.148#32769: UDP request
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: request is not signed
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: recursion available
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query (cache) 'www.hangzhou.gov.cn/A/IN' approved
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: replace
24-Jun-2005 19:02:00.026 clientmgr @2addf8: createclients
24-Jun-2005 19:02:00.026 clientmgr @2addf8: create new
24-Jun-2005 19:02:00.026 client @3c19f28: create
24-Jun-2005 19:02:00.026 createfetch: www.hangzhou.gov.cn A
24-Jun-2005 19:02:00.026 client @3c19f28: udprecv
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): create
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): join
24-Jun-2005 19:02:00.026 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)): created
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): start
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.027 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.049 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.050 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.052 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.054 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): answer_response
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): clone_results
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): done
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): stopeverything
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): sendevents
24-Jun-2005 19:02:00.054 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)): destroyfetch
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): shutdown
===============================

regards
Joe

__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - 1GB free storage!
http://sg.info.mail.yahoo.com
No. These are just mis-configured zones.

hangzhou.gov.cn only has glue records for the nameservers. zpepc.com.cn has CNAMEs for the nameservers.

Both of these misconfigurations are visible to nameservers that are IPv6 aware. Nameservers that are not IPv6 aware are not likely to make the queries that make these misconfigurations visible.

Flushing the cache temporarily hides the misconfiguration.

Mark

% dig dns2.hangzhou.gov.cn @sld-ns1.cnnic.net.cn

; <<>> DiG 8.3 <<>> dns2.hangzhou.gov.cn @sld-ns1.cnnic.net.cn
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 110
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      dns2.hangzhou.gov.cn, type = A, class = IN

;; AUTHORITY SECTION:
hangzhou.gov.cn.        12H IN NS       dns.hangzhou.gov.cn.
hangzhou.gov.cn.        12H IN NS       dns2.hangzhou.gov.cn.

;; ADDITIONAL SECTION:
dns.hangzhou.gov.cn.    12H IN A        218.108.246.45
dns2.hangzhou.gov.cn.   12H IN A        60.191.40.77

;; Total query time: 338 msec
;; FROM: drugs.dv.isc.org to SERVER: 159.226.1.3
;; WHEN: Thu Jun 30 13:30:32 2005
;; MSG SIZE  sent: 38  rcvd: 102

% dig dns2.hangzhou.gov.cn @60.191.40.77

; <<>> DiG 8.3 <<>> dns2.hangzhou.gov.cn @60.191.40.77
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      dns2.hangzhou.gov.cn, type = A, class = IN

;; AUTHORITY SECTION:
hangzhou.gov.cn.        1H IN SOA       dns.hangzhou.gov.cn. mail.hz.gov.cn. (
                                        2005062401      ; serial
                                        1H              ; refresh
                                        30M             ; retry
                                        1w3d            ; expiry
                                        1H )            ; minimum

;; Total query time: 6365 msec
;; FROM: drugs.dv.isc.org to SERVER: 60.191.40.77
;; WHEN: Thu Jun 30 13:30:52 2005
;; MSG SIZE  sent: 38  rcvd: 86

%
% dig ns1.zpepc.com.cn @202.107.201.1

; <<>> DiG 8.3 <<>> ns1.zpepc.com.cn @202.107.201.1
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23703
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      ns1.zpepc.com.cn, type = A, class = IN

;; ANSWER SECTION:
ns1.zpepc.com.cn.       1D IN CNAME     202-107-201-1.zpepc.com.cn.
202-107-201-1.zpepc.com.cn.  1D IN A    202.107.201.1

;; AUTHORITY SECTION:
zpepc.com.cn.           1D IN NS        ns1.zpepc.com.cn.

;; Total query time: 5593 msec
;; FROM: drugs.dv.isc.org to SERVER: 202.107.201.1
;; WHEN: Thu Jun 30 13:35:12 2005
;; MSG SIZE  sent: 34  rcvd: 92

%
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
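Mark's two dig transcripts show the check done by hand: ask the parent for the delegation, then ask each listed nameserver about its own name and see whether the answer agrees with the glue. The following script does that comparison mechanically. It is an added example, not code from the thread or from BIND; it parses the old DiG 8.x output format shown above, and all of its sample responses are constructed (trimmed copies of Mark's transcripts, plus a made-up parent referral for zpepc.com.cn, since the thread only shows that zone's child answer; the glue address in it is the server Mark queried). The verdict tags and the RFC 2181 section 10.3 reference for the CNAME case are mine.

```python
"""Delegation checker for the two misconfigurations in this thread (added
example, not code from the thread or from BIND).  It parses old-style DiG 8.x
output like the transcripts Mark posted, takes NS names and glue from the
parent referral, and compares them with what each child nameserver says about
its own name.  Samples are constructed: trimmed from the thread's transcripts,
except the zpepc.com.cn referral, which is made up to match the server queried."""
import re

PARENT_HANGZHOU = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 110
;; AUTHORITY SECTION:
hangzhou.gov.cn.        12H IN NS       dns.hangzhou.gov.cn.
hangzhou.gov.cn.        12H IN NS       dns2.hangzhou.gov.cn.
;; ADDITIONAL SECTION:
dns.hangzhou.gov.cn.    12H IN A        218.108.246.45
dns2.hangzhou.gov.cn.   12H IN A        60.191.40.77
"""
PARENT_ZPEPC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; AUTHORITY SECTION:
zpepc.com.cn.           1D IN NS        ns1.zpepc.com.cn.
;; ADDITIONAL SECTION:
ns1.zpepc.com.cn.       1D IN A         202.107.201.1
"""
CHILD_RESPONSES = {  # (ns name, server asked) -> that server's answer for the name
    ("dns2.hangzhou.gov.cn.", "60.191.40.77"): """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38698
;; AUTHORITY SECTION:
hangzhou.gov.cn.        1H IN SOA       dns.hangzhou.gov.cn. mail.hz.gov.cn. (
                                        2005062401      ; serial
                                        1H              ; refresh
                                        30M             ; retry
                                        1w3d            ; expiry
                                        1H )            ; minimum
""",
    ("ns1.zpepc.com.cn.", "202.107.201.1"): """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23703
;; ANSWER SECTION:
ns1.zpepc.com.cn.       1D IN CNAME     202-107-201-1.zpepc.com.cn.
202-107-201-1.zpepc.com.cn.  1D IN A    202.107.201.1
""",
}
RECORD_RE = re.compile(r"^(\S+)\s+\S+\s+IN\s+([A-Z]+)\s+(.*)$")  # owner ttl IN type rdata

def _record(line):
    owner, rtype, rdata = RECORD_RE.match(line).groups()
    return owner.lower(), rtype, rdata.strip().lower()

def parse_dig(text):
    """Return (rcode, {section: [(owner, type, rdata)]}) for DiG 8.x output."""
    rcode, sections, current, pending = None, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            rcode = re.search(r"status:\s*([A-Z]+)", line).group(1)
        elif re.match(r";;\s+\w+ SECTION:", line):
            current = line.split()[1]
            sections.setdefault(current, [])
        elif not line or line.startswith(";") or current is None:
            continue
        else:
            body = line.split(";")[0].strip()          # drop trailing comments
            if pending is not None:                    # inside a ( ... ) record
                pending += " " + body
                if ")" in body:
                    sections[current].append(_record(pending))
                    pending = None
            elif "(" in body and ")" not in body:
                pending = body
            else:
                sections[current].append(_record(body))
    return rcode, sections

def check_delegation(zone, parent_text, child_responses):
    """Compare parent glue with each child nameserver's statement about its own
    name.  Returns [(ns_name, verdict)]; every verdict starts with a fixed tag."""
    zone = zone.lower()
    _, parent = parse_dig(parent_text)
    ns_names = [r for o, t, r in parent.get("AUTHORITY", []) if o == zone and t == "NS"]
    glue = {o: r for o, t, r in parent.get("ADDITIONAL", []) if t == "A"}
    findings = []
    for ns in ns_names:
        ip = glue.get(ns)
        if ip is None:
            findings.append((ns, "no-glue: parent referral carries no A record for it"))
            continue
        if (ns, ip) not in child_responses:
            findings.append((ns, "not-checked: no response from %s on hand" % ip))
            continue
        rcode, child = parse_dig(child_responses[(ns, ip)])
        answers = child.get("ANSWER", [])
        if rcode == "NXDOMAIN":
            verdict = "glue-only: child zone says its own NS name does not exist"
        elif any(o == ns and t == "CNAME" for o, t, _ in answers):
            verdict = "cname: NS target is an alias, forbidden by RFC 2181 section 10.3"
        elif any(o == ns and t == "A" and r == ip for o, t, r in answers):
            verdict = "ok: child zone confirms glue %s" % ip
        else:
            verdict = "mismatch: child answer does not contain glue %s" % ip
        findings.append((ns, verdict))
    return findings

if __name__ == "__main__":
    for zone, parent in (("hangzhou.gov.cn.", PARENT_HANGZHOU), ("zpepc.com.cn.", PARENT_ZPEPC)):
        print(check_delegation(zone, parent, CHILD_RESPONSES))
```

Run against the samples it reports dns2.hangzhou.gov.cn as glue-only and ns1.zpepc.com.cn as a CNAME, which is exactly the pair of defects Mark names; dns.hangzhou.gov.cn is reported as not checked because the thread contains no query to it. To use it on a live zone, paste in the output of the same two dig commands for each nameserver.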
On Thu, 30 Jun 2005, Mark Andrews wrote:

No. These are just mis-configured zones.
hangzhou.gov.cn only has glue records for the nameservers. zpepc.com.cn has CNAMEs for the nameservers.
Both of these misconfigurations are visible to nameservers that are IPv6 aware. Nameservers that are not IPv6 aware are not likely to make the queries that make these misconfigurations visible.

Why would these DNS misconfigurations be visible only to IPv6-aware servers?

--
William Leibzon
Elan Networks
william@elan.net
Why would these DNS misconfigurations be visible only to IPv6-aware servers?
Because IPv6 aware nameservers make AAAA queries for the IPv6 addresses of the nameservers and as a result see the NXDOMAIN / CNAME. The IPv4 only nameservers don't make these queries, as a matter of practice, and only see the problems if some client of the nameserver makes a query for some records with the same name as that of the nameservers.

Mark
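Mark's explanation has a second half that the thread leaves implicit: why the failure comes and goes, and why "rndc flush" cures it for a while. A negative answer is cached for the name, not only for the type that was asked about (RFC 2308), so once the AAAA lookup for dns2.hangzhou.gov.cn has brought back NXDOMAIN, the resolver treats the name as non-existent for A as well and the glue it had is gone until the negative entry ages out or is flushed. The model below reproduces that sequence. It is an added example, not BIND's code: the TTLs and the glue address are taken from Mark's transcripts, the www address and its 600-second TTL are placeholders, and two behaviours are simplifications I have assumed rather than lifted from BIND (an authoritative NXDOMAIN displaces cached glue under the same name, and a resolver uses the address it already has while fetching the address type it lacks).

```python
"""Model of the failure Mark describes (added example, not BIND code).  A
resolver's cache keeps an NXDOMAIN for the *name*, not just for the type it
asked about (RFC 2308), so once an IPv6-aware resolver has asked AAAA for a
nameserver name that exists only as glue, the NXDOMAIN answer displaces the
glue and the nameserver has no usable address until the negative entry
expires or the cache is flushed.  Authoritative data and TTLs are constructed
from the thread's transcripts (the www address is a placeholder)."""

NS_NAME = "dns2.hangzhou.gov.cn."
PARENT_GLUE = {NS_NAME: ("60.191.40.77", 12 * 3600)}                 # referral glue, 12H TTL
CHILD_ZONE = {("www.hangzhou.gov.cn.", "A"): ("203.0.113.10", 600)}  # no NS_NAME records at all
NEGATIVE_TTL = 3600                                                   # the 1H SOA minimum

def child_server(name, rtype):
    """Authoritative answer from the child zone: (rcode, rdata, ttl)."""
    if (name, rtype) in CHILD_ZONE:
        return ("NOERROR",) + CHILD_ZONE[(name, rtype)]
    if any(n == name for n, _ in CHILD_ZONE):
        return "NOERROR", None, 0          # name exists, no data of that type
    return "NXDOMAIN", None, NEGATIVE_TTL   # the name does not exist at all

class Resolver:
    """Minimal caching resolver; `now` is an explicit clock for determinism."""
    def __init__(self, ipv6_aware):
        self.ipv6_aware = ipv6_aware
        self.positive = {}   # (name, type) -> (rdata, expiry)
        self.negative = {}   # name -> expiry; an NXDOMAIN covers every type
        self.now = 0
        self.upstream = []   # (name, type) queries actually sent

    def flush(self):
        """What `rndc flush` does: forget good and bad entries alike."""
        self.positive.clear()
        self.negative.clear()

    def _learn_referral(self):
        for name, (addr, ttl) in PARENT_GLUE.items():
            self.positive[(name, "A")] = (addr, self.now + ttl)

    def _knows(self, name):
        return self.negative.get(name, -1) > self.now or any(
            k[0] == name and exp > self.now for k, (_, exp) in self.positive.items())

    def _fetch(self, name, rtype):
        """Cached lookup; goes upstream on a miss and caches what comes back."""
        if self.negative.get(name, -1) > self.now:
            return None
        hit = self.positive.get((name, rtype))
        if hit and hit[1] > self.now:
            return hit[0]
        self.upstream.append((name, rtype))
        rcode, rdata, ttl = child_server(name, rtype)
        if rcode == "NXDOMAIN":
            # Modelled: an authoritative NXDOMAIN outranks glue.  The name is
            # gone for every type, so cached glue under it is discarded too.
            self.negative[name] = self.now + ttl
            for key in [k for k in self.positive if k[0] == name]:
                del self.positive[key]
        elif rdata is not None:
            self.positive[(name, rtype)] = (rdata, self.now + ttl)
        return rdata

    def nameserver_address(self, ns_name):
        """Address lookup for a nameserver.  Modelled: whatever is cached (the
        glue) is used at once; an IPv6-aware resolver also fetches the AAAA it
        lacks, and that fetch is what surfaces the NXDOMAIN."""
        found = None
        for rtype in (("A", "AAAA") if self.ipv6_aware else ("A",)):
            addr = self._fetch(ns_name, rtype)
            found = found or addr
        return found

    def resolve(self, qname):
        """Answer an A query for qname via NS_NAME; returns rdata or 'SERVFAIL'."""
        hit = self.positive.get((qname, "A"))
        if hit and hit[1] > self.now:
            return hit[0]
        if not self._knows(NS_NAME):       # nothing cached: walk down via the parent
            self._learn_referral()
        if self.nameserver_address(NS_NAME) is None:
            return "SERVFAIL"
        return self._fetch(qname, "A") or "SERVFAIL"

def timeline(ipv6_aware, flush_at=None):
    """Resolve www at t=0, t=601 (www TTL expired) and t=3601 (negative TTL
    expired); optionally run `rndc flush` just before the second query."""
    r = Resolver(ipv6_aware)
    out = []
    for t in (0, 601, 3601):
        r.now = t
        if t == flush_at:
            r.flush()
        out.append(r.resolve("www.hangzhou.gov.cn."))
    return out

if __name__ == "__main__":
    print("IPv4 only:        ", timeline(False))
    print("IPv6 aware:       ", timeline(True))
    print("IPv6 aware, flush:", timeline(True, flush_at=601))
```

The IPv4-only resolver answers every time from the glue, because it never sends the AAAA query that would contradict it. The IPv6-aware resolver answers the first query (it still holds the glue while the AAAA answer comes back), fails once the cached www record has expired and only the negative entry remains, and works again after the negative TTL has run out, which is the intermittent pattern Joe saw; a flush simply restarts that cycle.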
Hi, thanks for the help.
I've run the BIND9 cache server with the -4 option. Is there any way to make BIND9 fault tolerant?

Joe

__________________________________
Meet your soulmate! Yahoo! Asia presents Meetic - where millions of singles gather
http://asia.yahoo.com/meetic
On 30/06/05, Joe Shen <joe_hznm@yahoo.com.sg> wrote:
I've run the BIND9 cache server with the -4 option. Is there any way to make BIND9 fault tolerant?
It is pretty tolerant of its own faults. But in this case it is simply following the DNS spec. You could say it is not tolerant of other people's faults, but neither should you be, in cases like this!

--
Suresh Ramasubramanian (ops.lists@gmail.com)