North American Network Operators Group


Re: Is my BIND Server's Cache Poisoned?

  • From: Mark Andrews
  • Date: Wed Jun 29 23:55:13 2005

> Hi,
> 
> I met a strange problem with my cache server, which
> runs BIND9.3.1.
> 
> In past days, our customers complained that three
> domain names (www.hangzhou.gov.cn, www.zpepc.com.cn)
> could not be resolved frequently. I checked on the
> cache server and found, when the cache server could
> not resolve www.hangzhou.gov.cn (www.zpepc.com.cn) I
> can solve the problem by running "rndc flush". 
> 
> The debugging output of named process has the
> following output when it could not resolve
> www.hangzhou.gov.cn.
> 
> Does that mean my cache server is poisoned for these
> two domain names? 

	No.  These are just mis-configured zones.

	hangzhou.gov.cn only has glue records for the nameservers.
	zpepc.com.cn has CNAMEs for the nameservers.

	Both of these misconfigurations are visible to nameservers
	that are IPv6 aware.  Nameservers that are not IPv6 aware
	are not likely to make the queries that make these
	misconfigurations visible.

	Flushing the cache temporarily hides the misconfiguration.

	Mark

% dig dns2.hangzhou.gov.cn @sld-ns1.cnnic.net.cn

; <<>> DiG 8.3 <<>> dns2.hangzhou.gov.cn @sld-ns1.cnnic.net.cn 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 110
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      dns2.hangzhou.gov.cn, type = A, class = IN

;; AUTHORITY SECTION:
hangzhou.gov.cn.        12H IN NS       dns.hangzhou.gov.cn.
hangzhou.gov.cn.        12H IN NS       dns2.hangzhou.gov.cn.

;; ADDITIONAL SECTION:
dns.hangzhou.gov.cn.    12H IN A        218.108.246.45
dns2.hangzhou.gov.cn.   12H IN A        60.191.40.77

;; Total query time: 338 msec
;; FROM: drugs.dv.isc.org to SERVER: 159.226.1.3
;; WHEN: Thu Jun 30 13:30:32 2005
;; MSG SIZE  sent: 38  rcvd: 102

% dig dns2.hangzhou.gov.cn @60.191.40.77

; <<>> DiG 8.3 <<>> dns2.hangzhou.gov.cn @60.191.40.77 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      dns2.hangzhou.gov.cn, type = A, class = IN

;; AUTHORITY SECTION:
hangzhou.gov.cn.        1H IN SOA       dns.hangzhou.gov.cn. mail.hz.gov.cn. (
                                        2005062401      ; serial
                                        1H              ; refresh
                                        30M             ; retry
                                        1w3d            ; expiry
                                        1H )            ; minimum


;; Total query time: 6365 msec
;; FROM: drugs.dv.isc.org to SERVER: 60.191.40.77
;; WHEN: Thu Jun 30 13:30:52 2005
;; MSG SIZE  sent: 38  rcvd: 86

% 


% dig ns1.zpepc.com.cn @202.107.201.1

; <<>> DiG 8.3 <<>> ns1.zpepc.com.cn @202.107.201.1 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23703
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      ns1.zpepc.com.cn, type = A, class = IN

;; ANSWER SECTION:
ns1.zpepc.com.cn.       1D IN CNAME     202-107-201-1.zpepc.com.cn.
202-107-201-1.zpepc.com.cn.  1D IN A  202.107.201.1

;; AUTHORITY SECTION:
zpepc.com.cn.           1D IN NS        ns1.zpepc.com.cn.

;; Total query time: 5593 msec
;; FROM: drugs.dv.isc.org to SERVER: 202.107.201.1
;; WHEN: Thu Jun 30 13:35:12 2005
;; MSG SIZE  sent: 34  rcvd: 92

% 
> 
> ===============================
> 
> 24-Jun-2005 19:02:00.015 client 202.101.172.148#32769: UDP request
> 24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: request is not signed
> 24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: recursion available
> 24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query
> 24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query (cache) 'www.hangzhou.gov.cn/A/IN' approved
> 24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: replace
> 24-Jun-2005 19:02:00.026 clientmgr @2addf8: createclients
> 24-Jun-2005 19:02:00.026 clientmgr @2addf8: create new
> 24-Jun-2005 19:02:00.026 client @3c19f28: create
> 24-Jun-2005 19:02:00.026 createfetch: www.hangzhou.gov.cn A
> 24-Jun-2005 19:02:00.026 client @3c19f28: udprecv
> 24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): create
> 24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): join
> 24-Jun-2005 19:02:00.026 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)): created
> 24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): start
> 24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): try
> 24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
> 24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
> 24-Jun-2005 19:02:00.027 fctx 37ad318(www.hangzhou.gov.cn/A'): query
> 24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
> 24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
> 24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
> 24-Jun-2005 19:02:00.049 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
> 24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
> 24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
> 24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
> 24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
> 24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): try
> 24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
> 24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
> 24-Jun-2005 19:02:00.050 fctx 37ad318(www.hangzhou.gov.cn/A'): query
> 24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
> 24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
> 24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
> 24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
> 24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
> 24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
> 24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
> 24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): try
> 24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
> 24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
> 24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): query
> 24-Jun-2005 19:02:00.052 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
> 24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
> 24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
> 24-Jun-2005 19:02:00.054 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
> 24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): answer_response
> 24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
> 24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): clone_results
> 24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
> 24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): done
> 24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): stopeverything
> 24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
> 24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): sendevents
> 24-Jun-2005 19:02:00.054 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)): destroyfetch
> 24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): shutdown
> 
> =============================== 
> 
> 
> regards
> 
> Joe
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
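As an added example (not code from the thread, from Joe, or from ISC), the following Python script turns Mark's two diagnoses into a repeatable check that an operator can run over captured dig output. It parses the dig text format shown above and flags the two misconfigurations: a nameserver name that exists only as glue in the parent (the child zone answers NXDOMAIN for it, the hangzhou.gov.cn case) and an NS target that is a CNAME (the zpepc.com.cn case). The finding codes and the ns1.example.net "healthy" sample are my own constructions; the other samples are trimmed copies of the dig responses quoted in the thread.

```python
"""Check dig output for the two nameserver misconfigurations in the thread.
Added example, not the thread's own code; samples are constructed from the
quoted dig responses plus one hypothetical healthy answer (ns1.example.net)."""
import re

CLASSES = ("IN", "CH", "HS")

# A resolver that also asks for a nameserver's AAAA record gets NXDOMAIN from a
# glue-only zone. NXDOMAIN asserts the name has no records of any type and is
# negatively cached, so the zone looks unreachable until the entry expires or
# the cache is flushed, which matches the "rndc flush" workaround above.
EXPLANATIONS = {
    "glue-only": "parent referral carries glue for the NS name, but the child "
                 "zone answers NXDOMAIN for it (the name exists only as glue)",
    "ns-is-cname": "the NS target is a CNAME, which RFC 2181 section 10.3 "
                   "does not allow",
}


def parse_dig(text):
    """Parse dig text output into status, header flags and RR sections.
    Each RR is (owner, type, rdata); SOA continuation lines carry no class
    field and are skipped."""
    result = {"status": None, "flags": set(),
              "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        if "HEADER" in line:
            m = re.search(r"status:\s*(\w+)", line)
            if m:
                result["status"] = m.group(1)
            continue
        m = re.match(r";; flags:\s*([^;]*);", line)
        if m:
            result["flags"] = set(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if not line.strip() or line.startswith(";") or section not in result:
            continue
        parts = line.split()
        if len(parts) >= 5 and parts[2] in CLASSES:
            result[section].append(
                (parts[0].lower(), parts[3].upper(), " ".join(parts[4:])))
    return result


def referral_nameservers(referral):
    """Map each NS name in a parent referral to the glue addresses given for it."""
    glue = {rdata.lower(): [] for _, rtype, rdata in referral["AUTHORITY"]
            if rtype == "NS"}
    for owner, rtype, rdata in referral["ADDITIONAL"]:
        if rtype in ("A", "AAAA") and owner in glue:
            glue[owner].append(rdata)
    return glue


def diagnose(ns_name, referral, child_answer):
    """Return finding codes for one nameserver name, given the parent referral
    (or None when not captured) and the child zone's authoritative answer."""
    ns_name = ns_name.lower()
    findings = []
    if referral is not None:
        glue = referral_nameservers(referral)
        if (glue.get(ns_name) and "aa" in child_answer["flags"]
                and child_answer["status"] == "NXDOMAIN"):
            findings.append("glue-only")
    if any(owner == ns_name and rtype == "CNAME"
           for owner, rtype, _ in child_answer["ANSWER"]):
        findings.append("ns-is-cname")
    return findings


# Constructed samples: trimmed from the dig output quoted in the thread.
REFERRAL_HANGZHOU = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 110
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
hangzhou.gov.cn.        12H IN NS       dns.hangzhou.gov.cn.
hangzhou.gov.cn.        12H IN NS       dns2.hangzhou.gov.cn.
;; ADDITIONAL SECTION:
dns.hangzhou.gov.cn.    12H IN A        218.108.246.45
dns2.hangzhou.gov.cn.   12H IN A        60.191.40.77
"""
CHILD_HANGZHOU = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
hangzhou.gov.cn.        1H IN SOA       dns.hangzhou.gov.cn. mail.hz.gov.cn. (
                                        2005062401      ; serial
                                        1H )            ; minimum
"""
ANSWER_ZPEPC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23703
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
ns1.zpepc.com.cn.       1D IN CNAME     202-107-201-1.zpepc.com.cn.
202-107-201-1.zpepc.com.cn.  1D IN A  202.107.201.1
;; AUTHORITY SECTION:
zpepc.com.cn.           1D IN NS        ns1.zpepc.com.cn.
"""
# Hypothetical healthy answer (documentation names and addresses).
ANSWER_HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
ns1.example.net.        1D IN A         192.0.2.53
"""

if __name__ == "__main__":
    cases = [("dns2.hangzhou.gov.cn.", parse_dig(REFERRAL_HANGZHOU),
              parse_dig(CHILD_HANGZHOU)),
             ("ns1.zpepc.com.cn.", None, parse_dig(ANSWER_ZPEPC)),
             ("ns1.example.net.", None, parse_dig(ANSWER_HEALTHY))]
    for name, ref, ans in cases:
        codes = diagnose(name, ref, ans)
        print(name, "OK" if not codes
              else "; ".join(EXPLANATIONS[c] for c in codes))
```

The glue-only test deliberately requires the `aa` flag on the NXDOMAIN answer: only the child zone's own authoritative server can assert that the name does not exist, so a negative answer relayed by some other resolver is not treated as evidence of the misconfiguration.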