North American Network Operators Group


dnsauth3.sys.gtei.net DNS record is poisoned???

  • From: Joe Shen
  • Date: Wed Feb 15 11:08:02 2006

Hi,

Today, some of our customers could not resolve
state.gov through our cache server.

I found state.gov is served by dnsauth1.sys.gtei.net,
dnsauth2.sys.gtei.net, dnsauth3.sys.gtei.net. Using
some others' DNS servers I found their IP addresses
should be 4.2.49.2, 4.2.49.3, 4.2.49.4. But our cache
server (BIND 9.3.1) got some other IPs (I've tried
restarting BIND 9.3.1). So it always failed to resolve
state.gov. After restarting BIND 9.3.1 again, I did
"rndc flush" several times, and then it came back.

Why? Is there something poisoned?

Joe



=========== BIND9 got wrong server IP ====

> set debug
> dnsauth1.sys.gtei.net
Server:  dnsv2.zjhzptt.net.cn
Address:  202.101.172.133

;; res_nmkquery(QUERY, dnsauth1.sys.gtei.net, IN, A)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 58203, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 3,  additional = 2

    QUESTIONS:
        dnsauth1.sys.gtei.net, type = A, class = IN
    ANSWERS:
    ->  dnsauth1.sys.gtei.net
        internet address = 128.121.126.139
        ttl = 86084 (86084)
    AUTHORITY RECORDS:
    ->  gtei.net
        nameserver = dnsauth2.sys.gtei.net
        ttl = 172565 (172565)
    ->  gtei.net
        nameserver = dnsauth3.sys.gtei.net
        ttl = 172565 (172565)
    ->  gtei.net
        nameserver = dnsauth1.sys.gtei.net
        ttl = 172565 (172565)
    ADDITIONAL RECORDS:
    ->  dnsauth2.sys.gtei.net
        internet address = 169.132.13.103
        ttl = 86084 (86084)
    ->  dnsauth3.sys.gtei.net
        internet address = 192.67.198.6
        ttl = 86084 (86084)

------------
Non-authoritative answer:
Name:    dnsauth1.sys.gtei.net
Address:  128.121.126.139

>

==============================

After restarting BIND and doing "rndc flush" 6 times, I got:

======================

> set debug
> state.gov
Server:  hzdnsv2.zjhzptt.net.cn
Address:  202.101.172.133

;; res_nmkquery(QUERY, state.gov, IN, A)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 20953, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 3,  additional = 3

    QUESTIONS:
        state.gov, type = A, class = IN
    ANSWERS:
    ->  state.gov
        internet address = 164.109.48.80
        ttl = 1778 (1778)
    AUTHORITY RECORDS:
    ->  state.gov
        nameserver = dnsauth3.sys.gtei.net
        ttl = 1778 (1778)
    ->  state.gov
        nameserver = dnsauth1.sys.gtei.net
        ttl = 1778 (1778)
    ->  state.gov
        nameserver = dnsauth2.sys.gtei.net
        ttl = 1778 (1778)
    ADDITIONAL RECORDS:
    ->  dnsauth1.sys.gtei.net
        internet address = 4.2.49.2
        ttl = 172767 (172767)
    ->  dnsauth2.sys.gtei.net
        internet address = 4.2.49.3
        ttl = 172767 (172767)
    ->  dnsauth3.sys.gtei.net
        internet address = 4.2.49.4
        ttl = 172767 (172767)

------------
Non-authoritative answer:
Name:    state.gov
Address:  164.109.48.80

>

==================================
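
The comparison made in this message can be automated. The following is an added example, not part of the original post: it parses nslookup "set debug" output and flags every A record whose address differs from the reference addresses the post gives. The function names are hypothetical and the two inputs are excerpts trimmed from the outputs above.

```python
import re

# Reference addresses the post reports from other resolvers.
EXPECTED = {"dnsauth1.sys.gtei.net": "4.2.49.2",
            "dnsauth2.sys.gtei.net": "4.2.49.3",
            "dnsauth3.sys.gtei.net": "4.2.49.4"}

# Record sections excerpted from the two nslookup outputs in the post.
BEFORE_FLUSH = """\
    ANSWERS:
    ->  dnsauth1.sys.gtei.net
        internet address = 128.121.126.139
    ADDITIONAL RECORDS:
    ->  dnsauth2.sys.gtei.net
        internet address = 169.132.13.103
    ->  dnsauth3.sys.gtei.net
        internet address = 192.67.198.6
"""
AFTER_FLUSH = """\
    ANSWERS:
    ->  state.gov
        internet address = 164.109.48.80
    ADDITIONAL RECORDS:
    ->  dnsauth1.sys.gtei.net
        internet address = 4.2.49.2
    ->  dnsauth2.sys.gtei.net
        internet address = 4.2.49.3
    ->  dnsauth3.sys.gtei.net
        internet address = 4.2.49.4
"""

def parse_a_records(text):
    """Return [(section, owner, address)] from nslookup 'set debug' output."""
    records, section, owner = [], None, None
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"[A-Z ]+:", line):      # e.g. "ADDITIONAL RECORDS:"
            section, owner = line[:-1], None
        elif line.startswith("->"):              # owner name of next record
            owner = line[2:].strip().rstrip(".").lower()
        elif owner and (m := re.match(r"internet address = (\S+)", line)):
            records.append((section, owner, m.group(1)))
    return records

def mismatches(text, expected=EXPECTED):
    """Records whose returned address differs from the reference address."""
    return [(s, n, a, expected[n]) for s, n, a in parse_a_records(text)
            if n in expected and a != expected[n]]

if __name__ == "__main__":
    for label, out in (("before flush", BEFORE_FLUSH), ("after flush", AFTER_FLUSH)):
        print(label, mismatches(out))
```

The parser also accepts the full, untrimmed nslookup output, since header and question lines carry no "internet address" field.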






		