DNS Failures

Mark_Andrews at iengines.com Mark_Andrews at iengines.com
Thu Oct 28 04:41:04 UTC 1999 

> I posted an article a while ago with regards to port 53 on our DNS hanging up
>  
> once or twice a week. Well I believe I have solved the problem, but I would 
> still like to know why? 
> 
> I traced 3 of the failures to a simple DNS request that was submitted using T
> CP 
> rather than UDP. Coincidently, all 3 requests were from different domains for
>  
> the same Domain Name that we host for a client. The requests were not for the
>  
> server itself, and received a negative response. After these requests, port 5
> 3 
> shut down and would not respond to any further requests. All other ports stil
> l 
> responded correctly.
> 
> We were using Version 2.1 of MetaInfo's port of BIND, and NT 3.51 SP5. MetaIn
> fo 
> was of no assistance what-so-ever. Since I had to upgrade the operating syste
> m 
> to be able to upgrade the DNS, I undertook that step first. It has been runni
> ng 
> on NT 4.0 SP3 now for almost 2 weeks and no failures. This is a relatively lo
> w 
> powered machine, and my concerns about resource utilzation proved to be 
> unfounded. Other when operating the server locally, resourse utilization is 
> actually better under 4.0.
> 
> But my real question is why did we suddenly start to have problems after 2 
> years of no problems at all? Why did we suddenly start to see simple DNS 
> requests using TCP? The RFC's strongly recommend using UDP because of the muc
> h 
> better efficiency. Is there some new function or feature that people have 
> started using?
> 
> Any light on the subject would be much appreciated.
> 
> J.A. Coutts
> Systems Engineer
> Edsonet/TravPro
> 
> 

	Because someone said that the UPDATE protocol was insecure,
	which it is without some sort if crypotograhic signatures,
	from there decided that we will try to forge updates and
	distributed a kiddy scripts to do this.

	This neglected the fact that UPDATES are disabled by default.
	So it won't be effective unless you happen to guess which
	addresses have been allowed to perform the update.  BIND 8.2.2
	supports cryptographic signatures for authentication as an
	alternative to IP address based acls.

	Now what happens is these forged updates are rejected and
	a REFUSED message is sent back.  Named then reads EOF on
	the socket and closes it.  However the socket also has a
	linger interval of 120 seconds on it so what is happening
	is that the close pauses for 120 seconds while it waits
	for the linger interval to expire trying to sent the REFUSED
	message.  This is not a problem with real tcp connections as
	the client will have read the answer prior to the close hence
	the linger interval does not come into play.

	Normal operation however does not need the linger interval
	so it has been removed in BIND 8.2.2.  The client is supposed
	to close the connection and it should have read everything
	by then. It was copied over from BIND 4 where is was needed
	for outgoing zone transfers. BIND 4 forks for outgoing zone
	transfers then closes the socket after the final SOA is
	written.  Without the linger outgoing zone transfers were
	being truncated.  

	For this to be a problem you need a IP stack where it is
	easy to forge a connection.

	Mark
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com

More information about the bind-users mailing list