Bind 8.2.3 picking up bogus .com data

Chris Teakle ccteakle at its.uq.edu.au
Fri Apr 20 15:31:51 UTC 2001


We are experiencing a problem at our site with a Bind 8.2.3 named
occasionally caching false NXDOMAINs for legitimate .com records.

In each case the bad data appears to have originated at ns1.hi2000.net,
which maintains a bogus NS list for .com consisting of ns1.hi2000.net
and ns2.hi2000.net.

An example of such an occurrence is as follows - our nameserver
krefti.cc.uq.edu.au had cached a false NXDOMAIN for www.anz.com,
quoting a bogus .com SOA from ns1.hi2000.net:

  yarama% date; dig @krefti www.anz.com
  Mon Apr  9 22:01:44 GMT+1000 2001

  ; <<>> DiG 2.2 <<>> @krefti www.anz.com 
  ; (1 server found)
  ;; res options: init recurs defnam dnsrch
  ;; got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
  ;; flags: qr rd ra; Ques: 1, Ans: 0, Auth: 1, Addit: 0
  ;; QUESTIONS:
  ;;      www.anz.com, type = A, class = IN

  ;; AUTHORITY RECORDS:
  com.    5490    SOA     ns1.hi2000.net. hostmaster.hi2000.net. (
                          2830536819      ; serial
                          10800   ; refresh (3 hours)
                          3600    ; retry (1 hour)
                          604800  ; expire (7 days)
                          86400 ) ; minimum (1 day)

  ;; Total query time: 1 msec
  ;; FROM: yarama.cc.uq.edu.au to SERVER: krefti  130.102.2.15
  ;; WHEN: Mon Apr  9 22:01:44 2001
  ;; MSG SIZE  sent: 29  rcvd: 90

A dump file from krefti included the following:

  $ORIGIN anz.com.
  mwsd01  119569  IN      A       202.2.57.67     ;NT=5 Cr=answer [203.101.255.15]
  SYSD01  86895   IN      A       202.2.57.59     ;NT=10 Cr=answer [203.101.255.15]
  bastion01       119569  IN      A       203.61.225.34   ;NT=14 Cr=addtnl [203.101.255.15]
  ;www    5023    IN      SOA     ns1.hi2000.net. hostmaster.hi2000.net. (
  ;               2830536819 10800 3600 604800 86400 );com.;NXDOMAIN      ;-$
  ;Cr=auth [211.90.223.103]
  bastion02       111406  IN      A       203.61.229.34   ;NT=11 Cr=addtnl [203.101.255.15]

The same sort of error occurred yesterday with lookups for
wos.isiglobalnet.com, i.e. krefti was answering with NXDOMAIN and
quoting a bogus .com SOA from ns1.hi2000.net.

Of possible relevance is the fact that krefti makes use of a
forwarder.  The forwarder also runs Bind 8.2.3. There is only one level
of forwarding, i.e. the forwarder doesn't forward too, and it's
"forward first", not "forward only".

We only know that one of these problems has struck when a complaint
arrives from a user about a specific domain not working. We use "ndc
restart" as the immediate fix. I have now added the following entries
to named.conf on all our nameservers in an effort to protect them from
the hi2000.net servers:

server 202.101.43.172 { bogus yes; };
server 211.90.223.103 { bogus yes; };

Note that we have seen this error before in Bind version 8.2.2-P5,
though at the time the bogus .com data was originating somewhere else
(webpower.com).  It was reported to bind-users in August 2000 (see the
"Bind 8.2.2-P5 picking up bogus .com NS list" thread in the archive).
Someone from another site reported seeing the same thing.
Unfortunately no real solution was offered by anyone, other than a
vague suggestion that it would be less likely to occur if we stopped
using a forwarder.

I had kind of hoped that this bug would be fixed in 8.2.3, but
obviously it hasn't.

I'm interested to know:
* Are other sites experiencing the same problem?
* Is there a patch for this bug?
* Is there an effective workaround?

Regards,

--
Chris Teakle                            | c.teakle at its.uq.edu.au
Infrastructure Management,              | tel +61 7 336 53690
Information Technology Services         | http://its.uq.edu.au/
The University of Queensland, Australia
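The negative-cache entries in a dump like the one quoted above can be audited mechanically instead of waiting for a user complaint. The Python script below is an added example, not code from the post or from BIND. It parses the BIND 8 dump format shown in the message (the embedded sample is constructed: the www.anz.com entry reproduces the post's record with the mail wrapping undone, and the example.com entry is invented as a legitimate contrast) and flags a negative answer when the SOA MNAME it carries is not in an operator-supplied expected set for the claimed zone, or when the claimed zone sits above a name for which the cache already holds positive data (a parent that should have referred rather than answered NXDOMAIN). The `EXPECTED_SOA_MNAME` table, the `parse_dump`/`audit` function names and the 192.0.2.0/24 addresses are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the BIND 8 named_dump.db style quoted in the post.
# Negative-cache records are written out commented with ";" over three lines:
#   ;owner TTL IN SOA mname rname (
#   ;      serial refresh retry expire minimum );zone;RCODE ;-$
#   ;Cr=credibility [address the record was learned from]
SAMPLE_DUMP = """\
$ORIGIN anz.com.
mwsd01  119569  IN      A       202.2.57.67     ;NT=5 Cr=answer [203.101.255.15]
SYSD01  86895   IN      A       202.2.57.59     ;NT=10 Cr=answer [203.101.255.15]
;www    5023    IN      SOA     ns1.hi2000.net. hostmaster.hi2000.net. (
;               2830536819 10800 3600 604800 86400 );com.;NXDOMAIN      ;-$
;Cr=auth [211.90.223.103]
bastion02       111406  IN      A       203.61.229.34   ;NT=11 Cr=addtnl [203.101.255.15]
$ORIGIN example.com.
www     3600    IN      A       192.0.2.10      ;NT=3 Cr=answer [192.0.2.53]
;nosuch 3600    IN      SOA     ns1.example.com. hostmaster.example.com. (
;               2001042001 10800 3600 604800 86400 );example.com.;NXDOMAIN      ;-$
;Cr=auth [192.0.2.53]
"""

# Operator-maintained expectation (an assumption for this example): which SOA MNAME
# a negative answer for each zone may legitimately quote. Zones not listed are only
# subject to the delegation heuristic below.
EXPECTED_SOA_MNAME: Dict[str, Set[str]] = {
    "com.": {"a.gtld-servers.net."},
    "example.com.": {"ns1.example.com."},
}


@dataclass
class NegEntry:
    name: str    # fully qualified owner of the negative answer
    ttl: int
    mname: str   # SOA MNAME quoted by the server that gave the negative answer
    zone: str    # zone the SOA claims to belong to
    rcode: str   # NXDOMAIN, NOERROR (NODATA), ...
    cred: str    # BIND credibility level, e.g. auth, answer, addtnl
    source: str  # address the record was learned from


POS_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+[A-Z]+\s")
NEG_START = re.compile(r"^;(\S+)\s+(\d+)\s+IN\s+SOA\s+(\S+)\s+\S+\s+\(")
NEG_END = re.compile(r"\);(\S+?);(\w+)")
NEG_CRED = re.compile(r"^;Cr=(\w+)\s+\[([0-9a-fA-F.:]+)\]")


def qualify(name: str, origin: str) -> str:
    """Turn a dump-relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_dump(dump: str) -> Tuple[List[NegEntry], Set[str]]:
    """Return the negative-cache entries and the owners of positive records."""
    origin = "."
    negatives: List[NegEntry] = []
    positives: Set[str] = set()
    pending: Optional[Tuple[str, int, str]] = None
    zone = rcode = None
    for raw in dump.splitlines():
        line = raw.rstrip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if not line.startswith(";"):
            m = POS_RR.match(line)
            if m:
                positives.add(qualify(m.group(1), origin))
            continue
        m = NEG_START.match(line)
        if m:  # first line of a three-line negative entry
            pending = (qualify(m.group(1), origin), int(m.group(2)), m.group(3))
            zone = rcode = None
            continue
        if pending is None:
            continue
        m = NEG_END.search(line)
        if m:  # second line: ");zone;RCODE"
            zone, rcode = m.group(1), m.group(2)
            continue
        m = NEG_CRED.match(line)
        if m and zone is not None:  # third line: credibility and source
            negatives.append(NegEntry(*pending, zone, rcode, m.group(1), m.group(2)))
            pending = None
    return negatives, positives


def delegation_between(e: NegEntry, positives: Set[str]) -> Optional[str]:
    """Heuristic: a cached name whose parent lies strictly between the claimed SOA
    zone and the negative name suggests a delegation the claimed zone should have
    referred to instead of answering authoritatively."""
    for owner in positives:
        parent = owner.split(".", 1)[1]
        if parent != e.zone and parent.endswith("." + e.zone) and e.name.endswith("." + parent):
            return parent
    return None


def audit(dump: str, expected: Dict[str, Set[str]] = EXPECTED_SOA_MNAME) -> List[str]:
    negatives, positives = parse_dump(dump)
    findings = []
    for e in negatives:
        allowed = expected.get(e.zone)
        if allowed is not None and e.mname not in allowed:
            findings.append(f"{e.name}: {e.rcode} backed by SOA for {e.zone} naming {e.mname} "
                            f"(expected one of {sorted(allowed)}), learned from {e.source} Cr={e.cred}")
        cut = delegation_between(e, positives)
        if cut:
            findings.append(f"{e.name}: {e.rcode} claimed by {e.zone} although the cache holds "
                            f"data under {cut}, which should have been the zone answering")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Run it against a real `named_dump.db` by reading the file into `audit()`; in the constructed sample both findings are for `www.anz.com.`, and the `example.com` entry passes both checks. The delegation heuristic is only that: a zone may legitimately contain subdomains without delegating them, so treat its output as a prompt to verify, while an MNAME outside the expected set is a firm mismatch worth a `bogus yes` entry for the source address.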

