Bind 8.2.3 picking up bogus .com data
Chris Teakle
ccteakle at its.uq.edu.au
Fri Apr 20 15:31:51 UTC 2001
We are experiencing a problem at our site with a Bind 8.2.3 named
occasionally caching false NXDOMAINs for legitimate .com records.
In each case the bad data appears to have originated at ns1.hi2000.net,
which maintains a bogus NS list for .com consisting of ns1.hi2000.net
and ns2.hi2000.net.
An example of such an occurrence is as follows - our nameserver
krefti.cc.uq.edu.au had cached a false NXDOMAIN for www.anz.com,
quoting a bogus .com SOA from ns1.hi2000.net:
yarama% date; dig @krefti www.anz.com
Mon Apr 9 22:01:44 GMT+1000 2001
; <<>> DiG 2.2 <<>> @krefti www.anz.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
;; flags: qr rd ra; Ques: 1, Ans: 0, Auth: 1, Addit: 0
;; QUESTIONS:
;; www.anz.com, type = A, class = IN
;; AUTHORITY RECORDS:
com. 5490 SOA ns1.hi2000.net. hostmaster.hi2000.net. (
2830536819 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;; Total query time: 1 msec
;; FROM: yarama.cc.uq.edu.au to SERVER: krefti 130.102.2.15
;; WHEN: Mon Apr 9 22:01:44 2001
;; MSG SIZE sent: 29 rcvd: 90
A dump file from krefti included the following:
$ORIGIN anz.com.
mwsd01 119569 IN A 202.2.57.67 ;NT=5 Cr=answer [203.101.255.15]
SYSD01 86895 IN A 202.2.57.59 ;NT=10 Cr=answer [203.101.255.15]
bastion01 119569 IN A 203.61.225.34 ;NT=14 Cr=addtnl [203.101.255.15]
;www 5023 IN SOA ns1.hi2000.net. hostmaster.hi2000.net. (
; 2830536819 10800 3600 604800 86400 );com.;NXDOMAIN ;-$
;Cr=auth [211.90.223.103]
bastion02 111406 IN A 203.61.229.34 ;NT=11 Cr=addtnl [203.101.255.15]
The same sort of error occurred yesterday with lookups for
wos.isiglobalnet.com, i.e. krefti was answering with NXDOMAIN and
quoting a bogus .com SOA from ns1.hi2000.net.
Of possible relevance is the fact that krefti makes use of a
forwarder. The forwarder also runs Bind 8.2.3. There is only one level
of forwarding, i.e. the forwarder doesn't forward too, and it's
"forward first", not "forward only".
We only know that one of these problems has struck when a complaint
arrives from a user about a specific domain not working. We use "ndc
restart" as the immediate fix. I have now added the following entries
to named.conf on all our nameservers in an effort to protect them from
the hi2000.net servers:
server 202.101.43.172 { bogus yes; };
server 211.90.223.103 { bogus yes; };
Note that we have seen this error before in Bind version 8.2.2-P5,
though at the time the bogus .com data was originating somewhere else
(webpower.com). It was reported to bind-users in August 2000 (see the
"Bind 8.2.2-P5 picking up bogus .com NS list" thread in the archive).
Someone from another site reported seeing the same thing.
Unfortunately no real solution was offered by anyone, other than a
vague suggestion that it would be less likely to occur if we stopped
using a forwarder.
I had kind of hoped that this bug would be fixed in 8.2.3, but
obviously it hasn't.
I'm interested to know:
* Are other sites experiencing the same problem?
* Is there a patch for this bug?
* Is there an effective workaround?
Regards,
--
Chris Teakle | c.teakle at its.uq.edu.au
Infrastructure Management, | tel +61 7 336 53690
Information Technology Services | http://its.uq.edu.au/
The University of Queensland, Australia
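Added example, not part of the original post and not BIND code: a Python check that scans a cache dump for negative (NXDOMAIN) entries like the one quoted above and flags those whose SOA claims a zone but names an untrusted primary server, then renders the `server ... { bogus yes; };` form used in the post. The three-line entry layout is taken from the excerpt above; the trusted-suffix table, function names and second sample entry are assumptions.

```python
import re

# Assumption: SOA MNAME suffixes accepted per zone; adjust for your site.
TRUSTED_MNAME = {"com.": (".gtld-servers.net.",)}

# Constructed sample, laid out like the negative-cache entry in the dump above.
SAMPLE_DUMP = """\
$ORIGIN anz.com.
mwsd01 119569 IN A 202.2.57.67 ;NT=5 Cr=answer [203.101.255.15]
;www 5023 IN SOA ns1.hi2000.net. hostmaster.hi2000.net. (
; 2830536819 10800 3600 604800 86400 );com.;NXDOMAIN ;-$
;Cr=auth [211.90.223.103]
$ORIGIN example.com.
;gone 300 IN SOA a.gtld-servers.net. hostmaster.example.net. (
; 2001042000 1800 900 604800 86400 );com.;NXDOMAIN ;-$
;Cr=auth [192.0.2.53]
"""

NEG_SOA = re.compile(r"^;(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+\S+\s+\($")
NEG_ZONE = re.compile(r"\);(\S+?);NXDOMAIN")
CRED = re.compile(r"Cr=\w+\s+\[([0-9.]+)\]")

def suspicious_negatives(dump_text):
    """Return (fqdn, soa_zone, mname, source_ip) for NXDOMAIN entries whose
    SOA MNAME is not trusted for the zone the SOA claims to describe."""
    findings, origin, pending = [], ".", None
    for line in dump_text.splitlines():
        if line.startswith("$ORIGIN"):
            origin, pending = line.split()[1], None
        elif (m := NEG_SOA.match(line)):
            # First line of a commented-out negative entry: owner and MNAME.
            pending = {"name": f"{m.group(1)}.{origin}", "mname": m.group(2).lower()}
        elif pending and (m := NEG_ZONE.search(line)):
            # Second line: the zone the SOA was presented for.
            pending["zone"] = m.group(1).lower()
        elif pending and "zone" in pending and (m := CRED.search(line)):
            # Third line: address the data was learned from.
            trusted = TRUSTED_MNAME.get(pending["zone"])
            if trusted and not pending["mname"].endswith(trusted):
                findings.append((pending["name"], pending["zone"],
                                 pending["mname"], m.group(1)))
            pending = None
    return findings

def bogus_statements(findings):
    """Render the named.conf 'server ... { bogus yes; };' form used in the post."""
    return [f"server {ip} {{ bogus yes; }};" for ip in sorted({f[3] for f in findings})]

if __name__ == "__main__":
    hits = suspicious_negatives(SAMPLE_DUMP)
    for hit in hits:
        print("suspect negative cache entry:", *hit)
    print("\n".join(bogus_statements(hits)))
```

Zones without an entry in the trusted table are skipped rather than flagged, so the table has to cover every zone you want checked.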