Bind 8.2.3 picking up bogus .com data

Kevin Darcy kcd at daimlerchrysler.com
Fri Apr 20 18:33:22 UTC 2001


After many messages back and forth, I finally got the webpower.com folks to stop
claiming authority for .com and polluting the Internet with bogus referral
information. The same thing needs to be done with the hi2000.net folks. Threaten
to report them to their registrar (Network Solutions), if necessary.

Until they fix this, everyone should declare these servers "bogus".


- Kevin

Chris Teakle wrote:

> We are experiencing a problem at our site with a Bind 8.2.3 named
> occasionally caching false NXDOMAINs for legitimate .com records.
>
> In each case the bad data appears to have originated at ns1.hi2000.net,
> which maintains a bogus NS list for .com consisting of ns1.hi2000.net
> and ns2.hi2000.net.
>
> An example of such an occurrence is as follows - our nameserver
> krefti.cc.uq.edu.au had cached a false NXDOMAIN for www.anz.com,
> quoting a bogus .com SOA from ns1.hi2000.net:
>
>   yarama% date; dig @krefti www.anz.com
>   Mon Apr  9 22:01:44 GMT+1000 2001
>
>   ; <<>> DiG 2.2 <<>> @krefti www.anz.com
>   ; (1 server found)
>   ;; res options: init recurs defnam dnsrch
>   ;; got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
>   ;; flags: qr rd ra; Ques: 1, Ans: 0, Auth: 1, Addit: 0
>   ;; QUESTIONS:
>   ;;      www.anz.com, type = A, class = IN
>
>   ;; AUTHORITY RECORDS:
>   com.    5490    SOA     ns1.hi2000.net. hostmaster.hi2000.net. (
>                           2830536819      ; serial
>                           10800   ; refresh (3 hours)
>                           3600    ; retry (1 hour)
>                           604800  ; expire (7 days)
>                           86400 ) ; minimum (1 day)
>
>   ;; Total query time: 1 msec
>   ;; FROM: yarama.cc.uq.edu.au to SERVER: krefti  130.102.2.15
>   ;; WHEN: Mon Apr  9 22:01:44 2001
>   ;; MSG SIZE  sent: 29  rcvd: 90
>
> A dump file from krefti included the following:
>
>   $ORIGIN anz.com.
>   mwsd01  119569  IN      A       202.2.57.67     ;NT=5 Cr=answer [203.101.255.15]
>   SYSD01  86895   IN      A       202.2.57.59     ;NT=10 Cr=answer [203.101.255.15]
>   bastion01       119569  IN      A       203.61.225.34   ;NT=14 Cr=addtnl [203.101.255.15]
>   ;www    5023    IN      SOA     ns1.hi2000.net. hostmaster.hi2000.net. (
>   ;               2830536819 10800 3600 604800 86400 );com.;NXDOMAIN      ;-$
>   ;Cr=auth [211.90.223.103]
>   bastion02       111406  IN      A       203.61.229.34   ;NT=11 Cr=addtnl [203.101.255.15]
>
> The same sort of error occurred yesterday with lookups for
> wos.isiglobalnet.com, i.e. krefti was answering with NXDOMAIN and
> quoting a bogus .com SOA from ns1.hi2000.net.
>
> Of possible relevance is the fact that krefti makes use of a
> forwarder.  The forwarder also runs Bind 8.2.3. There is only one level
> of forwarding, i.e. the forwarder doesn't forward too, and it's
> "forward first", not "forward only".
>
> We only know that one of these problems has struck when a complaint
> arrives from a user about a specific domain not working. We use "ndc
> restart" as the immediate fix. I have now added the following entries
> to named.conf on all our nameservers in an effort to protect them from
> the hi2000.net servers:
>
> server 202.101.43.172 { bogus yes; };
> server 211.90.223.103 { bogus yes; };
>
> Note that we have seen this error before in Bind version 8.2.2-P5,
> though at the time the bogus .com data was originating somewhere else
> (webpower.com).  It was reported to bind-users in August 2000 (see the
> "Bind 8.2.2-P5 picking up bogus .com NS list" thread in the archive).
> Someone from another site reported seeing the same thing.
> Unfortunately no real solution was offered by anyone, other than a
> vague suggestion that it would be less likely to occur if we stopped
> using a forwarder.
>
> I had kind of hoped that this bug would be fixed in 8.2.3, but
> obviously it hasn't.
>
> I'm interested to know:
> * Are other sites experiencing the same problem?
> * Is there a patch for this bug?
> * Is there an effective workaround?
>
> Regards,
>
> --
> Chris Teakle                            | c.teakle at its.uq.edu.au
> Infrastructure Management,              | tel +61 7 336 53690
> Information Technology Services         | http://its.uq.edu.au/
> The University of Queensland, Australia
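
Added example, not part of either message above: a Python check that scans a cache dump in the format quoted in the thread for cached NXDOMAINs whose SOA names an unexpected primary server for a TLD, and renders candidate "bogus" lines for an operator to review. The EXPECTED_MNAME allow-list, the function names, and reading the bracketed address as the server the data came from are assumptions of this example.

```python
import re

# Negative-cache entry as it appears in the cache dump quoted above: a
# commented-out SOA, then ");<zone>;NXDOMAIN", then the credibility line
# with a bracketed address (assumed here to be the data's source server).
NEG_ENTRY = re.compile(
    r"^;(?P<name>\S+)\s+\d+\s+IN\s+SOA\s+(?P<mname>\S+)\s+\S+\s+\([ \t]*\n"
    r";[^\n]*\);(?P<zone>[^;\s]+);NXDOMAIN[^\n]*\n"
    r";Cr=\w+\s+\[(?P<source>[0-9.]+)\]",
    re.MULTILINE,
)
ORIGIN = re.compile(r"^\$ORIGIN\s+(\S+)", re.MULTILINE)

# Assumption: SOA MNAME suffixes the operator accepts for each zone.
EXPECTED_MNAME = {"com": ("gtld-servers.net",)}

def suspicious_negative_entries(dump_text, expected=EXPECTED_MNAME):
    """Return cached NXDOMAINs whose SOA names an unexpected primary server."""
    origins = [(o.start(), o.group(1)) for o in ORIGIN.finditer(dump_text)]
    findings = []
    for m in NEG_ENTRY.finditer(dump_text):
        zone = m["zone"].rstrip(".").lower()
        mname = m["mname"].rstrip(".").lower()
        allowed = expected.get(zone)
        if allowed is None:
            continue  # no expectation recorded for this zone, cannot judge
        if any(mname == s or mname.endswith("." + s) for s in allowed):
            continue  # SOA names a primary server we expect for this zone
        # Owner names in the dump are relative to the most recent $ORIGIN.
        origin = next((n for pos, n in reversed(origins) if pos < m.start()), "")
        findings.append({"name": f"{m['name']}.{origin}", "zone": zone,
                         "mname": mname, "source": m["source"]})
    return findings

def bogus_statements(findings):
    """Render candidate named.conf lines for an operator to review."""
    return [f"server {ip} {{ bogus yes; }};"
            for ip in sorted({f["source"] for f in findings})]

# The anz.com lines are from the message above (unwrapped); the example.com
# entry is constructed to show a negative entry that passes the check.
SAMPLE_DUMP = """$ORIGIN anz.com.
mwsd01  119569  IN      A       202.2.57.67     ;NT=5 Cr=answer [203.101.255.15]
;www    5023    IN      SOA     ns1.hi2000.net. hostmaster.hi2000.net. (
;               2830536819 10800 3600 604800 86400 );com.;NXDOMAIN      ;-$
;Cr=auth [211.90.223.103]
$ORIGIN example.com.
;nohost 3000    IN      SOA     a.gtld-servers.net. hostmaster.example. (
;               2001040900 1800 900 604800 86400 );com.;NXDOMAIN      ;-$
;Cr=auth [192.0.2.1]
"""
```

Run against a periodic dump, this surfaces the polluted entry before a user complaint does; the rendered lines use the same "server ... { bogus yes; };" form as the workaround in the message.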




