DNS problem - please help! {Scanned}
Mark_Andrews at isc.org
Wed Dec 31 22:54:58 UTC 2003
> Mark,
>
> Can you please elaborate further? I think maybe the reason you didn't get a
> complete traceroute is because we block ICMP ping requests.
It really is a myth that you need to block all ICMP echo
requests. All blocking ICMP echo requests does is make
diagnosing problems harder. It does NOT, in general, protect
your machines.
What you need to block is ICMP ping requests to the directed
broadcast addresses. This stops SMURF amplification attacks
using your machines. Even then you should send back
administratively prohibited ICMP message. ICMP is allowed
in response to ICMP. What is not allowed is ICMP in response
to ICMP *error* messages.
Most routers these days have a switch to block directed
broadcast traffic so it shouldn't be a problem.
As for worm generated ICMP echo requests, these are easy
to identify (with some false positives) and drop w/o affecting
the usefulness of ICMP echo.
I haven't seen any drop off yet in the ICMP echo request
traffic with the New Year. Maybe the boxes need to be
rebooted to get the worm to eradicate itself.
ICMP administratively prohibited should also be sent back
for other packets that you drop.
Note: I can reach ns1.wppi.net now.
; <<>> DiG 8.3 <<>> mcbc-dc.org soa @ns1.wppi.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28495
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; mcbc-dc.org, type = SOA, class = IN
;; ANSWER SECTION:
mcbc-dc.org. 1D IN SOA ns1.wppi.net. admin.wppi.net. (
2003122006 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
;; AUTHORITY SECTION:
mcbc-dc.org. 1D IN NS ns1.wppi.net.
mcbc-dc.org. 1D IN NS ns2.wppi.net.
;; ADDITIONAL SECTION:
ns1.wppi.net. 2H IN A 68.166.149.45
ns2.wppi.net. 2H IN A 68.166.149.50
;; Total query time: 255 msec
;; FROM: drugs.dv.isc.org to SERVER: 68.166.149.45
;; WHEN: Thu Jan 1 09:54:30 2004
;; MSG SIZE sent: 29 rcvd: 147
> The interesting
> thing is if I ssh to the dns box and try 'dig domain' which the dns has
> records for that some domains work while others don't:
>
> # dig ultraphotos.com @ns1.wppi.net
>
> ; <<>> DiG 8.3 <<>> ultraphotos.com @ns1.wppi.net
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
> ;; QUERY SECTION:
> ;; ultraphotos.com, type = A, class = IN
>
> ;; ANSWER SECTION:
> ultraphotos.com. 1h59m3s IN A 68.166.149.38
>
> ;; AUTHORITY SECTION:
> ultraphotos.com. 1d16h54m22s IN NS ns1.wppi.net.
> ultraphotos.com. 1d16h54m22s IN NS ns2.wppi.net.
> ultraphotos.com. 1d16h54m22s IN NS ns2.zoneedit.com.
> ultraphotos.com. 1d16h54m22s IN NS ns4.zoneedit.com.
>
> ;; ADDITIONAL SECTION:
> ns1.wppi.net. 1d4h2m51s IN A 68.166.149.45
> ns2.wppi.net. 1d4h2m51s IN A 68.166.149.50
> ns2.zoneedit.com. 1d4h9m5s IN A 64.247.9.98
> ns4.zoneedit.com. 1d4h9m5s IN A 216.98.150.236
>
> ;; Total query time: 12 msec
> ;; FROM: ns1.wppi.net to SERVER: ns1.wppi.net 68.166.149.45
> ;; WHEN: Wed Dec 31 09:38:14 2003
> ;; MSG SIZE sent: 33 rcvd: 202
> ------------
> Which leads me to believe that it must be something wrong w/ bind because
> some domains work while others don't.
>
> Thanks,
>
> SW
>
> ----- Original Message -----
> From: <Mark_Andrews at isc.org>
> To: "K B Hariharan" <kbh at hub.nic.in>
> Cc: <wppiphoto at wppi.com>; <bind-users at isc.org>;
> <cobalt-users at list.cobalt.com>
> Sent: Wednesday, December 31, 2003 4:30 AM
> Subject: Re: DNS problem - please help! {Scanned}
>
>
>
> > hi
> >
> > I think the hyphen in the domain name is giving the problem c'd you pl.
> > replace it with the . and check... Some of the bind versions are not
> > accepting the hyphen in the domain name like yours..
>
> Whatever the problem is, it is not due to the hyphen.
>
> # tcpdump -n -p -i sis0 host ns1.wppi.net or icmp
> tcpdump: listening on sis0
> 20:27:01.388848 211.30.120.24.4392 > 68.166.149.45.53: 39194 SOA?
> mcbc-dc.org. (29)
> 20:27:06.395837 211.30.120.24.4392 > 68.166.149.45.53: 39194 SOA?
> mcbc-dc.org. (29)
>
> I would say that it is just a plain old routing problem.
>
> traceroute to ns1.wppi.net (68.166.149.45), 64 hops max, 44 byte packets
> 1 10.27.64.1 (10.27.64.1) 6.144 ms 5.877 ms 7.304 ms
> 2 carlnfd1-ge0-1.cm.optusnet.com.au (198.142.34.68) 6.579 ms 14.002 ms
> 15.118 ms
> 3 bla4-pos6-3.gw.optusnet.com.au (198.142.192.93) 16.270 ms 7.053 ms
> 7.941 ms
> 4 mas2-pos4-1.gw.optusnet.com.au (211.29.129.121) 9.251 ms 9.268 ms
> 9.911 ms
> 5 mas5-ge1-1.gw.optusnet.com.au (211.29.129.145) 10.599 ms 8.788 ms
> 10.896 ms
> 6 mas3-ge2-1.gw.optusnet.com.au (211.29.129.33) 13.671 ms 11.006 ms
> 9.088 ms
> 7 61.88.136.13 (61.88.136.13) 8.449 ms 15.891 ms 13.314 ms
> 8 203.208.148.101 (203.208.148.101) 170.856 ms 175.563 ms 181.707 ms
> 9 ge-2-1.hsa3.SanJose1.Level3.net (65.57.244.1) 168.127 ms 166.784 ms
> 166.281 ms
> 10 unknown.Level3.net (209.244.13.229) 169.488 ms 169.953 ms 168.160 ms
> 11 ge-0-3-0.bbr1.SanJose1.Level3.net (4.68.112.49) 172.525 ms 170.217 ms
> 169.717 ms
> 12 as-3-0.bbr1.Washington1.Level3.net (64.159.3.254) 245.047 ms 244.684
> ms 244.099 ms
> 13 ge-7-1.ipcolo1.Washington1.Level3.net (64.159.18.67) 243.935 ms
> 247.539 ms 243.370 ms
> 14 unknown.Level3.net (63.210.41.194) 242.638 ms 246.604 ms 243.186 ms
> 15 * * *
> 16 * * *
> 17 *^C
>
>
> > change from mcbc-dc.org to mcbc.dc.org.
> >
> > Thanks
> >
> > K B Hariharan
> > Systems Analyst
> > NIC HQ, New Delhi
> >
> > > I have about 8 sites running on a Raq4 linux box and everything was
> > > working fine w/ bind until a few days ago when some of the domains can't
> > > be reached:
> > >
> > > # nslookup mcbc-dc.org
> > > Server: h-68-166-149-45.MCLNVA23.covad.net
> > > Address: 68.166.149.45
> > > *** h-68-166-149-45.MCLNVA23.covad.net can't find mcbc-dc.org:
> > > Non-existent host/domain
> > >
> > > I've checked to make sure everything is correct but can't seem to find
> > > what is wrong. Can someone help?
> > >
> > > /etc/named.conf, I have the following:
> > >
> > > zone "mcbc-dc.org" { type master; file "pri.mcbc-dc.org"; allow-query {
> > > any; }; };
> > >
> > > In /etc/named/pri.mcbc-dc.org, I have the following:
> > >
> > > $TTL 86400
> > > mcbc-dc.org. IN SOA ns1.wppi.net. admin.wppi.net. (
> > > 2003122006
> > > 10800
> > > 3600
> > > 604800
> > > 86400
> > > )
> > > mcbc-dc.org. IN NS ns1.wppi.net.
> > > mcbc-dc.org. IN NS ns2.wppi.net.
> > >
> > > mcbc-dc.org. in a 68.166.149.35
> > > www.mcbc-dc.org. in a 68.166.149.35
> > > mcbc-dc.org. in mx 30 www.mcbc-dc.org.
> > >
> > > -----------------
> > > Also, when I reboot the box (Raq4) it sits for about 15 minutes saying
> > > 'Loading DNS Server' which it never used to do.
> > >
> > > Thanks,
> > >
> > > SW
> > >
> > >
> > >
> > > -------------------------------------------------
> > > WPPi.com | WPPi.Net
> > > -------------------------------------------------
> > > http://www.wppi.com | http://www.wppi.net
> > > -------------------------------------------------
> > > WPPi.com & WPPi.Net MailScanner Signature
> > > This message has been scanned for viruses
> > > and dangerous content by WPPi MailScanner,
> > > and has been found to be clean.
> > > -------------------------------------------------
> >
> >
> > K B Hariharan
> > Scientist 'B'
> > WAN/Internet Div
> > NIC HQ
> > New Delhi
> > E-mail : kbh at hub.nic.in
> >
> >
> >
> >
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
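Added example, not code from Mark Andrews, ISC or the BIND project: the DNS wire format behind the dig and tcpdump output quoted above. It builds the two queries that appear in the thread and shows why dig reports "MSG SIZE sent: 29" for the SOA query on mcbc-dc.org and 33 for the A query on ultraphotos.com; it decodes the header flags dig prints (the first dig output carries aa, meaning the server answered from its own zone data, the second carries ra but no aa, meaning it answered from its cache as a recursive resolver); and it applies the RFC 1123 label rules, under which a hyphen inside a label is legal. The transaction IDs are taken from the page; the reply messages are constructed here (header plus echoed question only) so the block runs offline, and response_matches() is the minimal check any resolver performs before trusting a reply.

```python
import string
import struct

# Wire-format constants (RFC 1035).
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15}
QCLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
LABEL_CHARS = set(string.ascii_letters + string.digits + "-")


def valid_hostname(name):
    """RFC 1123 host-name syntax: each label is 1-63 letters, digits or hyphens and
    neither starts nor ends with a hyphen; the whole name is at most 253 octets.
    A hyphen in the middle of a label ("mcbc-dc") is perfectly legal."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    for label in name.split("."):
        if not 1 <= len(label) <= 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not set(label) <= LABEL_CHARS:
            return False
    return True


def encode_name(name):
    """Length-prefixed labels terminated by a zero octet."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def build_query(name, qtype, txid, rd=True):
    """12-octet header plus one question; dig's 'MSG SIZE sent' is len() of this."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)


def parse_header(msg):
    """Decode the header into the fields dig prints on its ->>HEADER<<- and flags lines."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    names = [n for n, bit in (("qr", FLAG_QR), ("aa", FLAG_AA), ("tc", FLAG_TC),
                              ("rd", FLAG_RD), ("ra", FLAG_RA)) if flags & bit]
    return {"id": txid, "flags": names, "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def response_matches(query, response):
    """The minimum a resolver checks before trusting a reply: QR is set, the transaction
    ID is that of the outstanding query, and the question section is echoed unchanged."""
    if len(response) < len(query):
        return False
    resp_flags = struct.unpack("!H", response[2:4])[0]
    return (bool(resp_flags & FLAG_QR) and response[:2] == query[:2]
            and response[12:len(query)] == query[12:len(query)])


def constructed_response(query, flags, counts):
    """Constructed reply: header plus the echoed question, no resource records. Enough
    to exercise parse_header() and response_matches() without a network."""
    txid = struct.unpack("!H", query[:2])[0]
    an, ns, ar = counts
    return struct.pack("!HHHHHH", txid, flags, 1, an, ns, ar) + query[12:]


if __name__ == "__main__":
    soa_q = build_query("mcbc-dc.org", "SOA", 28495)
    print(len(soa_q), "octets sent")                    # 29, dig's "MSG SIZE sent: 29"
    auth = constructed_response(soa_q, FLAG_QR | FLAG_AA | FLAG_RD, (1, 2, 2))
    print(parse_header(auth)["flags"])                   # ['qr', 'aa', 'rd']: from zone data
    a_q = build_query("ultraphotos.com", "A", 6)
    print(len(a_q), "octets sent")                      # 33, dig's "MSG SIZE sent: 33"
    cached = constructed_response(a_q, FLAG_QR | FLAG_RD | FLAG_RA, (1, 4, 4))
    print(parse_header(cached)["flags"])                 # ['qr', 'rd', 'ra']: no aa, from cache
```

The tcpdump excerpt above shows the same 29-octet SOA query with ID 39194 sent twice, five seconds apart, and no reply at all; build_query() reproduces that datagram byte for byte, which is how one confirms that the problem lies on the path rather than in what was asked.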
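Added example, not code from Mark Andrews or ISC: the ICMP filtering policy his reply describes, written as a packet classifier so the rules can be checked against concrete packets. Echo requests to unicast hosts are accepted, echo requests to a directed-broadcast address (the smurf amplifier) are dropped, and other refused traffic is answered with ICMP administratively prohibited rather than black-holed. One caveat the example applies: RFC 1122 section 3.2.2 forbids generating an ICMP error in response to an ICMP error message, to a broadcast- or multicast-destined datagram, or from a non-unicast source, so in those cases it drops silently instead of rejecting. Assumptions: the local prefix is the RFC 5737 documentation block 192.0.2.0/24 (the page shows hosts in 68.166.149.x but not the mask), the host exposes only DNS, and the worm signature is that of the 2003 Welchia/Nachi worm, which the page does not name.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMP message types (RFC 792).
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT = 0, 3, 4, 5
ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 8, 11, 12
ICMP_ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, REDIRECT, TIME_EXCEEDED, PARAM_PROBLEM}
ADMIN_PROHIBITED = (DEST_UNREACH, 13)          # "communication administratively prohibited"

# Assumptions for the example: documentation prefix instead of the site's real one, and
# an authoritative name server, so DNS over UDP and TCP is the only exposed service.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_SERVICES = {("udp", 53), ("tcp", 53)}

# Constructed signature for "worm generated ICMP echo requests": the Welchia/Nachi worm
# probed with echo requests carrying 64 data octets of 0xAA. Matching on payload alone
# is what produces the occasional false positive.
WORM_PROBE_PAYLOAD = b"\xaa" * 64


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None   # for proto == "icmp"
    dport: Optional[int] = None       # for udp/tcp
    payload: bytes = b""


Verdict = Tuple[str, Optional[Tuple[int, int]]]   # ("accept"|"drop"|"reject", (type, code))


def directed_broadcasts(nets):
    return {n.broadcast_address for n in nets}


def may_send_icmp_error(pkt, nets):
    """RFC 1122 section 3.2.2: no ICMP error in response to an ICMP error message, to a
    datagram addressed to broadcast or multicast, or from a non-unicast source."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERROR_TYPES:
        return False
    bcast = directed_broadcasts(nets) | {ipaddress.ip_address("255.255.255.255")}
    if dst.is_multicast or dst in bcast:
        return False
    if src.is_multicast or src.is_unspecified or src.is_loopback or src in bcast:
        return False
    return True


def refuse(pkt, nets):
    """Tell the sender when we legitimately can; otherwise drop silently."""
    return ("reject", ADMIN_PROHIBITED) if may_send_icmp_error(pkt, nets) else ("drop", None)


def decide(pkt, nets=LOCAL_NETS, allowed=ALLOWED_SERVICES) -> Verdict:
    if pkt.proto == "icmp":
        if pkt.icmp_type == ECHO_REQUEST:
            if ipaddress.ip_address(pkt.dst) in directed_broadcasts(nets):
                return refuse(pkt, nets)          # smurf amplifier: ends up a silent drop
            if pkt.payload == WORM_PROBE_PAYLOAD:
                return ("drop", None)             # worm noise; ordinary ping is unaffected
            return ("accept", None)               # plain ping to a host: it aids diagnosis
        if pkt.icmp_type in {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM}:
            return ("accept", None)               # ping replies, PMTUD and traceroute need these
        return refuse(pkt, nets)                  # redirect/source quench: drop; timestamp etc.: reject
    if (pkt.proto, pkt.dport) in allowed:
        return ("accept", None)
    return refuse(pkt, nets)                      # anything else: say so rather than time out
```

The last branch is the point of the "administratively prohibited" advice: a client whose SOA query is rejected learns immediately that the server will not talk to it, whereas a silently dropped query looks exactly like the five-second retransmissions in the tcpdump above, and the operator is left guessing between a filter and a routing problem.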