DNS problem - please help! {Scanned}

Mark_Andrews at isc.org
Wed Dec 31 22:54:58 UTC 2003


> Mark,
> 
> Can you please elaborate further? I think maybe the reason you didn't get a
> complete traceroute is because we block ICMP ping requests.

	It really is a myth that you need to block all ICMP echo
	requests.  All blocking ICMP echo requests does is make
	diagnosing problems harder.  It does NOT, in general, protect
	your machines.

	What you need to block is ICMP ping requests to the directed
	broadcast addresses.  This stops SMURF amplification attacks
	using your machines.  Even then you should send back an
	administratively prohibited ICMP message.  ICMP is allowed
	in response to ICMP.  What is not allowed is ICMP in response
	to ICMP *error* messages.

	Most routers these days have a switch to block directed
	broadcast traffic so it shouldn't be a problem.

	As for worm generated ICMP echo requests, these are easy
	to identify (with some false positives) and drop w/o affecting
	the usefulness of ICMP echo.

	I haven't seen any drop off yet in the ICMP echo request
	traffic with the New Year.  Maybe the boxes need to be
	rebooted to get the worm to eradicate itself.

	ICMP administratively prohibited should also be sent back
	for other packets that you drop.

	Note: I can reach ns1.wppi.net now.

; <<>> DiG 8.3 <<>> mcbc-dc.org soa @ns1.wppi.net 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28495
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;	mcbc-dc.org, type = SOA, class = IN

;; ANSWER SECTION:
mcbc-dc.org.		1D IN SOA	ns1.wppi.net. admin.wppi.net. (
					2003122006	; serial
					3H		; refresh
					1H		; retry
					1W		; expiry
					1D )		; minimum


;; AUTHORITY SECTION:
mcbc-dc.org.		1D IN NS	ns1.wppi.net.
mcbc-dc.org.		1D IN NS	ns2.wppi.net.

;; ADDITIONAL SECTION:
ns1.wppi.net.		2H IN A		68.166.149.45
ns2.wppi.net.		2H IN A		68.166.149.50

;; Total query time: 255 msec
;; FROM: drugs.dv.isc.org to SERVER: 68.166.149.45
;; WHEN: Thu Jan  1 09:54:30 2004
;; MSG SIZE  sent: 29  rcvd: 147


> The interesting
> thing is, if I ssh to the dns box and try 'dig domain' for domains the dns has
> records for, some domains work while others don't:
> 
> # dig ultraphotos.com @ns1.wppi.net
> 
> ; <<>> DiG 8.3 <<>> ultraphotos.com @ns1.wppi.net
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
> ;; QUERY SECTION:
> ;;      ultraphotos.com, type = A, class = IN
> 
> ;; ANSWER SECTION:
> ultraphotos.com.        1h59m3s IN A    68.166.149.38
> 
> ;; AUTHORITY SECTION:
> ultraphotos.com.        1d16h54m22s IN NS  ns1.wppi.net.
> ultraphotos.com.        1d16h54m22s IN NS  ns2.wppi.net.
> ultraphotos.com.        1d16h54m22s IN NS  ns2.zoneedit.com.
> ultraphotos.com.        1d16h54m22s IN NS  ns4.zoneedit.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.wppi.net.           1d4h2m51s IN A  68.166.149.45
> ns2.wppi.net.           1d4h2m51s IN A  68.166.149.50
> ns2.zoneedit.com.       1d4h9m5s IN A   64.247.9.98
> ns4.zoneedit.com.       1d4h9m5s IN A   216.98.150.236
> 
> ;; Total query time: 12 msec
> ;; FROM: ns1.wppi.net to SERVER: ns1.wppi.net  68.166.149.45
> ;; WHEN: Wed Dec 31 09:38:14 2003
> ;; MSG SIZE  sent: 33  rcvd: 202
> ------------
> Which leads me to believe that it must be something wrong w/ bind because
> some domains work while others don't.
> 
> Thanks,
> 
> SW
> 
> ----- Original Message ----- 
> From: <Mark_Andrews at isc.org>
> To: "K B Hariharan" <kbh at hub.nic.in>
> Cc: <wppiphoto at wppi.com>; <bind-users at isc.org>;
> <cobalt-users at list.cobalt.com>
> Sent: Wednesday, December 31, 2003 4:30 AM
> Subject: Re: DNS problem - please help! {Scanned}
> 
> 
> 
> > hi
> >
> > I think the hyphen in the domain name is causing the problem; could you please
> > replace it with a '.' and check... Some of the bind versions are not
> > accepting the hyphen in a domain name like yours..
> 
> Whatever the problem is it is not due to the hyphen.
> 
> # tcpdump -n -p -i sis0 host ns1.wppi.net or icmp
> tcpdump: listening on sis0
> 20:27:01.388848 211.30.120.24.4392 > 68.166.149.45.53:  39194 SOA? mcbc-dc.org. (29)
> 20:27:06.395837 211.30.120.24.4392 > 68.166.149.45.53:  39194 SOA? mcbc-dc.org. (29)
> 
> I would say that it is just a plain old routing problem.
> 
> traceroute to ns1.wppi.net (68.166.149.45), 64 hops max, 44 byte packets
>  1  10.27.64.1 (10.27.64.1)  6.144 ms  5.877 ms  7.304 ms
>  2  carlnfd1-ge0-1.cm.optusnet.com.au (198.142.34.68)  6.579 ms  14.002 ms  15.118 ms
>  3  bla4-pos6-3.gw.optusnet.com.au (198.142.192.93)  16.270 ms  7.053 ms  7.941 ms
>  4  mas2-pos4-1.gw.optusnet.com.au (211.29.129.121)  9.251 ms  9.268 ms  9.911 ms
>  5  mas5-ge1-1.gw.optusnet.com.au (211.29.129.145)  10.599 ms  8.788 ms  10.896 ms
>  6  mas3-ge2-1.gw.optusnet.com.au (211.29.129.33)  13.671 ms  11.006 ms  9.088 ms
>  7  61.88.136.13 (61.88.136.13)  8.449 ms  15.891 ms  13.314 ms
>  8  203.208.148.101 (203.208.148.101)  170.856 ms  175.563 ms  181.707 ms
>  9  ge-2-1.hsa3.SanJose1.Level3.net (65.57.244.1)  168.127 ms  166.784 ms  166.281 ms
> 10  unknown.Level3.net (209.244.13.229)  169.488 ms  169.953 ms  168.160 ms
> 11  ge-0-3-0.bbr1.SanJose1.Level3.net (4.68.112.49)  172.525 ms  170.217 ms  169.717 ms
> 12  as-3-0.bbr1.Washington1.Level3.net (64.159.3.254)  245.047 ms  244.684 ms  244.099 ms
> 13  ge-7-1.ipcolo1.Washington1.Level3.net (64.159.18.67)  243.935 ms  247.539 ms  243.370 ms
> 14  unknown.Level3.net (63.210.41.194)  242.638 ms  246.604 ms  243.186 ms
> 15  * * *
> 16  * * *
> 17  *^C
> 
> 
> > change from mcbc-dc.org to mcbc.dc.org.
> >
> > Thanks
> >
> > K B Hariharan
> > Systems Analyst
> > NIC HQ, New Delhi
> >
> > > I have about 8 sites running on a Raq4 linux box and everything was
> > > working fine w/ bind until a few days ago when some of the domains can't
> > > be reached:
> > >
> > > # nslookup mcbc-dc.org
> > > Server:  h-68-166-149-45.MCLNVA23.covad.net
> > > Address:  68.166.149.45
> > > *** h-68-166-149-45.MCLNVA23.covad.net can't find mcbc-dc.org:
> > > Non-existent host/domain
> > >
> > > I've checked to make sure everything is correct but can't seem to find
> > > what is wrong. Can someone help?
> > >
> > > /etc/named.conf, I have the following:
> > >
> > > zone "mcbc-dc.org" { type master; file "pri.mcbc-dc.org"; allow-query {
> > > any; };
> > >
> > > In /etc/named/pri.mcbc-dc.org, I have the following:
> > >
> > > $TTL 86400
> > > mcbc-dc.org. IN SOA ns1.wppi.net. admin.wppi.net. (
> > >         2003122006
> > >         10800
> > >         3600
> > >         604800
> > >         86400
> > >         )
> > > mcbc-dc.org.    IN      NS      ns1.wppi.net.
> > > mcbc-dc.org.    IN      NS      ns2.wppi.net.
> > >
> > > mcbc-dc.org.    in      a       68.166.149.35
> > > www.mcbc-dc.org.        in      a       68.166.149.35
> > > mcbc-dc.org.    in      mx      30 www.mcbc-dc.org.
> > >
> > > -----------------
> > > Also, when I reboot the box (Raq4) it sits for about 15 minutes saying
> > > 'Loading DNS Server' which it never used to do.
> > >
> > > Thanks,
> > >
> > > SW
> > >
> > >
> > >
> > > -------------------------------------------------
> > >         WPPi.com        |        WPPi.Net
> > > -------------------------------------------------
> > >   http://www.wppi.com   |  http://www.wppi.net
> > > -------------------------------------------------
> > > WPPi.com & WPPi.Net MailScanner Signature
> > > This message has been scanned for viruses
> > > and dangerous content by WPPi MailScanner,
> > > and has been found to be clean.
> > > -------------------------------------------------
> >
> >
> > K B Hariharan
> > Scientist 'B'
> > WAN/Internet Div
> > NIC HQ
> > New Delhi
> > E-mail : kbh at hub.nic.in
> >
> >
> >
> >
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> 
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
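The tcpdump lines and the two dig transcripts in this thread show the same 29-byte SOA query for mcbc-dc.org, once retransmitted without a reply and once answered with the aa (authoritative answer) flag set. The following is an added example, not code from the original message or from BIND: a minimal raw-DNS probe that builds that query, parses the reply, and reports whether the answer was authoritative and which SOA serial it carried, so the same check can be run against each listed nameserver and the results compared. The sample reply is constructed inside the code to mirror the SOA record shown above; the probe() helper that talks to a live server is an assumed usage and is not exercised offline.

```python
import random
import socket
import struct

QTYPE_SOA, QCLASS_IN = 6, 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_soa_query(zone, txid):
    """Header (RD set, one question) followed by QNAME / QTYPE / QCLASS."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def decode_name(msg, off):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer: 14-bit offset into the message
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_soa_response(msg, expected_txid):
    """Return the flags of interest plus the fields of the first SOA answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (late or spoofed reply)")
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    result = {"aa": bool(flags & FLAG_AA), "rcode": flags & 0x000F,
              "mname": None, "serial": None}
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA and result["serial"] is None:
            mname, o = decode_name(msg, off)
            rname, o = decode_name(msg, o)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[o:o + 20])
            result.update(mname=mname, rname=rname, serial=serial, refresh=refresh,
                          retry=retry, expire=expire, minimum=minimum)
        off += rdlen
    return result


def build_sample_response(query, authoritative):
    """Constructed reply (not captured traffic) mirroring the SOA shown in the dig
    output above; the answer's owner name is a pointer to the question at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if authoritative else 0)
    rdata = (encode_name("ns1.wppi.net") + encode_name("admin.wppi.net")
             + struct.pack("!IIIII", 2003122006, 10800, 3600, 604800, 86400))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 86400, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + query[12:] + answer


def probe(server, zone, timeout=3.0):
    """Live check (needs network): ask one nameserver for the zone's SOA over UDP."""
    txid = random.randrange(65536)
    query = build_soa_query(zone, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_soa_response(data, txid)


if __name__ == "__main__":
    q = build_soa_query("mcbc-dc.org", 39194)
    print(len(q), "byte query")                     # same size as the (29) in the tcpdump line
    print(parse_soa_response(build_sample_response(q, True), 39194))
```

Run probe(server, zone) once per nameserver in the NS set: a socket timeout reproduces the unanswered retransmissions seen in the tcpdump output, an answer without aa means the server handed back a cached copy rather than its own zone, and serials that differ between servers point at a stale secondary.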


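The ICMP filtering advice at the top of this message (leave echo alone, refuse echo to directed broadcast addresses, answer refused packets with administratively prohibited, never answer an ICMP error with another ICMP message, drop worm-pattern echo without hurting ordinary ping) expressed as one filter policy. This is an added example, not code from the original message or from any router or firewall product; the packets are constructed inline using documentation addresses, and both the worm heuristic (a 64-byte payload of a single repeated byte) and the choice to drop ICMP redirects are assumptions to be tuned to the site, not rules stated on the page.

```python
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 0, 3, 5, 8
CODE_ADMIN_PROHIBITED = 13               # destination unreachable, code 13 (RFC 1812)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}     # unreachable, source quench, redirect, time exceeded, parameter problem
PROTO_ICMP, PROTO_TCP = 1, 6


def mk_ipv4(src, dst, proto, payload):
    """Constructed IPv4 datagram (no options, checksum left zero) for the samples below."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def mk_icmp(icmp_type, code, payload=b""):
    # type, code, checksum (zero), identifier, sequence
    return struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload


def mk_tcp_syn(sport, dport):
    # ports, seq, ack, data offset, flags (SYN), window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            pkt[9], pkt[ihl:])


def looks_like_worm_echo(payload):
    """Stand-in heuristic (an assumption, not from the page): a 64-byte payload made of
    one repeated byte. Ordinary ping tools send a timestamp and a counting pattern,
    so false positives are rare but not zero; tune this to the worm actually seen."""
    return len(payload) == 64 and len(set(payload)) == 1


def icmp_for_denied(proto, l4):
    """What to send back for a packet we refuse: administratively prohibited,
    except that an ICMP error message is never answered with another ICMP error
    (RFC 1122 section 3.2.2), so those are dropped silently."""
    if proto == PROTO_ICMP and l4[0] in ICMP_ERROR_TYPES:
        return None
    return (ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED)


def policy(pkt, local_nets, open_tcp_ports, blocked_icmp_types=frozenset({ICMP_REDIRECT})):
    """Return (verdict, response): verdict is ACCEPT or DENY; response is None
    (no ICMP generated) or the (type, code) of the ICMP message to send back."""
    _src, dst, proto, l4 = parse_ipv4(pkt)
    if proto == PROTO_ICMP:
        icmp_type, payload = l4[0], l4[8:]
        if icmp_type == ICMP_ECHO_REQUEST:
            if any(dst == net.broadcast_address for net in local_nets):
                return "DENY", icmp_for_denied(proto, l4)   # smurf amplifier: refuse, but say why
            if looks_like_worm_echo(payload):
                return "DENY", None                         # worm noise: drop without a reply
            return "ACCEPT", (ICMP_ECHO_REPLY, 0)           # plain ping stays usable
        if icmp_type in blocked_icmp_types:
            return "DENY", icmp_for_denied(proto, l4)       # None when the blocked type is an error
        return "ACCEPT", None                               # echo reply, errors from the path, etc.
    if proto == PROTO_TCP:
        dport = struct.unpack("!H", l4[2:4])[0]
        if dport in open_tcp_ports:
            return "ACCEPT", None
    return "DENY", icmp_for_denied(proto, l4)               # anything else we drop: admin prohibited


# Constructed samples: 192.0.2.0/24 stands in for the site, 198.51.100.7 for a remote host.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
OPEN_TCP = {53}
SAMPLES = {
    "ping": mk_ipv4("198.51.100.7", "192.0.2.10", PROTO_ICMP, mk_icmp(ICMP_ECHO_REQUEST, 0, b"\x00\x01\x02\x03")),
    "smurf": mk_ipv4("198.51.100.7", "192.0.2.255", PROTO_ICMP, mk_icmp(ICMP_ECHO_REQUEST, 0, b"\x00" * 8)),
    "worm": mk_ipv4("198.51.100.7", "192.0.2.10", PROTO_ICMP, mk_icmp(ICMP_ECHO_REQUEST, 0, b"\xaa" * 64)),
    "time_exceeded": mk_ipv4("198.51.100.7", "192.0.2.10", PROTO_ICMP, mk_icmp(11, 0, b"\x00" * 28)),
    "redirect": mk_ipv4("198.51.100.7", "192.0.2.10", PROTO_ICMP, mk_icmp(ICMP_REDIRECT, 1, b"\x00" * 28)),
    "dns_tcp": mk_ipv4("198.51.100.7", "192.0.2.10", PROTO_TCP, mk_tcp_syn(40000, 53)),
    "smtp_tcp": mk_ipv4("198.51.100.7", "192.0.2.10", PROTO_TCP, mk_tcp_syn(40000, 25)),
}


def run_samples():
    return {name: policy(pkt, LOCAL_NETS, OPEN_TCP) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, response) in run_samples().items():
        print(f"{name:14s} {verdict:7s} {response}")
```

Only the directed-broadcast case and the closed TCP port produce an administratively prohibited message; the worm-pattern echo and the blocked redirect are dropped with no reply, the first because answering it is pointless, the second because an ICMP error must not be answered with ICMP. Ordinary echo and legitimate errors such as time exceeded pass untouched, so traceroute and ping through the filter keep working.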