Unexpected queries
Mark Andrews
Mark_Andrews at isc.org
Mon Dec 5 23:25:36 UTC 2005
> Mark Andrews wrote:
>
> >>Mark Andrews wrote:
> >>
> >>
> >>
> >>>>-----BEGIN PGP SIGNED MESSAGE-----
> >>>>Hash: SHA1
> >>>>
> >>>>Currently running bind-9.3.1
> >>>>
> >>>>When examining logs of DNS queries, I notice
> >>>>
> >>>>Dec 4 07:30:43 mp named[212]: client 99.99.99.99#33040: query: huskiesde
> n.
> >>>>
> >>>>
> >>ni
> >>
> >>
> >>>>u.edu IN A -E
> >>>>Dec 4 07:30:43 mp named[212]: client 99.99.99.99#33040: query (cache) 'h
> us
> >>>>
> >>>>
> >>ki
> >>
> >>
> >>>>es-den.com/A/IN' denied
> >>>>
> >>>>The above query IP address was munged to protect the innocent.
> >>>>
> >>>>For the record, the server where this was logged is authoritative for
> >>>>"niu.edu", but not for "com".
> >>>>
> >>>>Off campus queries are restricted to the zones for which we are
> >>>>authoritative, and hence the "denied" for the second of those
> >>>>lookups.
> >>>>
> >>>>The result of looking up huskiesden.niu.edu from off-campus is
> >>>>
> >>>>huskiesden.niu.edu. 86400 IN CNAME huskies-den.com.
> >>>>
> >>>>when made from on-campus, the result is
> >>>>
> >>>>huskiesden.niu.edu. 86400 IN CNAME huskies-den.com.
> >>>>huskies-den.com. 1800 IN A 207.227.157.52
> >>>>
> >>>>Checking for this in yesterday's logs, every lookup of
> >>>>huskiesden.niu.edu was followed by a lookup for huskies-den.com.
> >>>>
> >>>>The total number of lookups is modest, but enough that it is likely
> >>>>that at least some of the lookups were from other bind servers. Most
> >>>>did not respond to a version.bind lookup. Among those that
> >>>>responded, I saw 8.4.6-REL, 9.3.1, 9.2.1, 9.2.3
> >>>>
> >>>>It seems to me that something is awry here. If my server is supposed
> >>>>to provide the info on huskies-den.com along with the CNAME response,
> >>>>then it should do so based on the acl for huskiesden.niu.edu. As
> >>>>long as it fails to provide that record in its initial response, the
> >>>>off-campus DNS servers should not be looking up a "COM." record at
> >>>>our DNS server.
> >>>>
> >>>>-----BEGIN PGP SIGNATURE-----
> >>>>Version: GnuPG v1.4.2 (SunOS)
> >>>>
> >>>>iD8DBQFDlI0svmGe70vHPUMRAnwAAKCoaW6wYpphA92IRC8jrzAwyKktawCePMk7
> >>>>+ot9MSlZOaA7ZN6f7VcUDrc=
> >>>>=PUyd
> >>>>-----END PGP SIGNATURE-----
> >>>>
> >>>>
> >>>>
> >>>>
> >>> When you ask a query that refers to a CNAME you follow that
> >>> CNAME if you can. All the log message was saying is that
> >>> after following the CNAME the new query was refused.
> >>>
> >>> Note this is the sort of answer where the client needs to
> >>> requery after following the CNAME. It looks like a NODATA
> >>> response by isn't.
> >>>
> >>>
> >>>
> >>Mark,
> >> I think the point is: why is the client restarting the query
> >>at the CNAME's authoritative nameserver, instead of looking for the
> >>nameservers of the closest-enclosing zone of the canonical name, as per
> >>the usual iterative-resolution algorithm? I've noticed this behavior
> >>too, and wondered whether it was some sort of "optimization" (e.g. the
> >>CNAME owner seems more likely to get back answer in less steps than
> >>restarting the query ab initio), or just sloppy coding (forgot to reset
> >>who we're querying), or something else. Neil's forensics imply that at
> >>least some of these iterative resolvers are BIND.
> >>
> >>
> >
> > Well when +70% of the worlds iterative resolvers are BIND there
> > is a high probability that some of the queries are from BIND.
> >
> >
> >>
> >> - Kevin
> >>
> >>
> >
> > The query is non-recursive. Named follows the CNAME. Attempts
> > to look in the cache which is denied by ACL, logs the fact that
> > it was denied, then returns the answer.
> >
> Right. No-one is questioning what the authoritative nameserver is
> returning. But why is the client coming right back to the same
> nameserver to query the canonical name, even though it's not in the
> delegation chain for it?
It isn't. You are not reading the logs correctly. The client
is querying for huskiesden.niu.edu.
> Is it an optimization, a coding mistake, or something else?
It's a noisy log message, nothing more.
> This is a question about iterative-resolver behavior, not
> authoritative-nameserver behavior.
No, it is a question about authoritative-nameserver behavior.
> Maybe someone who is familiar with the nuances of BIND 8's and/or
> BIND 9's resolver code can answer the question. I'm just curious.
>
>
> - Kevin
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list