bind 9.2.1 "partial cache dump"?

Jon Lewis jlewis at lewis.org
Wed Jun 7 20:49:27 UTC 2006 

Is there any known issue that could cause bind (Red Hat's 9.2.1-9) acting 
as a caching DNS server to use an NS for a domain that's not listed as an 
NS, and not "known" as an NS in the cache?...or at least that doesn't show 
up in a cache dump?

Tired of receiving spam from a particular spammer who sends through 
proxies and uses an ever growing list of domains (both in the envelope and 
message body) that always use the same NS, I null routed the network 
containing their NS.  The idea being, that should cause their spam to be 
refused with something like 451 DNS temporary failure (#4.3.0).

So, I was somewhat surprised when I got multiple spams from them yesterday 
from domains with NS's I'd already null routed.  tcpdump on our bind 
caching server showed that when I asked it for mx parlay6.net (the 
envelope from domain in one spam), the caching server would ask a 
gtld-server for the mx.  The gtld-server would respond with the expected 
NS records. Both NS's (which are actually the same IP, 65.246.161.71) are 
unreachable (null routed).  Instead of giving up though after getting no 
reply from 65.246.161.71, our cache would then ask 69.59.130.98 for the 
MX.  69.59.130.98 appears to be some kind of stealth NS and is 
authoratative for parlay6.net.  The odd part is, it doesn't show up in a 
named_dump.db I got from rndc dump_db on our cache.

The cache dump I did contains the following records for parlay6.net:

; authauthority
parlay6.NET.            176     NS      ns1.parlay6.net.
                         176     NS      ns2.parlay6.net.
; authanswer
                         176     MX      10 mx.parlay6.net.
; authanswer
cin4pk6rqil6czi4hq.parlay6.NET. 335 A   210.114.232.53
; additional
mx.parlay6.NET.         176     A       65.246.161.71
; glue
ns1.parlay6.NET.        172535  A       65.246.161.71
; glue
ns2.parlay6.NET.        172535  A       65.246.161.71

Why would bind repeatadly (after records expired from the cache) ask 
69.59.130.98 for records for parlay6.net, if it doesn't show up as a 
parlay6.net NS in the cache dump?

After obtaining the dump, I restarted bind, and this behavior ceased.

It's conceivable that some parlay6.net records were cached before the null 
route was in place.  It's quite possible that the spammer alters what they 
return as NS's for the domain during a spam run.  The only thing I don't 
get, is how bind could be using 69.59.130.98 as an NS for parlay6.net, but 
not have that NS show up in the cache dump.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

More information about the bind-users mailing list