parent dns answers the ARR of child dns

Kevin Darcy kcd at chrysler.com
Thu Dec 3 17:56:38 UTC 2009


Not only that, but DNS.gduf.edu.cn is performing recursion, while not 
setting RA in, and not copying RD into, the header of the response.

% dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn

; <<>> DiG 9.3.0 <<>> www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 593
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn. IN A

;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.3
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.4
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.10

I suspect this is YABDLBD (Yet Another Brain-Damaged Load-Balancer 
Device). Or a defective DNS proxy.

While the cache is populated with these records, even *non-recursive* 
queries will be given this answer directly, instead of a referral. Once 
the records time out, referrals are given again.

But, why do you (the original poster) care? If the caching of these 
records by this server is a problem, surely it's a more *general* 
problem of the records being cached by resolvers everywhere. Either set 
the TTLs accordingly, or abandon whatever plans you have to make the 
responses completely "dynamic", or ordered in any particular way...

DNS isn't, and never was intended to be, a comprehensive load-balancing 
or failover mechanism. Maybe it can become that, if SRV records were 
used as a matter of course, but we haven't achieved that yet. Not by a 
long shot.

Since the addresses all appear to be in the same subnet, you might want 
to look into front-ending them with some sort of dedicated "local" 
load-balancer, either implemented in hardware or software.

- Kevin



Chris Buxton wrote:
> On Dec 3, 2009, at 3:38 AM, Tech W. wrote:
>   
>> # dig smartip.gduf.edu.cn ns +short
>> dtone1.gduf.edu.cn.
>>
>> # dig www.smartip.gduf.edu.cn  +short
>> 121.8.235.88
>>
>> # dig www.smartip.gduf.edu.cn +trace 
>>     
>
> [...]
>
>   
>> www.smartip.gduf.edu.cn. 8      IN      A       218.192.12.4
>> www.smartip.gduf.edu.cn. 8      IN      A       218.192.12.10
>> www.smartip.gduf.edu.cn. 8      IN      A       218.192.12.3
>> ;; Received 89 bytes from 218.192.12.6#53(DNS.gduf.edu.cn) in 106 ms
>>     
>
> DNS.gduf.edu.cn is open to recursive queries from anyone. Is it possible you were seeing a cached answer?
>
> A DNS server that is authoritative for a zone that has subzones that are delegated to other DNS servers should not be performing recursion. Not for anyone. It leads to confusing results.
>
> $ dig www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22315
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;www.smartip.gduf.edu.cn.	IN	A
>
> ;; AUTHORITY SECTION:
> smartip.gduf.edu.cn.	3600	IN	NS	dtone1.gduf.edu.cn.
>
> ;; ADDITIONAL SECTION:
> dtone1.gduf.edu.cn.	3600	IN	A	218.192.12.233
>
> ;; Query time: 398 msec
> ;; SERVER: 218.192.12.6#53(218.192.12.6)
> ;; WHEN: Thu Dec  3 08:43:50 2009
> ;; MSG SIZE  rcvd: 97
>
> $ dig www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47739
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.smartip.gduf.edu.cn.	IN	A
>
> ;; ANSWER SECTION:
> www.smartip.gduf.edu.cn. 30	IN	A	121.8.235.88
>
> ;; AUTHORITY SECTION:
> smartip.gduf.edu.cn.	3600	IN	NS	dtone1.gduf.edu.cn.
>
> ;; Query time: 396 msec
> ;; SERVER: 218.192.12.233#53(218.192.12.233)
> ;; WHEN: Thu Dec  3 08:44:17 2009
> ;; MSG SIZE  rcvd: 78
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
>   




More information about the bind-users mailing list