Problem with .org domain resolution

Juan Rodríguez cutrez at hotmail.com
Wed Jun 3 18:20:59 UTC 2009


Thanks to both of you.

Kevin, you're right. We have a Check Point firewall which is configured to do some kind of DNS 
protection using SmartDefense; it is called protocol enforcement and can be UDP or TCP. We have 
the UDP protection enabled; its description is the following (copied and pasted from Check Point):

-------------------------
Attack Description:  
DNS protocol is used to identify servers according to their IP addresses and aliases. DNS protocol messages can be transported over TCP or UDP. 

To infect a network with malicious content, attackers attempt to change the content of a DNS packet sent over TCP or UDP with the hope that it will enter the network undetected. 
 
SmartDefense Protection:  
SmartDefense is able to recognize a DNS packet that has been altered. This ability enables SmartDefense to catch potentially harmful packets before they enter the network. 

SmartDefense enables a system administrator to enforce TCP and UDP protocols. Only pure DNS packets sent over TCP or UDP will be able to enter the network. In this case, all DNS port connections over UDP and TCP will be monitored to verify that every DNS packet attempting to enter the network has not been altered. 

With the enforcement of the UDP and TCP protocols the potential for maliciously altered DNS packets to enter the system is decreased. 

A monitor-only mode makes it possible to track unauthorized traffic without blocking it. 
-----------------------

If I disable this protection the .org resolution works fine!! So that is the case: the firewall is 
dropping the packets with this DNSSEC stuff in them.

Jeremy, I've enabled DNS protection in our firewall and I've carried out the tests you suggested:

With dnssec enabled:

[root@dnsint01 bin]# ./dig +cd www.madrid.org @10.20.29.22

; <<>> DiG 9.6.0-P1 <<>> +cd www.madrid.org @10.20.29.22
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@dnsint bin]#

and in named.logs:

03-Jun-2009 20:03:03.826 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:03:13.875 unexpected RCODE (SERVFAIL) resolving 'www.madrid.org/A/IN': 199.249.112.1#53


After putting "dnssec-enable no;" in the options section of named.conf:

[root@dnsint01 bin]# ./dig +cd www.madrid.org @10.20.29.22

; <<>> DiG 9.6.0-P1 <<>> +cd www.madrid.org @10.20.29.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17343
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;www.madrid.org.                        IN      A

;; ANSWER SECTION:
www.madrid.org.         1800    IN      CNAME   www.madrid.org.edgesuite.net.
www.madrid.org.edgesuite.net. 21600 IN  CNAME   a621.b.akamai.net.
a621.b.akamai.net.      20      IN      CNAME   a621.b.akamai.net.0.1.cn.akamaitech.net.
a621.b.akamai.net.0.1.cn.akamaitech.net. 20 IN A 80.157.169.10
a621.b.akamai.net.0.1.cn.akamaitech.net. 20 IN A 80.157.169.19

;; AUTHORITY SECTION:
cn.akamaitech.net.      1799    IN      NS      n4cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n1cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n0cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n2cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n7cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n6cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n5cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n8cn.akamaitech.net.
cn.akamaitech.net.      1799    IN      NS      n3cn.akamaitech.net.

;; Query time: 4079 msec
;; SERVER: 10.20.29.22#53(10.20.29.22)
;; WHEN: Wed Jun  3 20:08:36 2009
;; MSG SIZE  rcvd: 355

[root@dnsint01 bin]#

and in named.log:

03-Jun-2009 20:04:17.251 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:40::1#53
03-Jun-2009 20:04:18.494 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:b::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:48::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:f::1#53
03-Jun-2009 20:04:21.344 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:e::1#53
03-Jun-2009 20:04:22.704 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:04:22.776 success resolving 'www.madrid.org/A' (in 'madrid.org'?) after disabling EDNS



Note: I've realized that messages of the kind "network unreachable resolving" are very common in the named logs.

Note: The same behaviour occurs with other .org domains.

Thank you.


> Date: Wed, 3 Jun 2009 12:18:28 -0500
> From: jreed at isc.org
> To: cutrez at hotmail.com
> CC: bind-users at lists.isc.org
> Subject: Re: Problem with .org domain resolution
> 
> On Wed, 3 Jun 2009, Kevin Darcy wrote:
> 
> > Kevin Darcy wrote:
> > > Since .org was recently DNSSEC-signed
> > > (http://www.afilias.info/afilias+signs+org+zone), my guess would be that you
> > > have a firewall, an intrusion-prevention device, or somesuch, that is
> > > dropping the packets because it doesn't understand the DNSSEC records
> > > contained in them.
> 
> (Ignoring the "never mind" ...)
> 
> That might be the case. 9.6 has DNSSEC validation enabled by default, so 
> the corresponding DNSSEC records and signatures may be sent back 
> regardless of whether the label requested is signed or not, such as the 
> NSEC3 (TYPE50) and RRSIGs in the AUTHORITY section.
> 
> Juan:
> 
> Please use dig instead.
> 
> Please try with DNSSEC checking disabled, for example:
> 
> dig +cd www.mirrorservice.org @10.20.29.22
> 
> dig +cd www.madrid.org @10.20.29.22
> 
> dig +cd www.wikipedia.org @10.20.29.22
> 
> Please look at your BIND logging. (Maybe search for "error".)

_________________________________________________________________
New Windows Live, a world full of possibilities. Discover it.
http://www.microsoft.com/windows/windowslive/default.aspx
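The exchange above turns on two things a "pure DNS only" filter can choke on: the EDNS0 OPT pseudo-RR (with the DO bit) that a DNSSEC-aware resolver adds to its queries, and the RRSIG/NSEC3 records and larger-than-512-byte responses that come back from a signed zone like .org. The log line "success resolving ... after disabling EDNS" is the resolver's fallback hiding the drop. The following Python script is an added illustration, not code from the thread, from BIND or from Check Point: it builds queries with and without EDNS0, builds constructed replies that only carry RRSIG/NSEC3 and OPT when the query asked for them, tallies what a filter might object to, and runs a simplified retry ladder against an assumed "drop OPT and oversized UDP" inbound rule. The filter logic, the three-rung ladder, the 512-byte intermediate step and the opaque RRSIG/NSEC3 payloads are all assumptions made for the example; the model also does not implement truncation (TC) or the TCP retry a real server and resolver would do.

```python
"""Added example: how EDNS0/DNSSEC traffic looks to a 'pure DNS only' filter, and how a
resolver's EDNS fallback papers over the drop. Constructed packets only; this is not
Check Point's or BIND's code, and the filter rule and retry ladder are assumptions."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC3 = 1, 41, 46, 50
FLAG_RD, FLAG_TC, FLAG_CD = 0x0100, 0x0200, 0x0010
EDNS_DO = 0x8000  # DO bit lives in the high half of the OPT RR's TTL field


def encode_name(name):
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(qname, qtype=TYPE_A, edns=True, bufsize=4096, do=True, cd=False, txid=0x1234):
    """Query as a resolver sends it. edns=False is the plain-DNS retry BIND logs as
    'after disabling EDNS'; cd=True is what dig +cd sets."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    pkt = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    pkt += encode_name(qname) + struct.pack(">HH", qtype, 1)
    if edns:
        # OPT pseudo-RR: root name, TYPE41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        pkt += b"\x00" + struct.pack(">HHIH", TYPE_OPT, bufsize, EDNS_DO if do else 0, 0)
    return pkt


def summarize(msg):
    """Tally the things a protocol-enforcement filter may object to in one DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    info = {"size": len(msg), "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF, "answers": an,
            "opt": False, "do": False, "bufsize": None, "rrsig": 0, "nsec3": 0}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info.update(opt=True, bufsize=rclass, do=bool(ttl & EDNS_DO))
        elif rtype == TYPE_RRSIG:
            info["rrsig"] += 1
        elif rtype == TYPE_NSEC3:
            info["nsec3"] += 1
    return info


def build_response(query, answer_ip):
    """Constructed reply to `query`: one A record; RRSIG + NSEC3 only when the query set DO
    (RFC 4035 behaviour), an OPT RR only when the query carried one."""
    q = summarize(query)
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    ptr = b"\xC0\x0C"  # compression pointer back to the question name
    pkt = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 2 if q["do"] else 0, 1 if q["opt"] else 0)
    pkt += question + ptr + struct.pack(">HHIH", TYPE_A, 1, 20, 4) + bytes(int(o) for o in answer_ip.split("."))
    if q["do"]:
        sig, nsec3 = bytes(400), bytes(40)  # opaque stand-ins for a real signature and hash (assumed sizes)
        pkt += ptr + struct.pack(">HHIH", TYPE_RRSIG, 1, 86400, len(sig)) + sig
        pkt += ptr + struct.pack(">HHIH", TYPE_NSEC3, 1, 86400, len(nsec3)) + nsec3
    if q["opt"]:
        pkt += b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return pkt


def strict_filter(pkt):
    """Assumed model of a 'pure DNS only' inbound rule (not Check Point's actual logic):
    drop messages carrying an OPT pseudo-RR or larger than 512 bytes."""
    s = summarize(pkt)
    return None if s["opt"] or s["size"] > 512 else pkt


def resolve_with_fallback(qname, inbound_filter):
    """Simplified resolver retry ladder (an assumption; BIND's real one has more rungs):
    EDNS0/4096 with DO, then EDNS0/512 with DO, then plain DNS, which is the rung
    BIND's 'after disabling EDNS' log line names. Returns (reply summary or None, log)."""
    ladder = [dict(edns=True, bufsize=4096), dict(edns=True, bufsize=512), dict(edns=False)]
    log = []
    for opts in ladder:
        reply = inbound_filter(build_response(build_query(qname, **opts), "80.157.169.10"))
        if reply is None:
            log.append("timeout with %s" % ("EDNS0 bufsize %d" % opts["bufsize"] if opts["edns"] else "plain DNS"))
            continue
        log.append("success %s" % ("with EDNS0" if opts["edns"] else "after disabling EDNS"))
        return summarize(reply), log
    return None, log


if __name__ == "__main__":
    for name, flt in (("strict filter", strict_filter), ("no filter", lambda p: p)):
        summary, log = resolve_with_fallback("www.madrid.org", flt)
        print(name, "->", log, summary)
```

Against the strict filter the resolver only gets an answer on the third rung, and that answer has no OPT, no RRSIG and no NSEC3, which is the same downgraded state that "dnssec-enable no;" produces by hand. That is why a working `dig` after the change is not evidence that the firewall rule is harmless: the fix belongs in the protocol-enforcement rule (allowing EDNS0 OPT records and UDP responses above 512 bytes), not in turning DNSSEC off on the resolver.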