Intermittent NXDOMAIN, (possibly) Bind or PowerDNS problem?

Ian B porjo38 at yahoo.com.au
Mon Feb 8 01:19:47 UTC 2010


The Bigpond nameserver server would now appear to be returning 'correct' data for the 'authority section'. Dig to my recursor gives:

$  dig dreamteam.afl.com.au

; <<>> DiG 9.3.4-P1 <<>> dreamteam.afl.com.au
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24819
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dreamteam.afl.com.au.		IN	A

;; ANSWER SECTION:
dreamteam.afl.com.au.	14	IN	CNAME	afl.virtualsports.com.au.
afl.virtualsports.com.au. 2997	IN	A	174.120.186.226
afl.virtualsports.com.au. 2997	IN	A	174.120.187.106
afl.virtualsports.com.au. 2997	IN	A	174.120.186.242
afl.virtualsports.com.au. 2997	IN	A	174.120.186.250
afl.virtualsports.com.au. 2997	IN	A	174.120.187.114
afl.virtualsports.com.au. 2997	IN	A	174.120.187.122
afl.virtualsports.com.au. 2997	IN	A	174.120.187.138
afl.virtualsports.com.au. 2997	IN	A	174.120.187.146
afl.virtualsports.com.au. 2997	IN	A	174.120.186.218
afl.virtualsports.com.au. 2997	IN	A	174.120.186.234
afl.virtualsports.com.au. 2997	IN	A	174.120.187.10
afl.virtualsports.com.au. 2997	IN	A	174.120.187.130

;; Query time: 1 msec
;; SERVER: 203.161.127.1#53(203.161.127.1)
;; WHEN: Mon Feb  8 09:15:24 2010
;; MSG SIZE  rcvd: 262



Dig off the authoratative nameserver for afl.com.au:

$ dig dreamteam.afl.com.au @ns1bpc.bigpond.com

; <<>> DiG 9.6.1-P2 <<>> dreamteam.afl.com.au @ns2bpc.bigpond.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33750
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dreamteam.afl.com.au.		IN	A

;; ANSWER SECTION:
dreamteam.afl.com.au.	30	IN	CNAME	afl.virtualsports.com.au.

;; AUTHORITY SECTION:
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.
.			518400	IN	NS	H.ROOT-SERVERS.NET.
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.

;; Query time: 53 msec
;; SERVER: 61.9.170.18#53(61.9.170.18)
;; WHEN: Mon Feb  8 08:57:31 2010
;; MSG SIZE  rcvd: 281


Ian.

--- On Fri, 5/2/10, Mark Andrews <marka at isc.org> wrote:

> From: Mark Andrews <marka at isc.org>
> Subject: Re: Intermittent NXDOMAIN, (possibly) Bind or PowerDNS problem?
> To: "Ian B" <porjo38 at yahoo.com.au>
> Cc: bind-users at lists.isc.org
> Received: Friday, 5 February, 2010, 2:47 PM
> 
> In message <260066.10841.qm at web63105.mail.re1.yahoo.com>,
> Ian B writes:
> > Hi All,
> > 
> > I found a post on this list from July 2009 with the
> subject:
> > "Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS
> problem?"
> > 
> > https://lists.isc.org/pipermail/bind-users/2009-July/077045.html
> > 
> > I'm having exactly the same issue but with hostname
> dreamteam.afl.com.au
> > 
> > A sample dig is as follows:
> > 
> > $ dig dreamteam.afl.com.au 
> > 
> > ; <<>> DiG 9.3.4-P1 <<>>
> dreamteam.afl.com.au
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status:
> NXDOMAIN, id: 22236
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1,
> ADDITIONAL: 0
> > 
> > ;; QUESTION SECTION:
> > ;dreamteam.afl.com.au.   
>     IN    A
> > 
> > ;; ANSWER SECTION:
> > dreamteam.afl.com.au.   
> 30    IN   
> CNAME    afl.virtualsports.com.au.
> > 
> > ;; AUTHORITY SECTION:
> > com.au.       
>     60    IN   
> SOA    stl-bpc-gslb1500-1.bigp
> > ond.com. hostmaster.stl-bpc-gslb1500-1.bigpond.com. 4
> 10800 3600 604800 60
> > 
> > ;; Query time: 53 msec
> > ;; SERVER: 203.161.127.1#53(203.161.127.1)
> > ;; WHEN: Fri Feb  5 11:29:24 2010
> > ;; MSG SIZE  rcvd: 147
> > 
> > 
> > My understanding of the issue is that the
> authoritative nameserver for dreamt
> > eam.afl.com.au is returning the incorrect data in the
> 'AUTHORITY SECTION' cau
> > sing PowerDNS to act unpredictably. Other DNS
> recursors may not have an issue
> > with this, as they overlook the error. Is that a
> correct understanding?
> 
> It looks like the two bigpond servers have been configured
> to serve
> a unofficial version of COM.AU.  Normal query
> processing then causes
> the servers to find the unofficial version of COM.AU and
> return
> NXDOMAIN rather than a referral as they should.  This
> is hard to
> avoid unless the normal query process rules are changed to
> not
> re-start the query after following a CNAME for a
> non-recursive query
> or only follow a CNAME if the target is in the same zone as
> the
> owner of the CNAME.
> 
> The incorrect answer is then accepted and the cache is
> poisoned.
> 
> One would think however that Telstra would have locked
> COM.AU out
> in the automatic provisioning systems for these servers as
> adding
> it can only be for nefarious purposes.  Similarly any
> other
> infrastucture zones.
> 
> Mark
> 
> > Thanks,
> > Ian.
> > 
> > 
> >   
>    _______________________________________________________________________
> > ___________
> > Yahoo!7: Catch-up on your favourite Channel 7 TV shows
> easily, legally, and f
> > or free at PLUS7. www.tv.yahoo.com.au/plus7
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742         
>        INTERNET: marka at isc.org
> 


      __________________________________________________________________________________
Yahoo!7: Catch-up on your favourite Channel 7 TV shows easily, legally, and for free at PLUS7. www.tv.yahoo.com.au/plus7



More information about the bind-users mailing list