Help with unresolvable domain (subdomain, actually)
Shaoquan Lin
lin at ccny.cuny.edu
Tue Mar 1 21:48:26 UTC 2011
I was not able to resolve it at first and got the same result as you got:
$ dig +trace tools.cisco.com
; <<>> DiG 9.6.1-P3 <<>> +trace tools.cisco.com
;; global options: +cmd
. 63808 IN NS a.root-servers.net.
. 63808 IN NS l.root-servers.net.
. 63808 IN NS d.root-servers.net.
. 63808 IN NS b.root-servers.net.
. 63808 IN NS m.root-servers.net.
. 63808 IN NS e.root-servers.net.
. 63808 IN NS h.root-servers.net.
. 63808 IN NS g.root-servers.net.
. 63808 IN NS c.root-servers.net.
. 63808 IN NS f.root-servers.net.
. 63808 IN NS k.root-servers.net.
. 63808 IN NS j.root-servers.net.
. 63808 IN NS i.root-servers.net.
;; Received 460 bytes from 134.74.14.2#53(134.74.14.2) in 8 ms
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
;; Received 493 bytes from 192.5.5.241#53(f.root-servers.net) in 77 ms
cisco.com. 172800 IN NS ns1.cisco.com.
cisco.com. 172800 IN NS ns2.cisco.com.
;; Received 101 bytes from 192.43.172.30#53(i.gtld-servers.net) in 79 ms
tools.cisco.com. 86400 IN NS sjck-dmz-gss1.cisco.com.
tools.cisco.com. 86400 IN NS rtp5-dmz-gss1.cisco.com.
tools.cisco.com. 86400 IN NS rcdn9-14p-dcz05n-gss1.cisco.com.
tools.cisco.com. 86400 IN NS cax01-bb14-dcz01n-gss1.cisco.com.
;; Received 226 bytes from 128.107.241.185#53(ns1.cisco.com) in 80 ms
;; Received 33 bytes from 173.37.144.100#53(cax01-bb14-dcz01n-gss1.cisco.com) in 45 ms
But a few minutes later without any change on my site, I was able to
solve it:
$ host tools.cisco.com.
tools.cisco.com has address 128.107.242.16
$ dig +trace tools.cisco.com
; <<>> DiG 9.6.1-P3 <<>> +trace tools.cisco.com
;; global options: +cmd
. 63242 IN NS l.root-servers.net.
. 63242 IN NS m.root-servers.net.
. 63242 IN NS f.root-servers.net.
. 63242 IN NS k.root-servers.net.
. 63242 IN NS j.root-servers.net.
. 63242 IN NS d.root-servers.net.
. 63242 IN NS g.root-servers.net.
. 63242 IN NS h.root-servers.net.
. 63242 IN NS i.root-servers.net.
. 63242 IN NS e.root-servers.net.
. 63242 IN NS c.root-servers.net.
. 63242 IN NS a.root-servers.net.
. 63242 IN NS b.root-servers.net.
;; Received 488 bytes from 134.74.14.2#53(134.74.14.2) in 7 ms
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
;; Received 505 bytes from 198.41.0.4#53(a.root-servers.net) in 13 ms
cisco.com. 172800 IN NS ns1.cisco.com.
cisco.com. 172800 IN NS ns2.cisco.com.
;; Received 101 bytes from 192.35.51.30#53(f.gtld-servers.net) in 104 ms
tools.cisco.com. 86400 IN NS rcdn9-14p-dcz05n-gss1.cisco.com.
tools.cisco.com. 86400 IN NS rtp5-dmz-gss1.cisco.com.
tools.cisco.com. 86400 IN NS cax01-bb14-dcz01n-gss1.cisco.com.
tools.cisco.com. 86400 IN NS sjck-dmz-gss1.cisco.com.
;; Received 226 bytes from 64.102.255.44#53(ns2.cisco.com) in 27 ms
tools.cisco.com. 20 IN A 128.107.242.16
;; Received 49 bytes from 64.102.246.5#53(rtp5-dmz-gss1.cisco.com) in 32 ms
You might be able to resolve it now too.
--
Shaoquan Lin, Computer Systems Manager
School of Engineering, City College of New York
Phone: (212) 650 6762 Fax: (212) 650 5768
E-mail: lin at ccny.cuny.edu
----- Original Message -----
From: "Mike Bernhardt" <bernhardt at bart.gov>
To: <bind-users at lists.isc.org>
Sent: Tuesday, March 01, 2011 3:39 PM
Subject: Help with unresolvable domain (subdomain, actually)
> For some reason, we can no longer resolve tools.cisco.com. There are several
> clues to the problem but I can't put them together. Here is some dig output.
> I know that the time stamps don't all match up below, but the results are
> typical:
>
> [root at ns1 ~]# dig +trace -b 148.165.3.10 tools.cisco.com
>
> ; <<>> DiG 9.4.3-P3 <<>> +trace -b 148.165.3.10 tools.cisco.com
> ;; global options: printcmd
> . 90550 IN NS i.root-servers.net.
> . 90550 IN NS h.root-servers.net.
> . 90550 IN NS e.root-servers.net.
> . 90550 IN NS d.root-servers.net.
> . 90550 IN NS j.root-servers.net.
> . 90550 IN NS k.root-servers.net.
> . 90550 IN NS l.root-servers.net.
> . 90550 IN NS g.root-servers.net.
> . 90550 IN NS f.root-servers.net.
> . 90550 IN NS a.root-servers.net.
> . 90550 IN NS m.root-servers.net.
> . 90550 IN NS c.root-servers.net.
> . 90550 IN NS b.root-servers.net.
> ;; Received 512 bytes from 148.165.3.10#53(148.165.3.10) in 0 ms
>
> com. 172800 IN NS l.gtld-servers.net.
> com. 172800 IN NS e.gtld-servers.net.
> com. 172800 IN NS k.gtld-servers.net.
> com. 172800 IN NS i.gtld-servers.net.
> com. 172800 IN NS m.gtld-servers.net.
> com. 172800 IN NS j.gtld-servers.net.
> com. 172800 IN NS a.gtld-servers.net.
> com. 172800 IN NS g.gtld-servers.net.
> com. 172800 IN NS c.gtld-servers.net.
> com. 172800 IN NS f.gtld-servers.net.
> com. 172800 IN NS b.gtld-servers.net.
> com. 172800 IN NS d.gtld-servers.net.
> com. 172800 IN NS h.gtld-servers.net.
> ;; Received 505 bytes from 198.41.0.4#53(a.root-servers.net) in 13 ms
>
> cisco.com. 172800 IN NS ns1.cisco.com.
> cisco.com. 172800 IN NS ns2.cisco.com.
> ;; Received 101 bytes from 192.54.112.30#53(h.gtld-servers.net) in 154 ms
>
> tools.cisco.com. 86400 IN NS rcdn9-14p-dcz05n-gss1.cisco.com.
> tools.cisco.com. 86400 IN NS rtp5-dmz-gss1.cisco.com.
> tools.cisco.com. 86400 IN NS sjck-dmz-gss1.cisco.com.
> tools.cisco.com. 86400 IN NS cax01-bb14-dcz01n-gss1.cisco.com.
> ;; Received 226 bytes from 64.102.255.44#53(ns2.cisco.com) in 75 ms
>
> ;; Received 33 bytes from 72.163.4.28#53(rcdn9-14p-dcz05n-gss1.cisco.com) in 47 ms
>
> Now, focusing in on rtp5-dmz-gss1.cisco.com for further analysis (just
> picked it out of the group):
> [root at ns1 ~]# dig -b 148.165.3.10 @rtp5-dmz-gss1.cisco.com tools.cisco.com
>
> ; <<>> DiG 9.4.3-P3 <<>> -b 148.165.3.10 @rtp5-dmz-gss1.cisco.com tools.cisco.com
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5165
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;tools.cisco.com. IN A
>
> ;; Query time: 75 msec
> ;; SERVER: 64.102.246.5#53(64.102.246.5)
> ;; WHEN: Tue Mar 1 12:22:57 2011
> ;; MSG SIZE rcvd: 33
>
>
> Here is the output of tcpdump on my server, querying the same server via
> nslookup elsewhere:
> [root at ns1 ~]# tcpdump host -i bond0 64.102.246.5 -n -p -vvv
> tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:14:53.373614 IP (tos 0x0, ttl 64, id 45237, offset 0, flags [none], proto: UDP (17), length: 61) 148.165.3.10.18673 > 64.102.246.5.domain: [bad udp cksum a78b!] 26095 A? tools.cisco.com. (33)
> 12:14:53.455684 IP (tos 0x0, ttl 54, id 7623, offset 0, flags [DF], proto: UDP (17), length: 61) 64.102.246.5.domain > 148.165.3.10.18673: [udp sum ok] 26095 ServFail- q: A? tools.cisco.com. 0/0/0 (33)
>
> Lastly, I see on our firewall log that we have a Checkpoint Smart Defense
> log entry due to its belief that Cisco is sending us a malformed query
> packet, and it's being dropped. I don't know why they're sending the query
> in the first place.
> Number: 2595791
> Date: 1Mar2011
> Time: 12:22:53
> Type: Log
> Action: Drop
> Service: domain-udp (53)
> Source Port: domain-udp
> Source: rtp5-dmz-gss1.cisco.com
> Destination: ns
> Protocol: udp
> Information: Packet info: Packet data size: 28
> Attack: Malformed Packet
> Attack Information: UDP length error
>
>
> Any ideas as to where the problem lies so I can pursue it further?
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
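
The 33-byte replies in the traces above are exactly a DNS header plus the question for tools.cisco.com, with no records behind it. The following is an added example, not part of either message: it builds such a reply from the values dig printed (id 5165, flags qr rd, status SERVFAIL) and decodes it. The sample bytes are constructed, not captured, and the function names are this example's own.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080)]

def build_message(msg_id, flags, name, qtype=1, qclass=1):
    """DNS header (12 bytes) plus one question and no resource records."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return (struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
            + qname + struct.pack("!HH", qtype, qclass))

def parse_message(data):
    """Decode the header and the single question; count bytes left for records."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(data):
            raise ValueError("question name runs past end of message")
        n = data[pos]
        pos += 1
        if n == 0:  # root label terminates the name
            break
        if n > 63 or pos + n > len(data):
            raise ValueError("bad label length in question name")
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(data):
        raise ValueError("question type/class missing")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {
        "id": msg_id,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "status": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "question": ".".join(labels) + ".",
        "qtype": qtype,
        "counts": (qd, an, ns, ar),  # QUERY, ANSWER, AUTHORITY, ADDITIONAL
        "record_bytes": len(data) - (pos + 4),
    }

# Constructed sample mirroring the dig output: id 5165, flags qr rd, SERVFAIL.
SAMPLE = build_message(5165, 0x8102, "tools.cisco.com")

if __name__ == "__main__":
    print(len(SAMPLE), parse_message(SAMPLE))
```
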