Strange problem with a query deleting a record...
Kevin Darcy
kcd at chrysler.com
Fri Aug 23 15:19:29 UTC 2013
On 8/22/2013 12:55 PM, johnh at primebuchholz.com wrote:
> Greetings All,
>
> First of all, I apologize if this is out of place - I'm having a very
> strange issue that is either a problem with bind itself, or at least,
> affecting it. Summary:
>
> For only ONE address, whenever I attempt to access it through my squid
> proxy, the record disappears from DNS, and the retry time changes too.
> Essentially, accessing www.thisdomain.com works, but a link to a portal on
> that page to the subdomain login.thisdomain.com causes the problem. I'm
> willing to bet the problem lies with squid, but as to how it could
> possibly change a record in bind... Well, I'm stumped. If you don't go
> through squid, everything works. All other requests to bind for the
> address of the host in question work fine. Here's a the output of dig from
> before accessing the page through squid:
>
> ; <<>> DiG 9.4.1-P1 <<>> login.thisdomain.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45037
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;login.thisdomain.com. IN A
>
> ;; ANSWER SECTION:
> login.thisdomain.com. 17 IN A 111.222.333.123
>
> ;; AUTHORITY SECTION:
> thisdomain.com. 168319 IN NS ns1.thisdomain.com.
> thisdomain.com. 168319 IN NS ns2.thisdomain.com.
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Aug 22 12:29:57 2013
> ;; MSG SIZE rcvd: 88
>
> You can do anything to request the address from bind and it works,
> *except* try to access it through squid. Bypassing squid and going
> directly through the firewall works fine.
>
> Now, immediately after you try to access it through squid:
>
> ; <<>> DiG 9.4.1-P1 <<>> login.thisdomain.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43943
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;login.thisdomain.com. IN A
>
> ;; AUTHORITY SECTION:
> thisdomain.com. 298 IN SOA ns1.thisdomain.com.
> serv.anotherdomain.com. 2006062510 3600 3600 2592000 300
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Aug 22 12:30:06 2013
> ;; MSG SIZE rcvd: 95
>
> After the 5-minute retry shown above expires, the original record
> reappears.
>
> Ideas? I'm stumped. It seems like squid is somehow able to corrupt
> bind's info, but I can't imagine how.
I have a theory. If this is a name that's hosted on a stupid
load-balancer, and that load-balancer doesn't understand non-A-record
query types, then if Squid is sending a non-A query type (e.g. SRV,
possibly even AAAA, if it's *really* stupid), then the load-balancer may
be erroneously "poisoning" your cache with an NXDOMAIN response.
We ran into this many years ago with Cisco GSSes (Global Site Selectors)
and work around it by having a "shadow" version of the zone, which the
GSSes proxy to for QTYPEs they don't handle. That "shadow" version of
the zone has a wildcard entry in it which forces responses to be NODATA
instead of NXDOMAIN, and this prevents the cache poisoning.
- Kevin
More information about the bind-users
mailing list