bind-users Digest, Vol 1727, Issue 1

Mukund Sivaraman muks at isc.org
Mon Jul 4 11:41:04 UTC 2016


Hi Amit

On Mon, Jul 04, 2016 at 04:32:07PM +0530, Amit Kumar Gupta wrote:
> Dear All,
> 
> We are Tier 2 ISP in Delhi. Our subscribers are not able to open dropbox.com using our DNS IPs.
> BIND version is 9.8.0.
> 
> Regards
> Manager(Internet-Systems)
> MTNL Delhi

As an internet user, I'd expect my ISP to be using current versions of
software that are not vulnerable or buggy. BIND 9.8.0 is an ancient
version of BIND. BIND 9.8.x release branch reached its end of life in
September 2014. BIND 9.8.0 is much older than that (released in February
2011).

https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html

As you appear to be the manager of internet systems at your organization
from your signature, is it not your responsibility to use recent versions
of software that have not reached their end of life?

For your resolution problem, I'd recommend that you start by:

1. Upgrading to a current version of BIND.

2. Looking at named log output to see what happens when you're trying to
resolve the domain.

> bash-3.2# dig  dropbox.com 203.94.243.70

I assume 203.94.243.70 is the IP of the resolver that you're trying to
use. In this case, this is not the correct syntax. Use:

dig dropbox.com @203.94.243.70

> ; <<>> DiG 9.6-ESV-R4-P2 <<>> dropbox.com 203.94.243.70
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

This error means that a nameserver(/resolver) could not be reached.

> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40790
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;203.94.243.70.                 IN      A

As you can see, due to the incorrect syntax, it's attempting to resolve
the address record of the name "203.94.243.70." which is probably not
what you want.

Please start by upgrading your systems (resolvers) to use a current
version of BIND.  Check that the client has a working route to the
resolver. Check the log output of named for information on whether it is
receiving client queries and any messages it logs about why the
resolution is failing.

As manager of internet systems at your organization, check and see if
any other software that you are using is way past its end of life.

		Mukund
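
The two symptoms discussed in this message (no server reached, and a QUESTION section holding the resolver's address because the "@" was omitted) can be picked out of saved dig output mechanically. The script below is an added example, not part of the original message; the sample input is constructed from the dig lines quoted above, and the finding labels are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example: triage saved dig output for the two symptoms in this thread.
# Finding labels (NO_SERVER_REACHED, STATUS, QNAME_IS_IP) are hypothetical names.

# Read dig output on stdin and print one finding per line.
triage_dig_output() {
    awk '
        # dig could not contact any server it tried.
        /connection timed out; no servers could be reached/ {
            print "NO_SERVER_REACHED"
        }
        # Response code from the header line of an answer.
        /HEADER/ && match($0, /status: [A-Z]+/) {
            print "STATUS " substr($0, RSTART + 8, RLENGTH - 8)
        }
        # The line after the section header is ";<qname> <class> <type>".
        in_q {
            in_q = 0
            qname = substr($1, 2)
            sub(/\.$/, "", qname)
            # A dotted-quad QNAME means the resolver address was given
            # without "@" and was queried as a name instead.
            if (qname ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                print "QNAME_IS_IP " qname " use @" qname
        }
        /^;; QUESTION SECTION:/ { in_q = 1 }
    '
}

# Constructed sample: the dig lines quoted in the message, without "> ".
sample_dig_output() {
    cat <<'EOF'
; <<>> DiG 9.6-ESV-R4-P2 <<>> dropbox.com 203.94.243.70
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40790
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;203.94.243.70.                 IN      A
EOF
}

sample_dig_output | triage_dig_output
```

Against live output, pipe the corrected command into the same function: `dig dropbox.com @203.94.243.70 | triage_dig_output`.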