Intouch DNS loops keeps dns servers busy
Shadow Hawkins on Wednesday, 07 April 2004 20:36:16
Hi,
My nameservers keep trying to resolve intouch addresses with no good result.
ard@asus1:~$ whois intouch.net | grep NS\.
Registrar: NETWORK SOLUTIONS, INC.
Name Server: NS01.INTOUCH.NET
Name Server: NS.INTOUCH.NL
Name Server: NS.INTOUCH.NET
NS.INTOUCH.NL 212.19.192.1
NS.INTOUCH.NET 212.26.192.1
NS01.INTOUCH.NET 212.19.195.4
So this means I can use any of these 3 ips to resolve the AAAA record:
ard@asus1:~$ dig @212.19.195.4 ns01.intouch.net aaaa
; <<>> DiG 9.2.3 <<>> @212.19.195.4 ns01.intouch.net aaaa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19322
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ns01.intouch.net. IN AAAA
;; ANSWER SECTION:
ns01.intouch.net. 3600 IN CNAME blade230.intouch.net.
blade230.intouch.net. 3600 IN CNAME blade230.intouch.net.
This means that the name of the nameserver is actually a cname, and that that again is a cname to itself. At this point the dns is of course completely broken, but that could have been due to a faulty configuration.
Then we look further:
ard@asus1:~$ dig @212.19.195.4 ns01.intouch.net a
; <<>> DiG 9.2.3 <<>> @212.19.195.4 ns01.intouch.net a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53620
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ns01.intouch.net. IN A
;; ANSWER SECTION:
ns01.intouch.net. 3600 IN A 212.19.195.4
;; Query time: 24 msec
;; SERVER: 212.19.195.4#53(212.19.195.4)
;; WHEN: Wed Apr 7 19:47:00 2004
;; MSG SIZE rcvd: 50
In the first request we learned that it was a CNAME, and in the second request it is actually not a CNAME, which is as far as I know not possible. It should be a CNAME (in case of a nameserver IP address lookup I find that very bad) or it should not be a CNAME, not both.
Anyway, my nameserver for internal use (bind8) tries hard to get any ip address for the nameserver of intouch (that means it will try ipv6 first). This costs me about 26kBytes/s continuous dns traffic. Since this is a very standard setup, I guess a lot of others will experience this too. Anyway, I will upgrade my nameserver to bind9 or so.
But does anyone have a clue what is really the right solution? Clearly the answers of the intouch nameservers are completely wrong, but what should be the correct action of my nameserver? The thing is that the nameservers have no authority for the A or the AAAA records of the complete intouch.(net|nl) domain, so I guess this is why my nameserver tries so hard. (It has authority for the soa).
F.i.: This is a correct reply:
avb@nerdcentral:~$ dig @ns1.kwaak.net ns1.kwaak.net aaaa
; <<>> DiG 9.2.3 <<>> @ns1.kwaak.net ns1.kwaak.net aaaa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24091
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ns1.kwaak.net. IN AAAA
;; AUTHORITY SECTION:
kwaak.net. 259200 IN SOA ns1.kwaak.net. root.kwaak.net. 2004032900 86400 3600 604800 259200
;; Query time: 19 msec
;; SERVER: 62.251.26.171#53(ns1.kwaak.net)
;; WHEN: Wed Apr 7 20:33:13 2004
;; MSG SIZE rcvd: 72
It clearly states: ANSWER:0, AUTHORITY:1, whereas the intouch nameservers state: ANSWER:n, AUTHORITY:0.
Hmmm, I think I will write intouch an e-mail...
Their nameservers are really getting slow...
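The checks worked through by hand in the post above (a CNAME that points at itself, a CNAME and an A record at the same name, and the ANSWER: 0 / AUTHORITY: 1 shape of the kwaak.net reply), as an added Python example that is not part of the original thread. The function names and finding strings are made up for this illustration, and the sample data is cut down from the dig output quoted in the post.

```python
import re

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")  # owner TTL IN type rdata

def parse_dig(text):
    """Return (status, answer, authority) parsed from dig's text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    sections, current = {"ANSWER": [], "AUTHORITY": []}, None
    for line in map(str.strip, text.splitlines()):
        head = re.match(r";; (\w+) SECTION:", line)
        if head:
            current = head.group(1)
        elif current in sections and (m := RR.match(line)):
            sections[current].append((m[1].lower(), m[2], m[3].lower()))
    return status, sections["ANSWER"], sections["AUTHORITY"]

def diagnose(texts):
    """Flag CNAME loops, CNAME-plus-other-data, and classify empty answers."""
    findings, types_at = set(), {}
    for text in texts:
        status, answer, authority = parse_dig(text)
        cname = {owner: tgt for owner, rtype, tgt in answer if rtype == "CNAME"}
        for owner, rtype, _ in answer:
            types_at.setdefault(owner, set()).add(rtype)
        for name in cname:  # follow each chain; a revisited name never resolves
            seen = set()
            while name in cname and name not in seen:
                seen.add(name)
                name = cname[name]
            if name in seen:
                findings.add(f"CNAME loop at {name}")
        if status == "NOERROR" and not answer:
            has_soa = any(rtype == "SOA" for _, rtype, _ in authority)
            findings.add("NODATA with SOA" if has_soa else "empty answer, no SOA")
    for owner, types in types_at.items():  # compared across all responses
        if "CNAME" in types and len(types) > 1:
            findings.add(f"CNAME and other data at {owner}")
    return sorted(findings)

# Sample data reduced from the dig output in the post (header line shortened).
HDR = ";; ->>HEADER<<- opcode: QUERY, status: %s, id: 1\n;; %s SECTION:\n"
INTOUCH_AAAA = HDR % ("SERVFAIL", "ANSWER") + (
    "ns01.intouch.net. 3600 IN CNAME blade230.intouch.net.\n"
    "blade230.intouch.net. 3600 IN CNAME blade230.intouch.net.\n")
INTOUCH_A = HDR % ("NOERROR", "ANSWER") + "ns01.intouch.net. 3600 IN A 212.19.195.4\n"
KWAAK_AAAA = HDR % ("NOERROR", "AUTHORITY") + (
    "kwaak.net. 259200 IN SOA ns1.kwaak.net. root.kwaak.net. "
    "2004032900 86400 3600 604800 259200\n")
print(diagnose([INTOUCH_AAAA, INTOUCH_A, KWAAK_AAAA]))
```

The CNAME-and-other-data finding only appears when the AAAA and A responses are checked together, which is why `diagnose` takes a list.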
Intouch DNS loops keeps dns servers busy
Jeroen Massar on Thursday, 08 April 2004 09:50:27
And what has this to do with SixXS? :)