Thank both of you.
Kevin, you're right. We have a Checkpoint firewall which is configured to do some kind of DNS protection using SmartDefense; it is called protocol enforcement and can be UDP or TCP. We have UDP protection enabled; its description is the following one (copy & paste from Checkpoint):
-------------------------
Attack Description:
DNS protocol is used to identify servers according to their IP addresses and
aliases. DNS protocol messages can be transported over TCP or UDP.
To infect a network with malicious content, attackers attempt to change the
content of a DNS packet sent over TCP or UDP with the hope that it will enter
the network undetected.
SmartDefense Protection:
SmartDefense is able to recognize a DNS packet that has been altered. This
ability enables SmartDefense to catch potentially harmful packets before they
enter the network.
SmartDefense enables a system administrator to enforce TCP and UDP protocols.
Only pure DNS packets sent over TCP or UDP will be able to enter the network.
In this case, all DNS port connections over UDP and TCP will be monitored to
verify that every DNS packet attempting to enter the network has not been
altered.
With the enforcement of the UDP and TCP protocols the potential for maliciously
altered DNS packets to enter the system is decreased.
A monitor-only mode makes it possible to track unauthorized traffic without
blocking it.
-----------------------
If I disable this protection the .org resolution works fine!! So that is the case: the firewall is dropping the packets with this DNSSEC stuff in them.
Jeremy, I've enabled DNS protection in our firewall and I've carried out the tests you suggested:
With dnssec enabled:
[r...@dnsint01 bin]# ./dig +cd www.madrid.org @10.20.29.22
; <<>> DiG 9.6.0-P1 <<>> +cd www.madrid.org @10.20.29.22
;; global options: +cmd
;; connection timed out; no servers could be reached
[r...@dnsint bin]#
and in named.logs:
03-Jun-2009 20:03:03.826 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:03:13.875 unexpected RCODE (SERVFAIL) resolving 'www.madrid.org/A/IN': 199.249.112.1#53
After adding "dnssec-enable no;" to the options section of named.conf:
[r...@dnsint01 bin]# ./dig +cd www.madrid.org @10.20.29.22
; <<>> DiG 9.6.0-P1 <<>> +cd www.madrid.org @10.20.29.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17343
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 9, ADDITIONAL: 0
;; QUESTION SECTION:
;www.madrid.org. IN A
;; ANSWER SECTION:
www.madrid.org. 1800 IN CNAME www.madrid.org.edgesuite.net.
www.madrid.org.edgesuite.net. 21600 IN CNAME a621.b.akamai.net.
a621.b.akamai.net. 20 IN CNAME a621.b.akamai.net.0.1.cn.akamaitech.net.
a621.b.akamai.net.0.1.cn.akamaitech.net. 20 IN A 80.157.169.10
a621.b.akamai.net.0.1.cn.akamaitech.net. 20 IN A 80.157.169.19
;; AUTHORITY SECTION:
cn.akamaitech.net. 1799 IN NS n4cn.akamaitech.net.
cn.akamaitech.net. 1799 IN NS n1cn.akamaitech.net.
cn.akamaitech.net. 1799 IN NS n0cn.akamaitech.net.
cn.akamaitech.net. 1799 IN NS n2cn.akamaitech.net.
cn.akamaitech.net. 1799 IN NS n7cn.akamaitech.net.
cn.akamaitech.net. 1799 IN NS n6cn.akamaitech.net.
cn.akamaitech.net. 1799 IN NS n5cn.akamaitech.net.
cn.akamaitech.net. 1799 IN NS n8cn.akamaitech.net.
cn.akamaitech.net. 1799 IN NS n3cn.akamaitech.net.
;; Query time: 4079 msec
;; SERVER: 10.20.29.22#53(10.20.29.22)
;; WHEN: Wed Jun 3 20:08:36 2009
;; MSG SIZE rcvd: 355
[r...@dnsint01 bin]#
and in named.log:
03-Jun-2009 20:04:17.251 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:40::1#53
03-Jun-2009 20:04:18.494 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:b::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:48::1#53
03-Jun-2009 20:04:19.805 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:f::1#53
03-Jun-2009 20:04:21.344 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:e::1#53
03-Jun-2009 20:04:22.704 network unreachable resolving 'www.madrid.org/A/IN': 2001:500:c::1#53
03-Jun-2009 20:04:22.776 success resolving 'www.madrid.org/A' (in 'madrid.org'?) after disabling EDNS
Note: I've realized that messages of the kind "network unreachable resolving" are very common in the named logs.
Note: The same behaviour occurs with other .org domains.
Thank you.
> Date: Wed, 3 Jun 2009 12:18:28 -0500
> From: jr...@isc.org
> To: cut...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: Re: Problem with .org domain resolution
>
> On Wed, 3 Jun 2009, Kevin Darcy wrote:
>
> > Kevin Darcy wrote:
> > > Since .org was recently DNSSEC-signed
> > > (http://www.afilias.info/afilias+signs+org+zone), my guess would be that
> > > you
> > > have a firewall, an intrusion-prevention device, or somesuch, that is
> > > dropping the packets because it doesn't understand the DNSSEC records
> > > contained in them.
>
> (Ignoring the "never mind" ...)
>
> That might be the case. 9.6 has DNSSEC validation enabled by default so
> the corresponding DNSSEC records and signatures may be sent back
> regardless if the label requested is signed or not. Such as the NSEC3
> (TYPE50) and RRSIGs in the AUTHORITY section.
>
> Juan:
>
> Please use dig instead.
>
> Please try with DNSSEC checking disabled, for example:
>
> dig +cd www.mirrorservice.org @10.20.29.22
>
> dig +cd www.madrid.org @10.20.29.22
>
> dig +cd www.wikipedia.org @10.20.29.22
>
> Please look at your BIND logging. (Maybe search for "error".)
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
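An added diagnostic, not code from the thread, from BIND or from Check Point: it builds the EDNS0 query with the DO bit that BIND 9.6 sends by default, and summarises which of the features a "pure DNS" enforcer has to pass (the OPT pseudo-record, NSEC3 and RRSIG records) appear in a wire-format message, so an operator can compare what leaves the resolver with what comes back through the firewall. The sample reply, example.org and the address 192.0.2.10 are constructed.

```python
import random, struct

DNSSEC_TYPES = {43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3"}

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]   # uncompressed DNS labels
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, dnssec_ok=True, udp_size=4096):
    """Wire-format query; with dnssec_ok an EDNS0 OPT RR with the DO bit is appended (BIND 9.6 default)."""
    header = struct.pack("!HHHHHH", random.randrange(65536), 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP size, TTL = flags (DO = 0x8000), no RDATA
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000, 0)
    return msg

def _skip_name(msg, off):
    while True:                      # advance past a (possibly compressed) name
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln

def summarize(msg):
    """Report RCODE, whether an OPT RR is present and which DNSSEC RR types appear."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, types = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": msg[3] & 0x0F, "edns": 41 in types,
            "dnssec": sorted(DNSSEC_TYPES[t] for t in set(types) if t in DNSSEC_TYPES)}

def _rr(name, rtype, rdata, ttl=20):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample reply (not a capture): A answer, NSEC3/RRSIG authority (opaque placeholder rdata), OPT RR
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 2, 1)
                + encode_name("www.example.org") + struct.pack("!HH", 1, 1)
                + _rr("www.example.org", 1, bytes([192, 0, 2, 10]))
                + _rr("abc123.example.org", 50, b"\x01\x00\x00\x05" + b"\x00" * 8)
                + _rr("abc123.example.org", 46, b"\x00" * 18 + encode_name("example.org") + b"\x00" * 64)
                + b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0))
```

Sending `build_query(...)` to port 53 of the resolver from each side of the firewall and running `summarize` on what arrives shows whether the OPT record or the DNSSEC types are what the enforcement drops; `summarize` works on the query too, since it has the same header layout.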