date:20130207

Re: reverse resolution failing

2013-02-07 Thread Mark Andrews


In message , Warren Kumari wri
tes:
> Hmmm
> 
> So, for many years I've wondered this. I've looked a little myself, and 
> spoken to a few folk, but never gotten a really satisfactory answer -- 
> maybe there just isn't one
> 
> You often see freaky things like the above (actually, this one is only 
> somewhat freaky), where nameserver implementation behave in bizarre / 
> insane manners. For many of these it seems as through the NS is simply 
> bored, and misbehaving for entertainment purposes ("Whhheee! I'll reply 
> to all A queries with TXT answers, lets see what they make of that!", or, 
> my favorite, "Whatever folk ask, I'll reply with a cname containing the 
> query name, but with alternate labels swapped...").
> For example, even if I tried (well, without much hacking) I cannot figure 
> out how to duplicate Saturn's behavior
> What is it about the DNS protocol that leads to this? Do folk look at all 
> the existing auth server offerings and decide "No, don't like those, I'll 
> just write my own in haskel!"?
> Or is is simply that nameservers themselves are malicious bastards? Are 
> they all conspiring against us? Is there some very subtle joke that we 
> are not seeing?
> 
> W

They want a load balancer but don't want to pay the money to get a
product that does it correctly so they look around for cheaper
alternatives which often don't cover all of the protocol.

The other thing that is common is the operator can't configure the
load balancer correctly.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse resolution failing

2013-02-07 Thread Warren Kumari

On Feb 7, 2013, at 12:51 PM, Tony Finch  wrote:

> Jim Pazarena  wrote:
>> 
>> while it can resolve "webmail.acrodex.com" ( 139.142.184.10 )
>> it cannot reverse resolve 139.142.184.10
> 
> They are using classless reverse DNS, which is fine except that the
> nameservers for the target zone are very broken.
> 
> 10.184.142.139.in-addr.arpa. CNAME 10.0-25.184.142.139.in-addr.arpa.
> 
> 0-25.184.142.139.in-addr.arpa. NS pluto.acrodex.com.
> 0-25.184.142.139.in-addr.arpa. NS nova.acrodex.com.
> 0-25.184.142.139.in-addr.arpa. NS saturn.acrodex.com.
> 
> Nova does not exist.
> 
> Pluto refuses most questions for 10.0-25.184.142.139.in-addr.arpa except
> if you ask for a PTR, in which case it replies with a bogus question
> section containing 139.0.184.142.in-addr.arpa.
> 
> Saturn works OK for most questions, and returns a PTR record if you ask
> for ANY, but if you request a PTR directly it ignores you.

Hmmm…

So, for many years I've wondered this. I've looked a little myself, and spoken 
to a few folk, but never gotten a really satisfactory answer -- maybe there 
just isn't one…

You often see freaky things like the above (actually, this one is only somewhat 
freaky), where nameserver implementation behave in bizarre / insane manners. 
For many of these it seems as through the NS is simply bored, and misbehaving 
for entertainment purposes ("Whhheee! I'll reply to all A queries with TXT 
answers, lets see what they make of that!", or, my favorite, "Whatever folk 
ask, I'll reply with a cname containing the query name, but with alternate 
labels swapped...…").
For example, even if I tried (well, without much hacking) I cannot figure out 
how to duplicate Saturn's behavior…

What is it about the DNS protocol that leads to this? Do folk look at all the 
existing auth server offerings and decide "No, don't like those, I'll just 
write my own… in haskel!"?
Or is is simply that nameservers themselves are malicious bastards? Are they 
all conspiring against us? Is there some very subtle joke that we are not 
seeing?

W

> 
> Tony.
> -- 
> f.anthony.n.finchhttp://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

--
There were such things as dwarf gods. Dwarfs were not a naturally religious 
species, but in a world where pit props could crack without warning and pockets 
of fire damp could suddenly explode they'd seen the need for gods as the sort 
of supernatural equivalent of a hard hat. Besides, when you hit your thumb with 
an eight-pound hammer it's nice to be able to blaspheme. It takes a very 
special and straong-minded kind of atheist to jump up and down with their hand 
clasped under their other armpit and shout, "Oh, 
random-fluctuations-in-the-space-time-continuum!" or "Aaargh, 
primitive-and-outmoded-concept on a crutch!"
  -- Terry Pratchett

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: IPv6 Only NS

2013-02-07 Thread Kevin Darcy


On 2/7/2013 1:42 PM, Matt wrote:

I am using Bind for caching only.  Currently my VM only has IPv4
access.  Is there a way to selectively forward any requests that only
have IPv6 nameservers to another DNS server that is dual stacked?
Hmmm... Is anyone actually publishing IPv6-accessible nameservers for 
their zone *exclusively*? Really? On the Internet? Can you give an example?


If that's the case, there's nothing I can think of within BIND to 
support IPv6-to-IPv4-forwarding-failover, as you describe.


Be aware that you can talk IPv6 even if you don't have IPv6 present on 
your local LAN or any of your next-hop gateways. Set up an IPv6-in-IPv4 
tunnel to a co-operating dual-stack node, and set your static route(s) 
accordingly (or run a dynamic-routing-protocol daemon on the tunnel, if 
you're really adventurous :-). Of course, this will affect *everything* 
running on your VM, not just DNS.


If, after accomplishing that, you still want to preference (native) IPv4 
access over (tunneled) IPv6 access, hopefully your underlying OS 
respects RFC 6724 source/destination address selection -- in that case, 
you should be able to tweak the "policy table" to accomplish the desired 
preferencing. If it doesn't support RFC 6724, then that's a much more 
difficult challenge...


If not is there a way to forward all requests that are not cached to a
parent nameserver?
Not sure what you're trying to accomplish with that. If you have 
forwarding set up, and the answer to a query isn't cached, you're going 
to forward. If it is cached, you'll answer from cache. So, how does what 
you ask above differ from regular BIND forwarding?

Also, is there a way to specify a backup parent NS
and ONLY use it if primary fails?
Do you mean "NS" here? Or "forwarder"? I know of no way to manually 
"preference" the forwarders in a list, although you might find that the 
forwarder that responds fastest -- and thus gets automatically selected 
for the vast majority of the queries, according to its round-trip-time 
statistics -- is the one you would want to manually preference anyway...


- Kevin

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: IPv6 Only NS

2013-02-07 Thread Mark Andrews


In message 
, Matt writes:
> I am using Bind for caching only.  Currently my VM only has IPv4
> access.  Is there a way to selectively forward any requests that only
> have IPv6 nameservers to another DNS server that is dual stacked?

See dual-stack-servers.
 
> If not is there a way to forward all requests that are not cached to a
> parent nameserver?  Also, is there a way to specify a backup parent NS
> and ONLY use it if primary fails?
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse resolution failing

2013-02-07 Thread Mark Andrews


In message <20130207184127.ga23...@fantomas.sk>, Matus UHLAR - fantomas writes:
> >Jim Pazarena  wrote:
> >>
> >> while it can resolve "webmail.acrodex.com" ( 139.142.184.10 )
> >> it cannot reverse resolve 139.142.184.10
> 
> On 07.02.13 17:51, Tony Finch wrote:
> >10.184.142.139.in-addr.arpa. CNAME 10.0-25.184.142.139.in-addr.arpa.
> >
> >0-25.184.142.139.in-addr.arpa. NS pluto.acrodex.com.
> >0-25.184.142.139.in-addr.arpa. NS nova.acrodex.com.
> >0-25.184.142.139.in-addr.arpa. NS saturn.acrodex.com.
> >
> >Nova does not exist.
> >
> >Pluto refuses most questions for 10.0-25.184.142.139.in-addr.arpa except
> >if you ask for a PTR, in which case it replies with a bogus question
> >section containing 139.0.184.142.in-addr.arpa.
> >
> >Saturn works OK for most questions, and returns a PTR record if you ask
> >for ANY, but if you request a PTR directly it ignores you.

It actually returns a response with a mismatching question section.
 
% dig 10.0-25.184.142.139.in-addr.arpa @saturn.acrodex.com +norec ptr
;; Question section mismatch: got 139.0.184.142.in-addr.arpa/PTR/IN
;; Question section mismatch: got 139.0.184.142.in-addr.arpa/PTR/IN
;; Question section mismatch: got 139.0.184.142.in-addr.arpa/PTR/IN

; <<>> DiG 9.10.0pre-alpha <<>> 10.0-25.184.142.139.in-addr.arpa 
@saturn.acrodex.com +norec ptr
;; global options: +cmd
;; connection timed out; no servers could be reached
% 

> some kind of lame DNS "load balancers"?

Looks like it.  Something which intecepts the PTR queries and forwards other
queries onto a full blown server.

Mark
 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Chernobyl was an Windows 95 beta test site.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

IPv6 Only NS

2013-02-07 Thread Matt

I am using Bind for caching only.  Currently my VM only has IPv4
access.  Is there a way to selectively forward any requests that only
have IPv6 nameservers to another DNS server that is dual stacked?

If not is there a way to forward all requests that are not cached to a
parent nameserver?  Also, is there a way to specify a backup parent NS
and ONLY use it if primary fails?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse resolution failing

2013-02-07 Thread Matus UHLAR - fantomas


Jim Pazarena  wrote:


while it can resolve "webmail.acrodex.com" ( 139.142.184.10 )
it cannot reverse resolve 139.142.184.10


On 07.02.13 17:51, Tony Finch wrote:

10.184.142.139.in-addr.arpa. CNAME 10.0-25.184.142.139.in-addr.arpa.

0-25.184.142.139.in-addr.arpa. NS pluto.acrodex.com.
0-25.184.142.139.in-addr.arpa. NS nova.acrodex.com.
0-25.184.142.139.in-addr.arpa. NS saturn.acrodex.com.

Nova does not exist.

Pluto refuses most questions for 10.0-25.184.142.139.in-addr.arpa except
if you ask for a PTR, in which case it replies with a bogus question
section containing 139.0.184.142.in-addr.arpa.

Saturn works OK for most questions, and returns a PTR record if you ask
for ANY, but if you request a PTR directly it ignores you.


some kind of lame DNS "load balancers"?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse resolution failing

2013-02-07 Thread Rich Goodson

tail end of dig +trace:

142.139.in-addr.arpa.   86400   IN  NS  ns1.clgrab.grouptelecom.net.
142.139.in-addr.arpa.   86400   IN  NS  ns2.toroon.grouptelecom.net.
;; Received 111 bytes from 199.71.0.63#53(199.71.0.63) in 153 ms

10.184.142.139.in-addr.arpa. 86400 IN   CNAME   
10.0-25.184.142.139.in-addr.arpa.
0-25.184.142.139.in-addr.arpa. 86400 IN NS  saturn.acrodex.com.
0-25.184.142.139.in-addr.arpa. 86400 IN NS  pluto.acrodex.com.



Looks like it's been delegated rfc2317-style to saturn.acrodex.com and 
pluto.acrodex.com:

pluto seems to work for direct queries:

ga-vl-mkt2131:~ rgoodson$ dig +norec @pluto.acrodex.com 
10.184.142.139.in-addr.arpa PTR

; <<>> DiG 9.8.3-P1 <<>> +norec @pluto.acrodex.com 10.184.142.139.in-addr.arpa 
PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37966
;; flags: qr ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.184.142.139.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
10.184.142.139.in-addr.arpa. 30459 IN   CNAME   
10.0-25.184.142.139.in-addr.arpa.
10.0-25.184.142.139.in-addr.arpa. 3600 IN PTR   webmail.acrodex.com.

;; Query time: 129 msec
;; SERVER: 139.142.184.4#53(139.142.184.4)
;; WHEN: Thu Feb  7 11:50:33 2013
;; MSG SIZE  rcvd: 100


but I get SERVFAIL from saturn

ga-vl-mkt2131:~ rgoodson$ dig +norec @saturn.acrodex.com 
10.184.142.139.in-addr.arpa PTR

; <<>> DiG 9.8.3-P1 <<>> +norec @saturn.acrodex.com 10.184.142.139.in-addr.arpa 
PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36190
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.184.142.139.in-addr.arpa.   IN  PTR

;; Query time: 90 msec
;; SERVER: 204.191.11.5#53(204.191.11.5)
;; WHEN: Thu Feb  7 11:49:48 2013
;; MSG SIZE  rcvd: 45


--
Rich Goodson
Sr. Unix System Administrator
Mediacom Communications
2195 Ingersoll Ave
Des Moines, IA 50312
5-7109 Internal
515/246-2284 Office
515/783-1684 Cell
rgood...@mediacomcc.com
sudo [ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo "You live"
--Russian roulette in BASH

On Feb 7, 2013, at 11:38 AM, Sten Carlsen  wrote:

> It does not resolve from my IP, probably there is no reverse entry.
> 
> 
> On 07/02/13 18:31, Jim Pazarena wrote:
>> my named is 9.9.0 
>> 
>> while it can resolve "webmail.acrodex.com" ( 139.142.184.10 ) 
>> 
>> it cannot reverse resolve 139.142.184.10 
>> 
>> (example follows). 
>> However, if I do a simply nslookup using goodle DNS. 
>> nslookup 139.142.184.10 8.8.8.8 
>> IT WORKS! 
>> 
>> Can anyone suggest where I may be going wrong with this? 
>> my "dig" response follows. 
>> Many thanks! 
>> 
>> Jim 
>> 
>> mail# dig -x 139.142.184.10 
>> 
>> ; <<>> DiG 9.9.0 <<>> -x 139.142.184.10 
>> ;; global options: +cmd 
>> ;; Got answer: 
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49017 
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 
>> 
>> ;; OPT PSEUDOSECTION: 
>> ; EDNS: version: 0, flags:; udp: 4096 
>> ;; QUESTION SECTION: 
>> ;10.184.142.139.in-addr.arpa.   IN  PTR 
>> 
>> ;; Query time: 125 msec 
>> ;; SERVER: 207.34.147.93#53(207.34.147.93) 
>> ;; WHEN: Thu Feb  7 09:30:12 2013 
>> ;; MSG SIZE  rcvd: 56 
>> 
>> mail# 
>> ___ 
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list 
>> 
>> bind-users mailing list 
>> bind-users@lists.isc.org 
>> https://lists.isc.org/mailman/listinfo/bind-users 
> 
> -- 
> Best regards
> 
> Sten Carlsen
> 
> No improvements come from shouting:
> 
>"MALE BOVINE MANURE!!!" 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse resolution failing

2013-02-07 Thread Tony Finch

Jim Pazarena  wrote:
>
> while it can resolve "webmail.acrodex.com" ( 139.142.184.10 )
> it cannot reverse resolve 139.142.184.10

They are using classless reverse DNS, which is fine except that the
nameservers for the target zone are very broken.

10.184.142.139.in-addr.arpa. CNAME 10.0-25.184.142.139.in-addr.arpa.

0-25.184.142.139.in-addr.arpa. NS pluto.acrodex.com.
0-25.184.142.139.in-addr.arpa. NS nova.acrodex.com.
0-25.184.142.139.in-addr.arpa. NS saturn.acrodex.com.

Nova does not exist.

Pluto refuses most questions for 10.0-25.184.142.139.in-addr.arpa except
if you ask for a PTR, in which case it replies with a bogus question
section containing 139.0.184.142.in-addr.arpa.

Saturn works OK for most questions, and returns a PTR record if you ask
for ANY, but if you request a PTR directly it ignores you.

Tony.
-- 
f.anthony.n.finchhttp://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse resolution failing

2013-02-07 Thread Sten Carlsen

It does not resolve from my IP, probably there is no reverse entry.


On 07/02/13 18:31, Jim Pazarena wrote:
> my named is 9.9.0
>
> while it can resolve "webmail.acrodex.com" ( 139.142.184.10 )
>
> it cannot reverse resolve 139.142.184.10
>
> (example follows).
> However, if I do a simply nslookup using goodle DNS.
> nslookup 139.142.184.10 8.8.8.8
> IT WORKS!
>
> Can anyone suggest where I may be going wrong with this?
> my "dig" response follows.
> Many thanks!
>
> Jim
>
> mail# dig -x 139.142.184.10
>
> ; <<>> DiG 9.9.0 <<>> -x 139.142.184.10
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49017
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;10.184.142.139.in-addr.arpa.   IN  PTR
>
> ;; Query time: 125 msec
> ;; SERVER: 207.34.147.93#53(207.34.147.93)
> ;; WHEN: Thu Feb  7 09:30:12 2013
> ;; MSG SIZE  rcvd: 56
>
> mail#
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

reverse resolution failing

2013-02-07 Thread Jim Pazarena


my named is 9.9.0

while it can resolve "webmail.acrodex.com" ( 139.142.184.10 )

it cannot reverse resolve 139.142.184.10

(example follows).
However, if I do a simply nslookup using goodle DNS.
nslookup 139.142.184.10 8.8.8.8
IT WORKS!

Can anyone suggest where I may be going wrong with this?
my "dig" response follows.
Many thanks!

Jim

mail# dig -x 139.142.184.10

; <<>> DiG 9.9.0 <<>> -x 139.142.184.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49017
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.184.142.139.in-addr.arpa.   IN  PTR

;; Query time: 125 msec
;; SERVER: 207.34.147.93#53(207.34.147.93)
;; WHEN: Thu Feb  7 09:30:12 2013
;; MSG SIZE  rcvd: 56

mail#
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse resolution failing

Re: reverse resolution failing

Re: IPv6 Only NS

Re: IPv6 Only NS

Re: reverse resolution failing

IPv6 Only NS

Re: reverse resolution failing

Re: reverse resolution failing

Re: reverse resolution failing

Re: reverse resolution failing

reverse resolution failing

11 matches

Site Navigation

Mail list logo

Footer information