Wandering Thoughts archives

2011-09-06

How not to set up your DNS (part 21)

This one is creative, and best presented in point form.

  • the nameservers for co. are ns1.cctld.co through ns6.cctld.co.
  • if you query them for the NS records of hotmail.co, all of them point you to NS1.MSFT.NET., NS2.MSFT.NET., and NS5.MSFT.NET.

    (They do this slightly oddly, with the aa bit unset, but nameservers for other important zones also do this so I assume that it's the modern style.)

  • if you ask any of these MSFT.NET nameservers for the A record for www.hotmail.co or hotmail.co, you get answers (with the aa bit set, as you'd expect from an authoritative nameserver).

  • if you ask any of these MSFT.NET nameservers for MX, NS, or SOA records for hotmail.co, you get an interesting reply:

    flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; AUTHORITY SECTION:
    . 3600 IN SOA ns1.msft.net. msnhst.microsoft.com. 2009082101 900 600 86400 3600

    ;; ADDITIONAL SECTION:
    ns1.msft.net. 3600 IN A 65.55.37.62

    (For bonus weirdness, whether or not you get the A record for ns1.msft.net depends on what query you're making; MX and NS queries do not, but SOA queries do.)

We've seen grandiose claims of authority before, and it doesn't work any better this time than it did before. Specifically, if you do MX lookups on hotmail.co, your DNS server will almost certainly give you a 'cannot resolve this right now' temporary failure result. This is kind of important because hotmail.co is one omitted letter away from hotmail.com and thus runs into my small wish for parked domains.

I guess I'm going to have to add another entry to our list of typo'd email domains that should have their email bounce explicitly.

(That hotmail.co has a working A record doesn't help; if an MX record lookup returns a temporary failure, a mailer must retry the MX lookup instead of falling back to the A record. It can only fall back to the A record if there is a definite 'no MX record' answer. Not that falling back to the A records would help in this case, as hotmail.co's IP addresses currently block SMTP connection attempts.)
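A simplified model of the two decisions described above, as an added example (not code from the original post): how a resolver treats a negative answer whose SOA owner lies outside the delegated zone, and what a mailer then does with the MX result. The function names, the status strings, and the NOERROR rcode for the quoted reply are assumptions; the sample replies are constructed.

```python
def labels(name):
    """Split a domain name into lowercase labels; the root '.' becomes []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_at_or_below(name, zone):
    """True if name equals zone or is a subdomain of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def classify_mx_reply(qname, delegated_zone, rcode, mx_answers, soa_owner):
    """Result a resolver hands back for an MX query sent to the servers
    that the parent zone delegated delegated_zone to (simplified model)."""
    if rcode == "NOERROR" and mx_answers:
        return "MX"
    if rcode in ("NOERROR", "NXDOMAIN") and soa_owner is not None:
        # A negative answer is only credible if the SOA in the authority
        # section is for a zone inside the delegation and at or above qname.
        inside = is_at_or_below(soa_owner, delegated_zone)
        covers = is_at_or_below(qname, soa_owner)
        if inside and covers:
            return "NXDOMAIN" if rcode == "NXDOMAIN" else "NODATA"
    # Anything else (including an SOA for '.') is unusable: temporary failure.
    return "SERVFAIL"

def mailer_action(mx_status, has_a_record):
    """What a mailer may do with the MX lookup result."""
    if mx_status == "MX":
        return "deliver-to-mx"
    if mx_status == "NODATA":          # definite 'no MX record' answer
        return "deliver-to-a" if has_a_record else "bounce"
    if mx_status == "NXDOMAIN":
        return "bounce"
    return "defer-and-retry"           # must not fall back to the A record

if __name__ == "__main__":
    # Constructed replies: the first mirrors the SOA owner '.' quoted above,
    # the second is what a correctly configured server would send.
    for soa in (".", "hotmail.co."):
        status = classify_mx_reply("hotmail.co", "hotmail.co", "NOERROR", [], soa)
        print(f"SOA owner {soa!r}: {status} -> {mailer_action(status, True)}")
```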

(It's been a while since the last installment.)

sysadmin/HowNotToDoDNSXXI written at 17:06:45

