How not to set up your DNS (part 7)

January 12, 2006

Presented in point form, because the illustrated form is too verbose:

  • The subdomain bos.netsolhost.com has nameservers NS1.bos.netsolhost.com and NS2.bos.netsolhost.com.
  • According to the nameservers for netsolhost.com, these have IP addresses 205.178.146.11 and 205.178.146.12 respectively.
  • According to 205.178.146.11, these actually have IP addresses 10.49.34.11 and 10.49.34.12 respectively.
  • 205.178.146.12 doesn't respond.

The 10.*.*.* IP addresses are RFC 1918 private addresses, so no one outside netsolhost.com can get to them. The net effect is that the first query for something in bos.netsolhost.com returns useful information but everything after that fails: when 205.178.146.11 answers your first query it also feeds you the bad nameserver IP addresses, which replace the parent's glue in your nameserver's cache and so 'poison' it.
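An added example (mine, not from the post): a small Python model of the sequence above, using constructed data copied from the bullets. It shows why the first lookup works and the next one times out, and includes an audit function that flags the two defects a defender would check for (a child zone publishing private addresses for its nameservers, and glue that disagrees with the child). The cache-ranking behaviour is deliberately simplified to "the child's records replace the glue".

```python
import ipaddress

# Constructed data mirroring the post: what the parent (netsolhost.com)
# hands out as glue, versus what 205.178.146.11 puts in its additional section.
PARENT_GLUE = {
    "ns1.bos.netsolhost.com": "205.178.146.11",
    "ns2.bos.netsolhost.com": "205.178.146.12",
}
CHILD_ADDITIONAL = {
    "ns1.bos.netsolhost.com": "10.49.34.11",
    "ns2.bos.netsolhost.com": "10.49.34.12",
}
# Addresses that actually answer from outside: 205.178.146.12 is dead and
# 10/8 is unroutable, so exactly one address is usable.
RESPONDING = {"205.178.146.11"}

def is_private(addr):
    """True for RFC 1918 (and other non-global) addresses."""
    return ipaddress.ip_address(addr).is_private

def audit_glue(parent_glue, child_additional):
    """Return (nameserver, problem) findings for private or inconsistent NS addresses."""
    findings = []
    for ns, glue_ip in parent_glue.items():
        child_ip = child_additional.get(ns)
        if child_ip is None:
            findings.append((ns, "child zone returns no A record"))
            continue
        if is_private(child_ip):
            findings.append((ns, f"child zone publishes private address {child_ip}"))
        if child_ip != glue_ip:
            findings.append((ns, f"glue {glue_ip} disagrees with child {child_ip}"))
    return findings

class CachingResolver:
    """Toy resolver: starts from parent glue, lets the child's data replace it."""
    def __init__(self, glue):
        self.ns_addrs = dict(glue)

    def query(self, name):
        for addr in list(self.ns_addrs.values()):
            if addr in RESPONDING:
                # The answer's additional section overwrites the cached glue.
                self.ns_addrs.update(CHILD_ADDITIONAL)
                return f"answer for {name} from {addr}"
        return None  # every cached address is dead or unroutable: timeout

def reproduce_failure():
    """(first query succeeded, second query timed out) for the same name."""
    r = CachingResolver(PARENT_GLUE)
    first = r.query("vux16.bos.netsolhost.com")   # e.g. the A query
    second = r.query("vux16.bos.netsolhost.com")  # e.g. the MX query
    return first is not None, second is None
```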

I've seen all the elements of this one separately, but this is the first time I've seen glue record hell and leaking internal domains with internal-only IP addresses combined so creatively.

We noticed this because 205.178.145.65 (allegedly 'vux16.bos.netsolhost.com') kept trying to send us email with the MAIL FROM of '627834.640381@vux16.bos.netsolhost.com'. In the process of verifying incoming mail, we want to do A and MX queries; as the first query, the A query worked, but the MX query got timeouts. When I noticed the repeated '454 temporarily unresolvable address' replies for something that was at least partially resolvable (because we accepted it as a HELO name) I started digging.
