How not to set up your DNS (part 8)

January 15, 2006

This is one of those amusingly creative mistakes to see in action:

  • lists as nameservers and
  • both respond with errors if they are sent queries that allow recursion.
  • When sent queries marked non-recursive, both answer all DNS queries for the domain with no actual data, but with an 'additional authority' section that says they're the nameservers for the domain.

Nameservers normally answer a query for a domain they don't serve with a referral to a higher zone, such as 'com.' or '.', the root zone. That the nameservers are answering queries with referrals to themselves means that in some sense they believe they handle the domain; it's just that they don't actually have any data for it.

Returning explicit errors for recursive queries is also unusual nameserver behavior; normally, a nameserver that disallows recursion on queries effectively strips the 'recursion allowed' bit off before it processes things, so you get referrals to higher-level zones.

(Mind you, judging from their WHOIS information we may not be missing much by not being able to accept email from ''.)
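
As an added illustration (not part of the original entry), here is a small wire-format check that tells the behaviours described above apart: an error reply, a normal upward referral, and a referral in which a listed nameserver names itself for the zone while returning no data. The zone and server names, the SERVFAIL code and the sample messages are all constructed, and the code assumes one question per message.

```python
import struct

def encode_name(name):                            # uncompressed wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\0"

def read_name(msg, off):                          # -> (name, offset after it)
    labels, end = [], None
    for _ in range(128):                          # bound pointer chains
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode().lower())
            off += 1 + n
    raise ValueError("pointer loop or overlong name")

def classify(msg, zone, server):
    """Label one response from `server`, a listed nameserver for `zone`."""
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0xF:
        return "error rcode=%d" % (flags & 0xF)
    if an:
        return "answer"
    off = read_name(msg, 12)[1] + 4               # one question assumed
    refs = set()
    for _ in range(ns):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 2:                            # NS record
            refs.add((owner, read_name(msg, off + 10)[0]))
        off += 10 + rdlen
    if (zone, server) in refs:
        return "self-referral without data"
    if any(o == "." or zone.endswith("." + o) for o, _ in refs):
        return "upward referral"
    return "other"

def response(flags, qname, ns_records=()):        # builds constructed samples
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, target in ns_records:
        rd = encode_name(target)
        body += encode_name(owner) + struct.pack("!HHIH", 2, 1, 3600, len(rd)) + rd
    return struct.pack("!6H", 0x1234, flags, 1, 0, len(ns_records), 0) + body

ZONE, SERVER = "example.com.", "ns1.example.net."   # constructed names
RD_ERROR = response(0x8102, "www." + ZONE)          # RD set, constructed SERVFAIL
SELF = response(0x8000, "www." + ZONE, [(ZONE, SERVER)])
UPWARD = response(0x8000, "www." + ZONE, [("com.", "a.gtld-servers.net.")])
```

A server that produces "self-referral without data" for every name in a zone it is listed for is the misconfiguration this entry describes; "upward referral" is what a server that simply doesn't serve the zone would normally return.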


Last modified: Sun Jan 15 11:43:43 2006