How not to set up your DNS (part 19)

June 26, 2009

It's been quite a while since the last installment, but today's is an interesting although simple case. Presented in the traditional illustrated format:

; sdig ns xing121.cn
dns1.dns-dns.com.cn.
dns2.dns-dns.com.cn.
; sdig a dns1.dns-dns.com.cn.
127.0.0.1
; sdig a dns2.dns-dns.com.cn.
127.0.0.1

As they say, 'I don't think so'. If you run a caching resolving nameserver that does not have 127.0.0.1 in its access ACLs, this sort of thing is a great way to have mysterious messages show up in your logs about:

client 127.0.0.1#21877: query (cache) 'www.xing121.cn/A/IN' denied

(Guess how I noticed this particular problem.)

Judging from our logs, there seem to be a number of Chinese domains that have this problem (with the same DNS servers), assuming that it is a problem and not something deliberate.

Less straightforward is this case:

; sdig ns edetsa.com.
ns1.hn.org.
tucuman.edetsa.com.
; sdig a ns1.hn.org.
127.0.0.1
; sdig a tucuman.edetsa.com.
200.45.171.226

One possible theory is that hn.org no longer wishes to be a DNS server for edetsa.com but can't get edetsa.com's cooperation, so they've just changed the A record for that name to something that makes people go away. (hn.org has real working DNS servers of its own.)

Written on 26 June 2009.
« An advantage for hardware RAID over software RAID
Possible limits on our port multiplied ESATA performance »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Jun 26 15:43:24 2009
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.