How not to set up your DNS (part 19)
It's been quite a while since the last installment, but today's is an interesting although simple case. Presented in the traditional illustrated format:
; sdig ns xing121.cn dns1.dns-dns.com.cn. dns2.dns-dns.com.cn. ; sdig a dns1.dns-dns.com.cn. 127.0.0.1 ; sdig a dns2.dns-dns.com.cn. 127.0.0.1
As they say, 'I don't think so'. If you run a caching resolving nameserver that does not have 127.0.0.1 in its access ACLs, this sort of thing is a great way to have mysterious messages show up in your logs about:
client 127.0.0.1#21877: query (cache) 'www.xing121.cn/A/IN' denied
(Guess how I noticed this particular problem.)
Judging from our logs, there seem to be a number of Chinese domains that have this problem (with the same DNS servers), assuming that it is a problem and not something deliberate.
Less straightforward is this case:
; sdig ns edetsa.com. ns1.hn.org. tucuman.edetsa.com. ; sdig a ns1.hn.org. 127.0.0.1 ; sdig a tucuman.edetsa.com. 200.45.171.226
One possible theory is that hn.org no longer wishes to be a DNS server for edetsa.com but can't get edetsa.com's cooperation, so they've just changed the A record for that name to something that makes people go away. (hn.org has real working DNS servers of its own.)
|
|