After upgrading from bind 9.11 to 9.12, Windows (but not Linux) clients on the network started barfing "server not found" error messages for some sites. after a thorough investigation, the problem seems to be that bind 9.12 doesn't send additional data in DNS replies for out of zone cnames and Windows just doesn't do the recursion.
reply from 9.12:
; <<>> DiG 9.12.0 <<>> imap.asterix.cz #europa.podgorny.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23207
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d5fa7daebf3a1ffe1805060a5a9d352ffebb15250033a69e (good)
;; QUESTION SECTION:
;imap.asterix.cz. IN A
;; ANSWER SECTION:
imap.asterix.cz. 2463 IN CNAME admiral.podgorny.cz.
;; Query time: 2 msec
;; SERVER: 2002:2e24:2741:9900::1#53(2002:2e24:2741:9900::1)
;; WHEN: Mon Mar 05 13:16:47 CET 2018
;; MSG SIZE rcvd: 105
reply from 9.11:
; <<>> DiG 9.12.0 <<>> imap.asterix.cz #taurus.asterix.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50822
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 618a6ee9520f91081b7089bf5a9d356ab7eca595939a467c (good)
;; QUESTION SECTION:
;imap.asterix.cz. IN A
;; ANSWER SECTION:
imap.asterix.cz. 3600 IN CNAME admiral.podgorny.cz.
admiral.podgorny.cz. 3235 IN A 46.36.39.65
;; AUTHORITY SECTION:
podgorny.cz. 1256 IN NS ns3.podgorny.cz.
podgorny.cz. 1256 IN NS ns2.podgorny.cz.
podgorny.cz. 1256 IN NS ns1.podgorny.cz.
;; Query time: 52 msec
;; SERVER: 2002:2e24:2741:8800::1#53(2002:2e24:2741:8800::1)
;; WHEN: Mon Mar 05 13:17:46 CET 2018
;; MSG SIZE rcvd: 173
so, it seems like there's more questions to ask:
How do I make bind 9.12 return full replies? (it seems they removed the additional-from-cache and additional-from-auth configuration settings)
How do I make Windows resolver do the recursion?
What is the "correct" way of solving this? is it Windows' fault? or is bind's default setting bad? is there a rfc for this?
This is a bug in 9.12.0 that was fixed now 9.12.1.
https://kb.isc.org/article/AA-01598/0/BIND-9.12.1-Release-Notes.html
Related
I am running a bunch of services inside a AWS EKS cluster. Using below service as an example.
$ k get svc redis -n production
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
redis ClusterIP 10.100.215.197 <none> 6379/TCP 2y73d
When I use dig to find out the reverse dns record, it shows below:
root#server-684c765d78-6z4wv:/app# dig -x 10.100.215.197
; <<>> DiG 9.16.37-Debian <<>> -x 10.100.215.197
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15985
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 784136d1092b3acc (echoed)
;; QUESTION SECTION:
;197.215.100.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
197.215.100.10.in-addr.arpa. 5 IN PTR redis.production.svc.cluster.local.
;; Query time: 0 msec
;; SERVER: 10.100.0.10#53(10.100.0.10)
;; WHEN: Sun Feb 05 05:04:40 UTC 2023
;; MSG SIZE rcvd: 143
However, if I add a record type parameter any, it shows
root#server-684c765d78-6z4wv:/app# dig -x 10.100.215.197 any
; <<>> DiG 9.16.37-Debian <<>> -x 10.100.215.197 any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10130
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;197.215.100.10.in-addr.arpa. IN ANY
;; ANSWER SECTION:
197.215.100.10.in-addr.arpa. 30 IN PTR ip-10-100-215-197.us-east-2.compute.internal.
;; Query time: 4 msec
;; SERVER: 10.100.0.10#53(10.100.0.10)
;; WHEN: Sun Feb 05 05:04:42 UTC 2023
;; MSG SIZE rcvd: 141
My question is why it shows two different results redis.production.svc.cluster.local. and ip-10-100-215-197.us-east-2.compute.internal.? and what are their relation?
I was able to start an unbound server and now can succecifuly use the dig command but can't use any other command due to name resolution failing.
$ dig one.one.one.one
; <<>> DiG 9.16.1-Ubuntu <<>> one.one.one.one
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37768
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;one.one.one.one. IN A
;; ANSWER SECTION:
one.one.one.one. 286 IN A 1.1.1.1
one.one.one.one. 286 IN A 1.0.0.1
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 23 15:37:34 JST 2022
;; MSG SIZE rcvd: 76
$ ping one.one.one.one
ping: one.one.one.one: Temporary failure in name resolution
needed to add loopback address to /etc/resolv.conf
I'm trying to parse a DIG request and I'm not quite sure what all the sections mean. My guess is that 151.101.53.164 is the authoritative name server's IP.
User-Desktop:Desktop user$ dig www.nytimes.com
; <<>> DiG 9.8.3-P1 <<>> www.nytimes.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1148
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.nytimes.com. IN A
;; ANSWER SECTION:
www.nytimes.com. 63 IN CNAME nytimes.map.fastly.net.
nytimes.map.fastly.net. 24 IN A 151.101.53.164
;; AUTHORITY SECTION:
fastly.net. 2204 IN NS ns3.fastly.net.
fastly.net. 2204 IN NS ns1.fastly.net.
fastly.net. 2204 IN NS ns2.fastly.net.
fastly.net. 2204 IN NS ns4.fastly.net.
;; ADDITIONAL SECTION:
ns1.fastly.net. 2344 IN A 23.235.32.32
ns2.fastly.net. 2344 IN A 104.156.80.32
ns3.fastly.net. 171545 IN A 23.235.36.32
ns4.fastly.net. 2345 IN A 104.156.84.32
;; Query time: 48 msec
;; SERVER: 131.252.120.128#53(131.252.120.128)
;; WHEN: Tue May 9 12:41:15 2017
;; MSG SIZE rcvd: 221
Youtube and Netflix operate on Content Distributed Networks probably. I realized that Youtube operates on Google and Netflix on Amazon Web services. So, I can't exactly get the IPs on which they operate. Youtube is under AS Number 15169 i.e belongs to google and Netflix responds using several ASNs belonging to AWS like 15609 and 14168.
So, IP ASN lookups like
'curl https://api.hackertarget.com/aslookup/?q=AS15169'
will provide wrong answers I think as they list all IPs of google also.
dig youtube.com
provides
; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36383
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;youtube.com. IN A
;; ANSWER SECTION:
youtube.com. 300 IN A 172.217.161.142
;; Query time: 599 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue May 19 04:21:33 IST 2020
;; MSG SIZE rcvd: 56
which is same as the one obtained by pinging youtube but the address changes if we change our location using VPNs
dig netflix.com
provides
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13053
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;netflix.com. IN A
;; ANSWER SECTION:
netflix.com. 60 IN A 54.71.93.100
netflix.com. 60 IN A 54.149.160.164
netflix.com. 60 IN A 35.166.180.66
netflix.com. 60 IN A 35.165.194.49
netflix.com. 60 IN A 52.41.168.84
netflix.com. 60 IN A 34.208.21.204
netflix.com. 60 IN A 54.68.234.134
netflix.com. 60 IN A 52.34.38.200
;; Query time: 581 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue May 19 04:21:14 IST 2020
;; MSG SIZE rcvd: 168
It also changes with VPNs.
It will be great if I can obtain confirmed IPs used by Youtube and Netflix.
I have two mirrored forward DNS server(for simplifying, named f1, f2) which forward some domain request to my authoritative DNS server(also named a1, a2), I added some new domain to my authoritative DNS server, but when I nslookup the new domain from f1 or f2, I got Non-existent domain error like the following. If I nslookup from a1 or a2, it worked.
C:\Users\Liu.D.H>nslookup www.yqsbfiles.ynu.edu.cn
Server: ynu-public-dns-a.ynu.edu.cn
Address: 113.55.13.51
*** ynu-public-dns-a.ynu.edu.cn can't find www.yqsbfiles.ynu.edu.cn: Non-existent domain
C:\Users\Liu.D.H>
I also used dig to get more debug info.
C:\Users\Liu.D.H>dig www.yqsbfiles.ynu.edu.cn #113.55.13.52
; <<>> DiG 9.10.6 <<>> www.yqsbfiles.ynu.edu.cn #113.55.13.52
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28130
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yqsbfiles.ynu.edu.cn. IN A
;; AUTHORITY SECTION:
ynu.edu.cn. 9936 IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. 2016062301 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 113.55.13.52#53(113.55.13.52)
;; WHEN: Fri Jun 08 10:44:35 China Standard Time 2018
;; MSG SIZE rcvd: 101
C:\Users\Liu.D.H>
But the strange thing was that if I did rndc flush on one of f1 or f2, then I can request successfully.
C:\Users\Liu.D.H>dig www.yqsbfiles.ynu.edu.cn #113.55.13.51
; <<>> DiG 9.10.6 <<>> www.yqsbfiles.ynu.edu.cn #113.55.13.51
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4168
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yqsbfiles.ynu.edu.cn. IN A
;; ANSWER SECTION:
www.yqsbfiles.ynu.edu.cn. 86400 IN CNAME lb-http.ynu.edu.cn.
lb-http.ynu.edu.cn. 86393 IN A 202.203.208.41
;; AUTHORITY SECTION:
ynu.edu.cn. 86391 IN NS secdns.ynu.edu.cn.
ynu.edu.cn. 86391 IN NS pridns.ynu.edu.cn.
;; ADDITIONAL SECTION:
pridns.ynu.edu.cn. 86396 IN A 202.203.208.33
pridns.ynu.edu.cn. 86396 IN AAAA 2001:250:2800:2::33
secdns.ynu.edu.cn. 86391 IN A 202.203.208.34
secdns.ynu.edu.cn. 86391 IN AAAA 2001:250:2800:2::34
;; Query time: 2 msec
;; SERVER: 113.55.13.51#53(113.55.13.51)
;; WHEN: Fri Jun 08 10:43:02 China Standard Time 2018
;; MSG SIZE rcvd: 221
C:\Users\Liu.D.H>
I noticed that this two dig output had something different in AUTHORITY SECTION.
Any help would be appreciated. Thanks in advance.
You need to register the Authoritative Domain name server with the domain registrar for your new domain pointing to a1 and a2. After that it will work fine.