[dns-operations] Handling broken domains...

Peter Dambier peter at peter-dambier.de
Mon Jul 17 17:36:47 UTC 2006


I did it manually.

I learned the hard way, to slave whatever domain I can. There were
TLDs that somewhere CNAMEd and neither bind nor djbdns could resolve.
Interestingly enough, slaving the domain I could resolve its hosts.

Later said domain lost its nameservers. The SLDs still exist. I
turned my slave into a master and can still resolve them.

By the way - when you build your own database ( /etc/hosts :) and
can live from your own data mostly, then you no longer will be
found to be an open resolver  :)

Well, I don't know if I should tweak my DNS so very much if I had
public customers. But on the other hand it is a service you can
offer that the standard resolvers cannot.

I am looking for lame servers from time to time, and if they tend
to anger me then I do write my own zone file. Again, I don't know
if I should do that with open customers. On the other hand you
are giving a special treat to phishermen and friends. I guess we
might "patch" one and the same people.

I am running Bind 9.4.0.a6 and a patched dnscache + tinydns/axfrdns
side by side. tinydns is running as root server and again I do slave
all important zones. Interestingly enough, I sometimes see djbdns resolve
things bind cannot, because tinydns still has them in the database.

I would like to know how your resolver is working. I am always
curious :)

I am running mine as journalist and archaeologist. I have to find
things that are either censored or forgotten - sometimes both of
them.

Cheers
Peter and Karin


David Ulevitch wrote:
> We periodically see really improperly configured domains that users  
> expect (rightly so) to resolve.
> 
> Case in point: wholesalehunter.com
> 
> 1) GTLD roots point to NS servers with authority.
> 2) Querying NS servers provides the answer section AND a new  
> authority section with a long-living NS set that does not exist.
> 3) We replace the GTLD authority section with the more specific from  
> the authoritative nameservers
> 4) TTL for the A record dies out and then the long-lived NS record to  
> a nameserver which doesn't exist stays alive meaning we can't find an  
> A record for it until we try the GTLD roots again.
> 
> How is this handled elsewhere in other resolver implementations?
> 
> I'm trying to decide how to best fix it.
> 
> -david
> 
> 
> 
> root:~# dig @g.gtld-servers.net wholesalehunter.com
> 
> ; <<>> DiG 9.2.4 <<>> @g.gtld-servers.net wholesalehunter.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1592
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;wholesalehunter.com.           IN      A
> 
> ;; AUTHORITY SECTION:
> wholesalehunter.com.    172800  IN      NS      ns.chanuteks.com.
> wholesalehunter.com.    172800  IN      NS      ns.nautilus.net.
> 
> ;; ADDITIONAL SECTION:
> ns.chanuteks.com.       172800  IN      A       66.140.160.1
> ns.nautilus.net.        172800  IN      A       69.150.96.3
> 
> ;; Query time: 32 msec
> ;; SERVER: 192.42.93.30#53(g.gtld-servers.net)
> ;; WHEN: Mon Jul 17 16:06:11 2006
> ;; MSG SIZE  rcvd: 125
> 
> root:~# dig @ns.chanuteks.com. wholesalehunter.com
> 
> ; <<>> DiG 9.2.4 <<>> @ns.chanuteks.com. wholesalehunter.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57880
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;wholesalehunter.com.           IN      A
> 
> ;; ANSWER SECTION:
> wholesalehunter.com.    604800  IN      A       12.147.60.129
> 
> ;; AUTHORITY SECTION:
> wholesalehunter.com.    604800  IN      NS      ns.wholesalehunter.com.
> 
> ;; Query time: 55 msec
> ;; SERVER: 66.140.160.1#53(ns.chanuteks.com.)
> ;; WHEN: Mon Jul 17 16:06:27 2006
> ;; MSG SIZE  rcvd: 70
> 
> root:~# dig @ns.wholesalehunter.com. wholesalehunter.com
> 
> ; <<>> DiG 9.2.4 <<>> @ns.wholesalehunter.com. wholesalehunter.com
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations


-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
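To make the sequence David describes concrete, here is a toy iterative resolver with a TTL-aware cache. It is an added example written for this page, not code from either poster or from BIND, djbdns or any other resolver. The server names and addresses are taken from the quoted dig output; the TTLs are constructed (the A record is shortened to 3600 s while the child's NS set keeps 604800 s) and the network is simulated, so that "A expires, the child's NS set is still cached, its only nameserver is unreachable" happens in a single run. The second resolver adds one mitigation: when every server in the cached NS set times out, drop that set, refetch the delegation from the parent and retry.

```python
"""Toy iterative resolver reproducing the stuck-NS-set failure mode.

Added example; not code from any real resolver.  Names and addresses come
from the quoted dig output; TTLs and server behaviour are constructed.
"""
from dataclasses import dataclass, field

ZONE = "wholesalehunter.com."
PARENT = "g.gtld-servers.net."


@dataclass
class Response:
    answer: dict                               # rrtype -> (rdata, ttl)
    authority_ns: list                         # NS names in the authority section
    ns_ttl: int
    glue: dict = field(default_factory=dict)   # nameserver -> address


# Constructed network.  The gTLD server delegates to ns.chanuteks.com; that
# server answers authoritatively, but its authority section names
# ns.wholesalehunter.com, which does not exist (queries to it time out).
def gtld_server(qname):
    return Response({}, ["ns.chanuteks.com."], 172800,
                    {"ns.chanuteks.com.": "66.140.160.1"})


def chanuteks_server(qname):
    return Response({"A": ("12.147.60.129", 3600)},      # A TTL shortened on purpose
                    ["ns.wholesalehunter.com."], 604800)


NETWORK = {PARENT: gtld_server, "ns.chanuteks.com.": chanuteks_server}


class Resolver:
    def __init__(self, network, fallback_to_parent):
        self.net = network
        self.fallback_to_parent = fallback_to_parent
        self.cache = {}      # (name, rrtype) -> (rdata, expiry)
        self.queries = []    # (server, qname) log, for inspection

    def _get(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > now else None

    def _send(self, server, qname):
        self.queries.append((server, qname))
        handler = self.net.get(server)
        return handler(qname) if handler else None   # None means timeout

    def _learn(self, resp, now):
        for rrtype, (rdata, ttl) in resp.answer.items():
            self.cache[(ZONE, rrtype)] = (rdata, now + ttl)
        # An NS set in an authoritative answer's authority section ranks above
        # the parent's delegation data (RFC 2181 section 5.4.1), so it replaces
        # what the gTLD server said: step 3 of the quoted message.
        self.cache[(ZONE, "NS")] = (list(resp.authority_ns), now + resp.ns_ttl)
        for name, addr in resp.glue.items():
            self.cache[(name, "A")] = (addr, now + resp.ns_ttl)

    def _ask_parent(self, now):
        resp = self._send(PARENT, ZONE)
        self._learn(resp, now)
        return list(resp.authority_ns)

    def _ask_servers(self, ns_set, now):
        for ns in ns_set:
            resp = self._send(ns, ZONE)
            if resp is None:
                continue                    # unreachable, try the next one
            self._learn(resp, now)
            if "A" in resp.answer:
                return resp.answer["A"][0]
        return None                         # every server failed: SERVFAIL

    def resolve_a(self, now):
        """A record for ZONE at simulated time `now`, or None for SERVFAIL."""
        cached = self._get((ZONE, "A"), now)
        if cached:
            return cached
        ns_set = self._get((ZONE, "NS"), now) or self._ask_parent(now)
        answer = self._ask_servers(ns_set, now)
        if answer is None and self.fallback_to_parent:
            # Mitigation: every server in the cached NS set failed, so stop
            # trusting that set, refetch the delegation from the parent, retry.
            self.cache.pop((ZONE, "NS"), None)
            answer = self._ask_servers(self._ask_parent(now), now)
        return answer


def run_scenario(fallback_to_parent):
    """Resolve at t=0 (cold), t=3601 (A expired, NS set alive), t=604801 (all expired)."""
    r = Resolver(NETWORK, fallback_to_parent)
    return [r.resolve_a(t) for t in (0, 3601, 604801)], r.queries


if __name__ == "__main__":
    for mode in (False, True):
        results, queries = run_scenario(mode)
        print(f"fallback_to_parent={mode}: {results} ({len(queries)} queries)")
```

Without the fallback, the second lookup at t=3601 goes only to ns.wholesalehunter.com, times out and fails, and the resolver stays in that state until the 604800 s NS set expires; that is exactly "we can't find an A record for it until we try the GTLD roots again". With the fallback it recovers, but note that each recovery re-learns the broken NS set from the child's authority section, so every A-record expiry costs an extra round trip to the parent. A resolver that wanted to avoid that would have to stop ranking the child's NS set above the parent's when its targets cannot be resolved, which is the design choice David is asking about.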