[dns-operations] sophosxl.net problem?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Nov 11 19:11:31 UTC 2019
On Mon, Nov 11, 2019 at 11:37:26AM -0500, Joe Abley wrote:
> https://www.dns-oarc.net/oarc/services/odvr
>
> jabley at anchovy ~ % dig @184.105.193.73 version.bind ch txt +short
> "9.12.1"
>
> jabley at anchovy ~ % dig @184.105.193.73 hopcount.ca mx +short +rec
> 1 aspmx.l.google.com.
> 5 alt1.aspmx.l.google.com.
> 5 alt2.aspmx.l.google.com.
> 10 alt3.aspmx.l.google.com.
> 10 alt4.aspmx.l.google.com.
> jabley at anchovy ~ % dig @184.105.193.73 hopcount.ca mx +short +norec
> 1 aspmx.l.google.com.
> 5 alt1.aspmx.l.google.com.
> 5 alt2.aspmx.l.google.com.
> 10 alt3.aspmx.l.google.com.
> 10 alt4.aspmx.l.google.com.
> jabley at anchovy ~ %
I can confirm the "leak": a second non-recursive query returns
cached data after an intermediate recursive query.
1. RD=0, response is a referral
$ hsdig -R -t mx -n 184.105.193.73 духовный.org
org. IN NS a0.org.afilias-nst.info.
org. IN NS a2.org.afilias-nst.info.
org. IN NS b0.org.afilias-nst.org.
org. IN NS b2.org.afilias-nst.org.
org. IN NS c0.org.afilias-nst.info.
org. IN NS d0.org.afilias-nst.org.
2. RD=1
$ hsdig -t mx -n 184.105.193.73 духовный.org
xn--b1adqpd3ao5c.org. IN MX 0 smtp.dukhovni.org. ; NoError AD=1
3. RD=0 again, but now a cached answer and zone-apex NS RRs
$ hsdig -R -t mx -n 184.105.193.73 духовный.org
xn--b1adqpd3ao5c.org. IN MX 0 smtp.dukhovni.org. ; NoError AD=1
xn--b1adqpd3ao5c.org. IN NS nsa.dukhovni.org. ; AD=1
xn--b1adqpd3ao5c.org. IN NS nsb.imrryr.org. ; AD=1
[ In case you're wondering, hsdig[1] is a tool I wrote for my own
use, it is a light-weight CLI for the Haskell DNS library. ]
--
Viktor.
[1] Unlike "dig", "hsdig" can perform queries for multiple domains
concurrently, so its primary use-case is bulk queries. But, I also
find the "-z" option convenient for querying glue. Its SOA mrname
is more friendly, with "@" instead of a dot after the first label,
in which any literal dots are then not escaped:
$ hsdig -t soa army.mil
army.mil. IN SOA ns01.army.mil. usarmy.huachuca.netcom.mesg.epdns-global at mail.mil. ...
$ hsdig --help
hsdig - parallel DNS client
Usage: hsdig [-t|--type RRTYPE] [-z|--zone ZONE]
[-N | (-n|--nameserver ADDRESS)] [-p|--prefix PREFIX]
[-T|--timeout T] [-r|--tries N] [-m|--threads N] [-C|--cd]
[-R|--rd] [-u|--udpsize BYTES] [-D|--dnssec] [DOMAIN...]
Available options:
-h,--help Show this help text
-t,--type RRTYPE The query RRTYPE, as a supported name or a
number (default: A)
-z,--zone ZONE Query authoritative nameservers of ZONE
-N Use nameservers listed in /etc/resolv.conf
-n,--nameserver ADDRESS Use nameserver at ADDRESS (default: "127.0.0.1")
-p,--prefix PREFIX Optionally prepend 'PREFIX.' to each domain
-T,--timeout T Set DNS request timeout to T ms (default: 3000ms)
-r,--tries N Make at most N DNS requests per lookup (default: 6)
-m,--threads N Set thread count to N (default: 50)
-C,--cd Request unvalidated data
-R,--rd Issue a non-recursive query
-u,--udpsize BYTES Set EDNS UDP buffer size to BYTES (default: 8192)
-D,--dnssec Request DNSSEC records
DOMAIN... DOMAINs to scan, read from stdin by default
The default EDNS buffer size is 8192 bytes because the default
resolver is 127.0.0.1. With "-z", the buffer size defaults to
1232 bytes.
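For resolver operators who want to check their own servers for the behaviour shown above without dig or hsdig, here is an added example (not part of the thread, not hsdig, and not Viktor's or Joe's code). It is a standard-library Python script that builds DNS wire-format queries, parses the answer and authority sections of the responses, and classifies an RD=0 response as a "referral" (delegation NS records only) or an "answer" (served from cache). The three constructed responses in `constructed_exchange()` reproduce the referral / RD=1 answer / cached answer sequence from the post so the logic can be exercised offline; the `query()` helper, the fixed message ID in the constructed messages, and the 300 s TTLs are assumptions of this example.

```python
import random
import socket
import struct

# Standard DNS constants used below
TYPE_NS, TYPE_MX = 2, 15
CLASS_IN = 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | data[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_message(qname, qtype, flags, answers=(), authority=(), msg_id=0x1234):
    """Build a DNS message; answers/authority are (owner, type, target name) tuples."""
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for owner, rtype, target in list(answers) + list(authority):
        rdata = encode_name(target)
        if rtype == TYPE_MX:
            rdata = struct.pack("!H", 0) + rdata  # preference 0, as in the post
        body += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return hdr + body


def parse_message(data):
    """Return header flags plus (owner, type) of each answer and authority RR."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4  # skip qtype and qclass
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            rrs.append((owner, rtype))
        sections.append(rrs)
    return {"rd": bool(flags & FLAG_RD), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0xF, "answer": sections[0], "authority": sections[1]}


def classify(msg):
    """'answer' if the response carries answer RRs, 'referral' if it is NS-only, else 'other'."""
    if msg["rcode"] != 0:
        return "other"
    if msg["answer"]:
        return "answer"
    if msg["authority"] and all(t == TYPE_NS for _, t in msg["authority"]):
        return "referral"
    return "other"


def cache_leak(rd0_before, rd0_after):
    """True when an RD=0 query that got a referral is answered from cache after an RD=1 lookup."""
    return classify(rd0_before) == "referral" and classify(rd0_after) == "answer"


def query(server, qname, qtype, rd, timeout=3.0):
    """Send one UDP query to a resolver you operate and parse the reply (assumed helper)."""
    msg = build_message(qname, qtype, FLAG_RD if rd else 0, msg_id=random.getrandbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_message(data)


QNAME = "xn--b1adqpd3ao5c.org."  # punycode form of the name queried in the post
ORG_NS = [("org.", TYPE_NS, n) for n in ("a0.org.afilias-nst.info.", "a2.org.afilias-nst.info.",
          "b0.org.afilias-nst.org.", "b2.org.afilias-nst.org.",
          "c0.org.afilias-nst.info.", "d0.org.afilias-nst.org.")]


def constructed_exchange():
    """Constructed responses mirroring steps 1-3 of the post: referral, RD=1 answer, cached answer."""
    mx = [(QNAME, TYPE_MX, "smtp.dukhovni.org.")]
    apex_ns = [(QNAME, TYPE_NS, "nsa.dukhovni.org."), (QNAME, TYPE_NS, "nsb.imrryr.org.")]
    step1 = build_message(QNAME, TYPE_MX, FLAG_QR | FLAG_RA, authority=ORG_NS)
    step2 = build_message(QNAME, TYPE_MX, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, answers=mx)
    step3 = build_message(QNAME, TYPE_MX, FLAG_QR | FLAG_RA | FLAG_AD, answers=mx, authority=apex_ns)
    return [parse_message(m) for m in (step1, step2, step3)]
```

Against a live resolver, call `query(server, name, TYPE_MX, rd=False)`, then `rd=True`, then `rd=False` again, and feed the first and third results to `cache_leak()`; a resolver that hides its cache from non-recursive clients answers with a referral (or REFUSED) both times.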