DNS issues..


  Has anyone had any fun and exciting DNS issues pertaining to For example, try:


  If you want to see something really cool, do a WHOIS lookup on Our nameserver is getting inundated with danger messages and
I'm trying to figure out a workaround.

  Thanks in advance for your time.



  On our nameservers, we get the following message:

Oct 21 00:00:17 ns named[3203]: sysquery: nslookup reports danger (NS2.

  We get a huge volume of them and as a result, the load on our
nameservers has increased. So I'm trying to figure out if there is
anything I can do to get rid of the messages.


Neezam Haniff writes on 10/22/2003 1:42 AM:

Did you, like, try Google before wasting your time posting to NANOG? is the first hit I get when I search for "nslookup reports danger"

I did, and I tracked down the problem to be that our nameservers
are trying to resolve IP blocks assigned to those DNS servers. Since this
is a problem that I cannot solve myself, I'm wondering if there is
anything I can do to prevent our nameservers from resolving the ip block



  Several people have e-mailed me asking what happened and possible
solutions to the problem. In hopes that this may someday help other people
in trying to track down the problem, I will reiterate the problem and
possible solutions.

  Originally, I just wanted a means of overriding the data being
returned for NS1.CITYINTERNET.ORG and NS2.CITYINTERNET.ORG. The reason
was that our nameservers were getting inundated with the following

Oct 21 00:00:17 ns named[3203]: sysquery: nslookup reports danger (NS1.

  I'll also give you the research I did in determining what was
going on.

  Based on references I found in Google, it appeared that there may
have been a configuration issue on our nameserver. I went through our
nameservers to determine if we were primary or secondary for this domain,
which we are not. I also checked all the zones to see if CITYINTERNET.ORG
was referenced anywhere. This was also not the case.

  Please note that seeing this error in your logs does not
mean there is something wrong with your nameserver configuration. You
need to do some follow-up to determine the source of the problem.

  Going through the nameserver logs, I found the following entry:

Oct 21 00:04:08 ns named[3203]: ns_resp: query(
a) Bogus ( A RR (NS1.CITYINTERNET.ORG: learnt

  From this point, I activated debugging on the named process.
Processing the queries for the period that debugging was turned on, we
found that there were customers who were trying to resolve
Hence the reason our nameserver was making queries to
NS1.CITYINTERNET.ORG. Why anyone would be querying that IP block is a
totally different exercise.

  Now, if you try to resolve NS1.CITYINTERNET.ORG, this is what you
will see:

; <<>> DiG 9.2.2 <<>>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

; IN A



;; Query time: 77 msec
;; WHEN: Wed Oct 22 11:36:04 2003
;; MSG SIZE rcvd: 67

  The A record is invalid, and so is the NS record. I decided to go one
step further and determine what IP space CITYINTERNET.ORG was assigned.
Doing a WHOIS lookup revealed that they had

  At this point, I was trying to figure out if we would have to
override the zone. I figured you guys would deal with this stuff
constantly. :) I just wanted to know if there was a 'correct' answer.

  Someone followed up with me and pointed out there were zone
inconsistencies between and Several
other individuals followed up with suggestions as possible solutions to
this problem.

  The polite, correct solution is to contact someone at or and ask them to change or remove the

  The not-so-polite, not-very-correct solution is to override the
zone via your nameserver locally. It won't try to connect to or . when it tries to do lookups associated with that nameserver.
Be aware that doing this may cause earthquakes, floods, other natural
disasters, unnatural disasters and many other things.
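
The follow-up described in the last message (count the "danger" messages, then tie them to the "Bogus ... A RR" entries to find which remote nameserver is responsible) can be scripted. This is an added example, not part of the original thread; the sample lines are constructed, and the parts of each log message that the thread shows only in truncated form (everything after the opening parenthesis) are assumptions, with example.org and 192.0.2.x as placeholder values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines. Only the message prefixes come from the thread;
# the completed tails, names and addresses are assumed placeholders.
SAMPLE_LOG = """\
Oct 21 00:00:17 ns named[3203]: sysquery: nslookup reports danger (NS1.EXAMPLE.ORG)
Oct 21 00:00:17 ns named[3203]: sysquery: nslookup reports danger (NS2.EXAMPLE.ORG)
Oct 21 00:00:18 ns named[3203]: sysquery: nslookup reports danger (NS1.EXAMPLE.ORG)
Oct 21 00:04:08 ns named[3203]: ns_resp: query(1.2.0.192.in-addr.arpa) Bogus (0.0.0.0) A RR (NS1.EXAMPLE.ORG:0.0.0.0) learnt (A=192.0.2.53:NS=192.0.2.53)
Oct 21 00:04:09 ns sshd[411]: unrelated line
Oct 21 00:05:00 ns named[3203]: sysquery: nslookup reports danger (NS1.
"""

# Nameserver named in a "danger" message (tolerates a truncated line).
DANGER = re.compile(r"named\[\d+\]: sysquery: nslookup reports danger \(([^\s():]+)")
# Query that triggered the lookup, and the nameserver whose A record was rejected.
BOGUS = re.compile(r"named\[\d+\]: ns_resp: query\(([^)]*)\).*?\bA RR \(([^\s():]+):")

def norm(name):
    """Case-fold a DNS name and drop any trailing dot."""
    return name.rstrip(".").lower()

def summarize(lines):
    """Return (danger count per nameserver, triggering queries per bogus nameserver)."""
    danger = Counter()
    bogus = defaultdict(set)
    for line in lines:
        m = DANGER.search(line)
        if m:
            danger[norm(m.group(1))] += 1
            continue
        m = BOGUS.search(line)
        if m:
            bogus[norm(m.group(2))].add(norm(m.group(1)))
    return danger, dict(bogus)

def suspects(danger, bogus):
    """Nameservers that appear in both message types, noisiest first."""
    return sorted((n for n in danger if n in bogus), key=lambda n: -danger[n])

if __name__ == "__main__":
    danger, bogus = summarize(SAMPLE_LOG.splitlines())
    for name in suspects(danger, bogus):
        print(f"{name}: {danger[name]} danger messages, triggered by {sorted(bogus[name])}")
```

Names that show up only in the danger counter (such as the truncated last sample line) have no matching bogus-record entry and need the debugging step the message describes.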

