Is my BIND Server's Cache Poisoned?

> No. These are just misconfigured zones.
>
> hangzhou.gov.cn only has glue records for the nameservers.
> zpepc.com.cn has CNAMEs for the nameservers.
>
> Both of these misconfigurations are visible to nameservers
> that are IPv6 aware. Nameservers that are not IPv6 aware
> are not likely to make the queries that make these
> misconfigurations visible.

Why would these DNS misconfigurations be visible only to IPv6-aware servers?

  Because IPv6 aware nameservers make AAAA queries for the
  IPv6 addresses of the nameservers and as a result see the
  NXDOMAIN / CNAME. The IPv4 only nameservers don't make
  these queries, as a matter of practice, and only see the
  problems if some client of the nameserver makes a query
  for some records with the same name as that of the nameservers.

  Mark

Hi,

thanks for the help.

  Because IPv6 aware nameservers make AAAA queries for the
  IPv6 addresses of the nameservers and as a result see the
  NXDOMAIN / CNAME. The IPv4 only nameservers don't make
  these queries, as a matter of practice, and only see the
  problems if some client of the nameserver makes a query
  for some records with the same name as that of the nameservers.

I've run the BIND9 cache server with the -4 option. Is there
any way to make BIND9 fault tolerant?

Joe

It is pretty tolerant of its own faults. But in this case it is simply
following the DNS spec. You could say it is not tolerant of other
people's faults, but neither should you be, in cases like this!
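
The following is an added example, not part of the thread and not BIND code: a small offline model of why only an IPv6-aware resolver trips over the two misconfigurations described above. The zone names, addresses and the function names `authoritative_answer` and `audit_delegation` are constructed for illustration, and the model assumes an IPv4-only resolver is satisfied by the parent's glue A records and sends no further queries for the nameserver names.

```python
# Constructed data: what each child zone's own authoritative servers hold.
ZONE_DATA = {
    # Case 1: nameserver address exists only as glue in the parent zone.
    "glueonly.example.": {
        "glueonly.example.": {"NS": ["ns1.glueonly.example."]},
        "www.glueonly.example.": {"A": ["192.0.2.10"]},
    },
    # Case 2: the nameserver name is a CNAME.
    "cnamens.example.": {
        "cnamens.example.": {"NS": ["ns1.cnamens.example."]},
        "ns1.cnamens.example.": {"CNAME": ["host.cnamens.example."]},
        "host.cnamens.example.": {"A": ["192.0.2.20"]},
    },
    # Control: nameserver name has a real A record in the child zone.
    "healthy.example.": {
        "healthy.example.": {"NS": ["ns1.healthy.example."]},
        "ns1.healthy.example.": {"A": ["192.0.2.30"]},
    },
}

def authoritative_answer(zone, name, qtype):
    """Classify the child zone's answer for (name, qtype)."""
    node = ZONE_DATA[zone].get(name)
    if node is None:
        return "NXDOMAIN"          # the name does not exist in the child zone
    if "CNAME" in node and qtype != "CNAME":
        return "CNAME"             # answer is an alias, not an address
    return "NOERROR" if qtype in node else "NODATA"

def audit_delegation(zone, ipv6_aware):
    """Return (nameserver, qtype, result) for each problem the resolver sees."""
    findings = []
    for ns in ZONE_DATA[zone][zone]["NS"]:
        # Assumption: the IPv4-only resolver uses glue and asks nothing more;
        # the IPv6-aware one also asks the child zone for the AAAA record.
        for qtype in (["AAAA"] if ipv6_aware else []):
            result = authoritative_answer(zone, ns, qtype)
            if result in ("NXDOMAIN", "CNAME"):
                findings.append((ns, qtype, result))
    return findings

if __name__ == "__main__":
    for zone in ZONE_DATA:
        for aware in (False, True):
            print(zone, "ipv6_aware=%s" % aware, audit_delegation(zone, aware))
```

A healthy zone returns NODATA for the AAAA query (the name exists but has no IPv6 address), which is why it produces no finding.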