nxdomain rfc2308 type 2, but authority is incorrect

www.kissimmee.org

Windows 2008 dns cannot resolve it.

BIND can.

Windows appears to believe the rfc2308 type 2 response, even though recursing the CNAME results in a different authority, ns, and A response, which I am assuming is why BIND returns the answer.

I must be missing a switch somewhere. Any pointers would be appreciated.

Hi Joe,

Does Windows 2008 like anything in the "hosting" TLD?

I notice that the nameresolve.com servers returning the CNAME to
kissimmee-fl.vts.hosting are also returning an SOA record for
"hosting" in the authority section which looks very strange to me.
Perhaps Windows is rejecting it as an invalid, possibly dangerous
response packet?

Regards,
Bill Herrin

BTW, here's what I'm talking about:

dig a www.kissimmee.org +trace +all

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> a www.kissimmee.org +trace +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2759
;; flags: qr aa ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN A 198.41.0.4
a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 3600000 IN A 192.228.79.201
b.root-servers.net. 3600000 IN AAAA 2001:500:84::b
c.root-servers.net. 3600000 IN A 192.33.4.12
c.root-servers.net. 3600000 IN AAAA 2001:500:2::c
d.root-servers.net. 3600000 IN A 199.7.91.13
d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
e.root-servers.net. 3600000 IN A 192.203.230.10
f.root-servers.net. 3600000 IN A 192.5.5.241
f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
g.root-servers.net. 3600000 IN A 192.112.36.4
h.root-servers.net. 3600000 IN A 198.97.190.53

;; Query time: 12 msec
;; SERVER: 192.168.99.1#53(192.168.99.1)
;; WHEN: Wed Aug 10 14:54:00 2016
;; MSG SIZE rcvd: 496

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53554
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12

;; QUESTION SECTION:
;www.kissimmee.org. IN A

;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1

;; Query time: 217 msec
;; SERVER: 192.58.128.30#53(192.58.128.30)
;; WHEN: Wed Aug 10 14:54:02 2016
;; MSG SIZE rcvd: 437

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27382
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kissimmee.org. IN A

;; AUTHORITY SECTION:
kissimmee.org. 86400 IN NS ns4.nameresolve.com.
kissimmee.org. 86400 IN NS ns3.nameresolve.com.
kissimmee.org. 86400 IN NS ns1.nameresolve.com.
kissimmee.org. 86400 IN NS ns2.nameresolve.com.

;; Query time: 105 msec
;; SERVER: 199.19.53.1#53(199.19.53.1)
;; WHEN: Wed Aug 10 14:54:03 2016
;; MSG SIZE rcvd: 122

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14318
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kissimmee.org. IN A

;; ANSWER SECTION:
www.kissimmee.org. 3600 IN CNAME kissimmee-fl.vts.hosting.

;; AUTHORITY SECTION:
hosting. 3600 IN SOA ns2.nshosts.com. info.webstrikesolutions.com.hosting. 1089178331 900 3600 604800 3600

;; Query time: 19 msec
;; SERVER: 66.96.142.146#53(66.96.142.146)
;; WHEN: Wed Aug 10 14:54:03 2016
;; MSG SIZE rcvd: 152

William Herrin wrote:

www.kissimmee.org

Windows 2008 dns cannot resolve it.

BIND can.

Hi Joe,

Does Windows 2008 like anything in the "hosting" TLD?

I notice that the nameresolve.com servers returning the CNAME to
kissimmee-fl.vts.hosting are also returning an SOA record for
"hosting" in the authority section which looks very strange to me.
Perhaps Windows is rejecting it as an invalid, possibly dangerous
response packet?

Regards,
Bill Herrin

I think that provided SOA record is a "local" or "alternate" version and its existence is why the nxdomain response is being sent to the windows dns server that accepts it at face value (but does not appear to store it in cache, so this is not precisely cache poisoning)

Here is another example, unrelated to the new TLD's

www.lomita.com

Joe

Oh! I missed that. ns*.nameresolve.com, the authoritative name servers
for kissimmee.org, are saying NXDOMAIN for www.kissimmee.org. Any idea
what DNS server nameresolve.com uses? Because that's... wow.

-Bill


Nameresolve.com's servers are returning answers that can be seen
as a cache poisoning attempt. They are NOT authoritative for
".hosting" but have been configured as if they are. This is a big
NO NO. You don't configure yourself as authoritative for a zone
that has not been delegated to you and in particular you don't
configure yourself as authoritative for "." or a TLD.

Windows 2008 is quite correct in rejecting this answer. Named would
as well except for the number of DNS hosters that do this sort of
garbage. Named just sees the CNAME and stops processing the message
after that.

Mark
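The bailiwick rule Mark describes, as an added example that is not code from the thread, from BIND or from Windows DNS. It rebuilds the nameresolve.com reply in wire format using the record values from the dig output (the message ID is constructed), parses it, and then applies the two behaviours discussed: a strict resolver that discards any reply carrying a record outside the zone it asked (the thread's reading of Windows 2008), and a lenient one that drops the foreign "hosting." SOA, keeps the in-zone CNAME and chases it, ignoring the NXDOMAIN because the SOA that would vouch for the target is not this server's to give (Mark's description of named). The parser, `in_bailiwick`, `scrub` and `interpret` are illustrative helpers written for this example.

```python
# Added example, not code from the thread, BIND or Windows: rebuild the reply
# ns1.nameresolve.com gave for www.kissimmee.org on the wire, parse it, and
# apply a bailiwick check so an SOA for "hosting." cannot prove anything about
# the CNAME target. RR values are from the dig output; the message ID is made up.
import struct

TYPE = {"A": 1, "CNAME": 5, "SOA": 6}
NXDOMAIN = 3  # RCODE 3, "Name Error"

def encode_name(name):
    """Wire-encode a dotted name (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers; return (name, next_off)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:  # two-byte pointer to an earlier name in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [l for l in tail.split(".") if l]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata

def soa_rdata(mname, rname, *timers):
    """SOA RDATA: MNAME, RNAME, then serial/refresh/retry/expire/minimum."""
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", *timers)

def build_message(qname, rcode, answers, authority, ident=0x8E35):
    flags = 0x8000 | 0x0400 | rcode  # QR=1, AA=1, recursion flags clear
    header = struct.pack("!HHHHHH", ident, flags, 1, len(answers), len(authority), 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE["A"], 1) + b"".join(answers + authority)

def parse_message(msg):
    """Return rcode, qname and each section as a list of (owner, type, ttl, rdata)."""
    _, flags, _, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # QTYPE, QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE["CNAME"]:
                rdata = decode_name(msg, off)[0]
            elif rtype == TYPE["SOA"]:
                mname, o = decode_name(msg, off)
                rname, o = decode_name(msg, o)
                rdata = (mname, rname) + struct.unpack("!IIIII", msg[o:o + 20])
            else:
                rdata = msg[off:off + rdlen]
            off += rdlen
            sections[sec].append((owner, rtype, ttl, rdata))
    return {"rcode": flags & 0xF, "qname": qname, **sections}

def in_bailiwick(name, zone):
    """True if name is at or below zone (case-insensitive; the root zone covers everything)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return not zone or name == zone or name.endswith("." + zone)

def scrub(resp, zone):
    """Split records into those the queried zone may speak for and those it may not."""
    kept, rejected = [], []
    for sec in ("answer", "authority", "additional"):
        for rec in resp[sec]:
            (kept if in_bailiwick(rec[0], zone) else rejected).append((sec, rec))
    return kept, rejected

def interpret(resp, zone, strict=False):
    """strict=True: any out-of-bailiwick record discards the whole reply.
    strict=False: drop foreign records; a surviving CNAME for the query name is
    chased and the NXDOMAIN ignored, since the SOA for the target's zone did not
    come from a server we trust for that zone."""
    kept, rejected = scrub(resp, zone)
    if strict and rejected:
        return ("reject", rejected[0][1][0])
    qname = resp["qname"].lower()
    for sec, (owner, rtype, _, rdata) in kept:
        if sec == "answer" and rtype == TYPE["CNAME"] and owner.lower() == qname:
            return ("chase", rdata)
    if resp["rcode"] == NXDOMAIN:
        for sec, (owner, rtype, _, _) in kept:
            if sec == "authority" and rtype == TYPE["SOA"]:
                return ("nxdomain", owner)  # in-zone SOA: a believable, cacheable negative answer
    return ("noanswer", None)

# The nameresolve.com reply as seen in dig, rebuilt on the wire.
KISSIMMEE_REPLY = build_message(
    "www.kissimmee.org.", NXDOMAIN,
    [rr("www.kissimmee.org.", "CNAME", 3600, encode_name("kissimmee-fl.vts.hosting."))],
    [rr("hosting.", "SOA", 3600, soa_rdata("ns2.nshosts.com.", "info.webstrikesolutions.com.hosting.",
                                           1089178331, 900, 3600, 604800, 3600))],
)
```

With `interpret(parse_message(KISSIMMEE_REPLY), "kissimmee.org.")` the lenient path returns `("chase", "kissimmee-fl.vts.hosting.")` and the strict path returns `("reject", "hosting.")`; a negative answer whose SOA is for kissimmee.org itself is accepted by both. The security point is that without the bailiwick check a recursive server would let any zone's authoritative servers assert negative (or positive) data for a TLD they were never delegated, which is exactly the poisoning shape Mark objects to.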

Mark Andrews wrote:

Nameresolve.com's servers are returning answers that can be seen
as a cache poisoning attempt. They are NOT authoritative for
".hosting" but have been configured as if they are. This is a big
NO NO. You don't configure yourself as authoritative for a zone
that has not been delegated to you and in particular you don't
configure yourself as authoritative for "." or a TLD.

Windows 2008 is quite correct in rejecting this answer. Named would
as well except for the number of DNS hosters that do this sort of
garbage. Named just sees the CNAME and stops processing the message
after that.

Mark

Thanks for the replies Mark and Bill.

I think it's fair to say that most DNS servers have at one time or another hosted a zone they were not authoritative for according to the DNS tree, as simple as a customer leaving without notice, cruft, split view incorrectly configured, etc.

In any event, Windows is accepting the negative answer, BIND is rejecting it and going forward with resolving the CNAME, successfully.

Joe


Having the odd leaf zone left over doesn't usually cause operational
problems. You have to be very unlucky to be delegated a zone that
has a CNAME that points into the left over leaf zone.

In this case there is a fake TLD zone. This isn't a left over zone.
This is a DNS hoster not understanding the DNS and the implications
of their operational decisions.

People forget nameservers return negative existence answers and
that they need to be as valid as the positive existence answers.

RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so
section 2.1 doesn't apply, and the response includes answers, so section
2.2 doesn't apply.

Tony.

Er, me too, headdesk. NXDOMAIN with an answer?!

$ fpdns ns2.yourhostingaccount.com.
fingerprint (ns2.yourhostingaccount.com., 65.254.254.155): Unlogic Eagle DNS 1.0 -- 1.0.1 [New Rules]

Tony.

Tony Finch wrote:

www.kissimmee.org

Windows appears to believe the rfc2308 type 2 response,

RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so
section 2.1 doesn't apply, and the response includes answers, so section
2.2 doesn't apply.

Tony.

We must be reading different things.

            NXDOMAIN RESPONSE: TYPE 2.

            Header:
                RDCODE=NXDOMAIN
            Query:
                AN.EXAMPLE. A

            Answer:
                AN.EXAMPLE. CNAME TRIPPLE.XX.
            Authority:
                XX. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
            Additional:
                <empty>

c:\Documents and Settings\joe.JOE.000>c:\programs\bind\bin\dig.exe www.kissimmee.org @ns1.nameresolve.com

; <<>> DiG 9.10a2 <<>> www.kissimmee.org @ns1.nameresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36437
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;www.kissimmee.org. IN A

;; ANSWER SECTION:
www.kissimmee.org. 3600 IN CNAME kissimmee-fl.vts.hosting.

;; AUTHORITY SECTION:
hosting. 3600 IN SOA ns2.nshosts.com. info.webstrikesolutions.com.hosting. 1089178331 900 3600 604800 3600

;; Query time: 62 msec
;; SERVER: 66.96.142.146#53(66.96.142.146)
;; WHEN: Thu Aug 11 08:36:59 Eastern Daylight Time 2016
;; MSG SIZE rcvd: 163