Hi list,

I have to admit that I am a bit baffled by this one. I can query against my bandwidth provider's name servers (Comcast) and get name resolution just fine for the hostname www.malware.com.br:

    dig @68.87.78.130 www.malware.com.br +short
    server10.hiperlinks.com.br.
    66.79.164.43

    dig @68.87.85.98 www.malware.com.br +short
    server10.hiperlinks.com.br.
    66.79.164.43

    dig @68.87.69.146 www.malware.com.br +short
    server10.hiperlinks.com.br.
    66.79.164.43

Full response for www.malware.com.br:

    www.malware.com.br.         85091   IN  CNAME   server10.hiperlinks.com.br.
    server10.hiperlinks.com.br. 84478   IN  A       66.79.164.43

I can resolve the CNAME from Comcast's name servers, as well:

    dig @68.87.69.146 server10.hiperlinks.com.br +short
    66.79.164.43

However, when I attempt to resolve it from my own name servers, I get:

    dig www.malware.com.br

    ; <<>> DiG 9.5.1-P1-RedHat-9.5.1-1.P1.fc10 <<>> www.malware.com.br
    ;; global options:  printcmd
    ;; connection timed out; no servers could be reached

A tshark packet capture sees this:

     1  3.362200  10.20.30.25    -> 192.228.79.201  DNS Standard query A www.malware.com.br
     2  3.405447  192.228.79.201 -> 10.20.30.25     DNS Standard query response
     3  3.406198  10.20.30.25    -> 200.160.0.10    DNS Standard query A www.malware.com.br
     4  3.639178  200.160.0.10   -> 10.20.30.25     DNS Standard query response
     5  3.639707  10.20.30.25    -> 207.210.65.98   DNS Standard query A www.malware.com.br
     6  4.440080  10.20.30.25    -> 207.210.106.74  DNS Standard query A www.malware.com.br
     7  5.240344  10.20.30.25    -> 207.210.65.98   DNS Standard query A www.malware.com.br
     8  6.040619  10.20.30.25    -> 207.210.106.74  DNS Standard query A www.malware.com.br
     9  6.840736  10.20.30.25    -> 207.210.65.98   DNS Standard query A www.malware.com.br
    10  7.815988  10.20.30.25    -> 161.53.3.7      DNS Standard query PTR 130.6.53.161.in-addr.arpa
    11  8.024571  161.53.3.7     -> 10.20.30.25     DNS Standard query response
    12  8.440845  10.20.30.25    -> 207.210.106.74  DNS Standard query A www.malware.com.br
    13 10.041156  10.20.30.25    -> 207.210.65.98   DNS Standard query A www.malware.com.br
    14 13.241255  10.20.30.25    -> 207.210.106.74  DNS Standard query A www.malware.com.br
    15 16.441690  10.20.30.25    -> 207.210.65.98   DNS Standard query A www.malware.com.br

I can't seem to get the "A" record back. However, I can ping the IP address associated with www.malware.com.br (and the CNAME):

    ping 66.79.164.43
    PING 66.79.164.43 (66.79.164.43) 56(84) bytes of data.
    64 bytes from 66.79.164.43: icmp_seq=1 ttl=52 time=35.2 ms
    64 bytes from 66.79.164.43: icmp_seq=2 ttl=52 time=35.1 ms
    64 bytes from 66.79.164.43: icmp_seq=3 ttl=52 time=35.6 ms

and http://66.79.164.43 to the web site works fine, as well.

So I decided to add this forwarder to my named.conf:

    zone "malware.com.br" IN {
        type forward;
        forward only;
        forwarders { 68.87.69.146; 68.87.85.98; 68.87.78.130; };
    };

Now tshark sees this:

     1  0.000000  10.20.30.25    -> 68.87.78.130    DNS Standard query A www.malware.com.br
     2  0.026561  68.87.78.130   -> 10.20.30.25     DNS Standard query response CNAME server10.hiperlinks.com.br A 66.79.164.43
     3  0.028011  10.20.30.25    -> 198.41.0.4      DNS Standard query A server10.hiperlinks.com.br
     4  0.063503  198.41.0.4     -> 10.20.30.25     DNS Standard query response
     5  0.064289  10.20.30.25    -> 200.219.154.10  DNS Standard query A server10.hiperlinks.com.br
     6  0.094948  200.219.154.10 -> 10.20.30.25     DNS Standard query response
     7  0.095515  10.20.30.25    -> 207.210.65.98   DNS Standard query A server10.hiperlinks.com.br
     8  0.895835  10.20.30.25    -> 207.210.106.74  DNS Standard query A server10.hiperlinks.com.br
     9  1.695917  10.20.30.25    -> 207.210.65.98   DNS Standard query A server10.hiperlinks.com.br
    10  2.496138  10.20.30.25    -> 207.210.106.74  DNS Standard query A server10.hiperlinks.com.br
    11  3.296429  10.20.30.25    -> 207.210.65.98   DNS Standard query A server10.hiperlinks.com.br
    12  4.896444  10.20.30.25    -> 207.210.106.74  DNS Standard query A server10.hiperlinks.com.br
    13  6.496551  10.20.30.25    -> 207.210.65.98   DNS Standard query A server10.hiperlinks.com.br
    14  9.696652  10.20.30.25    -> 207.210.106.74  DNS Standard query A server10.hiperlinks.com.br
    15 12.896772  10.20.30.25    -> 207.210.65.98   DNS Standard query A server10.hiperlinks.com.br
    16 19.296915  10.20.30.25    -> 207.210.106.74  DNS Standard query A server10.hiperlinks.com.br

Can't get the "A" record back from the CNAME (same IP as the hostname, so that doesn't surprise me). So I add this forwarder to my named.conf, as well:

    zone "hiperlinks.com.br" IN {
        type forward;
        forward only;
        forwarders { 68.87.69.146; 68.87.85.98; 68.87.78.130; };
    };

And now I can get full name resolution. Now tshark sees this:

     1  0.000000  10.20.30.25    -> 68.87.69.146    DNS Standard query A www.malware.com.br
     2  0.019721  68.87.69.146   -> 10.20.30.25     DNS Standard query response CNAME server10.hiperlinks.com.br A 66.79.164.43
     3  0.021319  10.20.30.25    -> 68.87.85.98     DNS Standard query A server10.hiperlinks.com.br
     4  0.060083  68.87.85.98    -> 10.20.30.25     DNS Standard query response A 66.79.164.43

Beautiful! Taking both of the forwards out and placing this one in named.conf works as well:

    zone "com.br" IN {
        type forward;
        forward only;
        forwarders { 68.87.69.146; 68.87.85.98; 68.87.78.130; };
    };

But I'm still wondering why I can't seem to get name resolution for www.malware.com.br myself? I run SpamAssassin, rsync, http, ftp, smtp, imap on this server as well, and this is the only hostname I have found that I cannot resolve myself. Why can my ISP, Comcast, resolve the host name but I can't?

Any explanation would be greatly appreciated, and any suggestion on how to resolve this without using forwarders would be nice too.

Thanks!

Bill

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
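The post's diagnosis (the recursive server walks the delegation fine until it hits two authoritative servers that never answer, while the forwarders answer at once) was done by reading the tshark summaries by eye. The script below is an added example, not part of the original post or of BIND, that does the same reading mechanically: it parses tshark's one-line DNS summaries, tallies queries and responses per server, flags servers that were queried but never replied, and shows the retransmission gaps to them. The two embedded captures are copied from the post (the unforwarded lookup and the final fully-forwarded one); the function names and the assumption that the resolver is the only host sending queries are mine.

```python
"""Summarize a tshark DNS summary capture: who answered, who did not."""
import re
from collections import defaultdict

# tshark one-line summary as printed in the post:
#   <frame> <time> <src> -> <dst> DNS Standard query [response] [<type> <name> | <answers>]
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
    r"\s+DNS\s+Standard query(?P<resp>\s+response)?(?P<rest>.*)$"
)

# Copied from the post: the poster's own BIND (10.20.30.25) recursing for
# www.malware.com.br without any forward zone configured.
CAPTURE_RECURSIVE = """\
1 3.362200 10.20.30.25 -> 192.228.79.201 DNS Standard query A www.malware.com.br
2 3.405447 192.228.79.201 -> 10.20.30.25 DNS Standard query response
3 3.406198 10.20.30.25 -> 200.160.0.10 DNS Standard query A www.malware.com.br
4 3.639178 200.160.0.10 -> 10.20.30.25 DNS Standard query response
5 3.639707 10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
6 4.440080 10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
7 5.240344 10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
8 6.040619 10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
9 6.840736 10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
10 7.815988 10.20.30.25 -> 161.53.3.7 DNS Standard query PTR 130.6.53.161.in-addr.arpa
11 8.024571 161.53.3.7 -> 10.20.30.25 DNS Standard query response
12 8.440845 10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
13 10.041156 10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
14 13.241255 10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
15 16.441690 10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
"""

# Copied from the post: the same lookup with both forward zones in place.
CAPTURE_FORWARDED = """\
1 0.000000 10.20.30.25 -> 68.87.69.146 DNS Standard query A www.malware.com.br
2 0.019721 68.87.69.146 -> 10.20.30.25 DNS Standard query response CNAME server10.hiperlinks.com.br A 66.79.164.43
3 0.021319 10.20.30.25 -> 68.87.85.98 DNS Standard query A server10.hiperlinks.com.br
4 0.060083 68.87.85.98 -> 10.20.30.25 DNS Standard query response A 66.79.164.43
"""


def parse(capture):
    """Yield one dict per tshark summary line; lines that do not match are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = float(rec["time"])
        rec["resp"] = rec["resp"] is not None
        rec["rest"] = rec["rest"].strip()
        yield rec


def summarize(capture):
    """Per-server tallies for one resolver's capture.

    Assumes (as in the post) that only the resolver sends queries, so the
    destination of every query is an upstream server and the source of every
    response is one.  Returns the per-server stats, the sorted list of servers
    that were queried but never answered, and the answer RRs tshark printed.
    """
    servers = defaultdict(lambda: {"queries": 0, "responses": 0, "names": set(), "sent": []})
    answers = []
    for rec in parse(capture):
        if rec["resp"]:
            s = servers[rec["src"]]
            s["responses"] += 1
            if rec["rest"]:  # tshark only prints RRs when the answer section is non-empty
                answers.append((rec["src"], rec["rest"]))
        else:
            s = servers[rec["dst"]]
            s["queries"] += 1
            s["sent"].append(rec["time"])
            parts = rec["rest"].split()
            if len(parts) >= 2:
                s["names"].add((parts[0], parts[1]))  # (qtype, qname)
    unanswered = sorted(ip for ip, s in servers.items() if s["queries"] and not s["responses"])
    return {"servers": dict(servers), "unanswered": unanswered, "answers": answers}


def retry_gaps(sent):
    """Seconds between successive retransmissions to one server, rounded to 0.1 s."""
    return [round(b - a, 1) for a, b in zip(sent, sent[1:])]


if __name__ == "__main__":
    for label, cap in (("recursive", CAPTURE_RECURSIVE), ("forwarded", CAPTURE_FORWARDED)):
        r = summarize(cap)
        print(f"== {label}: unanswered servers: {r['unanswered'] or 'none'}")
        for ip, s in sorted(r["servers"].items()):
            gaps = retry_gaps(s["sent"]) if not s["responses"] else []
            print(f"  {ip:15} q={s['queries']} r={s['responses']} {sorted(s['names'])} {gaps}")
        for src, rr in r["answers"]:
            print(f"  answer from {src}: {rr}")
```

Run as-is it reports that in the recursive capture the root and .br servers (192.228.79.201, 200.160.0.10) and the PTR server each answered their single query, while 207.210.65.98 and 207.210.106.74 absorbed nine A queries between them with no reply; the gaps to 207.210.65.98 come out as 1.6, 1.6, 3.2 and 6.4 seconds, which is the resolver's retry backoff alternating between the two servers. In the forwarded capture no server goes unanswered and the CNAME and A answers arrive from the forwarders within 60 ms. Feeding it a fresh `tshark -n 'udp port 53'` summary of your own resolver gives the same split without reading frame by frame.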