[H-GEN] problems with accessing mail at bigpond

Greg Black gjb at gbch.net
Mon May 6 02:10:19 EDT 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

Robert Brockway wrote:

| On Mon, 6 May 2002, Greg Black wrote:
| 
| > | If I've delegated a domain recently, I might like to check how propagation
| > | is going on remote servers. Granted within 48 hours it should have all
| > | happened :)
| > 
| > Honestly, I don't see this as a legitimate case.  Although
| 
| It's still nice to see all is well :)

OK, I see what you're after.  But I still think this is the
wrong way to attack it.

If we want to see what the world will discover when looking up
something we've just added to our DNS, we can manually take the
various steps through to the point where our server provides its
answer.  Here's a worked example, using my preferred utility and
with extraneous data stripped.  Let's say I want to check what
people will get if they lookup the A record for www.gbch.net:

 1. Ask one of the root name servers:

    $ dnsq a www.gbch.net f.root-servers.net
    authority: net 172800 NS f.gtld-servers.net
    additional: f.gtld-servers.net 172800 A 192.35.51.30

    Obviously, we also got the other twelve gtld servers in
    similar lines.  The important thing is that we get a
    referral to the 13 gtld servers as being authoritative for
    the .net domain.

 2. Ask one of the gtld servers:

    $ dnsq a www.gbch.net f.gtld-servers.net
    authority: gbch.net 172800 NS a.ns.comkey.com.au
    authority: gbch.net 172800 NS a.ns.gbch.net
    additional: a.ns.gbch.net 172800 A 203.143.238.93

    Now we have a referral to the two gbch.net name servers and
    an address for the one that is in-bailiwick for the gtld
    name servers.

    At this point, we have verified that any resolver in the
    world will be coming to one of our name servers for the
    answer to this question.  So all we have to do is ask those
    two servers for the answer.  That's just too trivial, so
    I'll leave it as an exercise for the reader ...

| Unfortunately in at least one major case I am not in a position to fix it,
| but am stuck trying to deal with broken dns from the sidelines :(

I think I could make useful suggestions here, but would need to
know more.  Perhaps we should take this up at the meeting next
Saturday ...

| > My reasons are a desire to avoid waste of my bandwidth (as
| > previously mentioned), a desire to reduce my exposure to
| > possible exploits in name servers, and a desire to avoid being
| > sued if my name servers are implicated in a DoS attack of the
| > type mentioned in the reference Mark posted where name servers
| > can be used to amplify an attack.
| 
| I haven't read this yet but will be looking at the article with great
| interest.

I would rate it as required reading for any admin who deals with
DNS.  Just as the rest of the CERT and AusCERT archives of DNS
exploits should be required reading.

| It's been an interesting discussion.  I'll be reading the article Mark
| posted but you guys might just have convinced me :)

Only too glad to have been of help :-)

Greg

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
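As an added illustration (not code from Greg's post or from any dnsq tool), the referral-following procedure of steps 1 and 2 coded up in Python against a constructed table of the responses quoted above. It goes a little beyond the post: it only follows NS names that arrive with glue (the in-bailiwick point made in step 2) and gives up on a delegation loop. The final A record is an assumed placeholder, since the post leaves that last query to the reader.

```python
# Constructed referral table (not live data): server -> its response to
# "A www.gbch.net", modelled on the dnsq output quoted in the post.
# "authority" maps a zone to its NS names, "additional" carries glue
# addresses, and "answer" marks a final, authoritative answer.
RESPONSES = {
    "f.root-servers.net": {
        "authority": {"net": ["f.gtld-servers.net"]},
        "additional": {"f.gtld-servers.net": "192.35.51.30"},
    },
    "f.gtld-servers.net": {
        "authority": {"gbch.net": ["a.ns.comkey.com.au", "a.ns.gbch.net"]},
        "additional": {"a.ns.gbch.net": "203.143.238.93"},
    },
    # Placeholder (assumption): the post leaves this last query to the reader.
    "a.ns.gbch.net": {"answer": {"www.gbch.net": "192.0.2.10"}},
}


def follow_delegation(qname, table=RESPONSES, start="f.root-servers.net", max_hops=8):
    """Return (answer, chain); chain holds (server, zone, next_ns, glue) per hop.

    Start at a root server, follow each referral to a server listed for the
    closest enclosing zone, stop when a server answers instead of referring.
    Only NS names that arrive with glue are followed; an out-of-bailiwick
    NS without glue would need its own lookup first.
    """
    server, chain = start, []
    for _ in range(max_hops):
        resp = table.get(server)
        if resp is None:
            raise LookupError(f"no response recorded for {server}")
        if "answer" in resp:
            return resp["answer"].get(qname), chain
        zones = [z for z in resp["authority"] if qname == z or qname.endswith("." + z)]
        if not zones:
            raise LookupError(f"{server} referred us to a zone not covering {qname}")
        zone = max(zones, key=len)  # closest enclosing zone wins
        glue = resp.get("additional", {})
        glued = [ns for ns in resp["authority"][zone] if ns in glue]
        if not glued:
            raise LookupError(f"referral for {zone} from {server} carries no glue")
        chain.append((server, zone, glued[0], glue[glued[0]]))
        server = glued[0]
    raise LookupError("too many referrals (delegation loop?)")


def delegation_verified(qname, table=RESPONSES):
    """True when the chain ends in an answer from a server we were referred to."""
    try:
        return follow_delegation(qname, table)[0] is not None
    except LookupError:
        return False
```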
