Strange CNAME chasing...


Nicholas Weaver

Dec 16, 2009, 4:42:09 PM
to public-dns-discuss
One of Netalyzr's DNS policy tests is CNAME behavior... A bit of
background on the setup...

Roland.icir.org is authority for .netalyzr.icsi.berkeley.edu
and .netalyzr.icir.org.

return_false.{anything}. returns 192.150.186.14 in all cases.

cname_external.{nonce}.{node}.netalyzr.icsi.berkeley.edu returns:

;; QUESTION SECTION:
;cname_external.atb.n1.netalyzr.icsi.berkeley.edu. IN A

;; ANSWER SECTION:
cname_external.atb.n1.netalyzr.icsi.berkeley.edu. 10 IN CNAME return_false.atb.netalyzr.icir.org.
return_false.atb.netalyzr.icir.org. 10 IN A 67.202.37.63

;; AUTHORITY SECTION:
atb.n1.netalyzr.icsi.berkeley.edu. 100 IN NS roland.icir.org.

;; ADDITIONAL SECTION:
roland.icir.org. 100 IN A 192.150.187.31

Thus poisoning return_false. Thus we can tell whether the resolver
accepted the cname or not, and also whether it cached it or not....

The strange thing is, the Google DNS server will sometimes accept the
CNAME chain and return it, and sometimes not... E.g.:

[gala:~] nweaver% dig +short cname_external.aaa.n1.netalyzr.icsi.berkeley.edu @8.8.4.4
return_false.AAa.netalyzr.icir.org.
192.150.186.14
[gala:~] nweaver% dig +short cname_external.aab.n1.netalyzr.icsi.berkeley.edu @8.8.4.4
return_false.Aab.netalyzr.icir.org.
67.202.37.63
[gala:~] nweaver%



Is the server somehow remembering that roland.icir.org is also the
authority for .netalyzr.icir.org and using that in its logic to accept
the CNAME?

Alex Nizhner

Dec 18, 2009, 12:08:21 PM
to public-dn...@googlegroups.com

Yep, bingo.

Alex
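
The behaviour confirmed in this thread, as an added example that is not part of either post and is not Google Public DNS code: a simplified model of a resolver deciding whether to keep the A record that follows a CNAME in the same packet. The acceptance policy, the function names and the `known_authorities` map are assumptions; the records come from the dig output above. When the chain is rejected, the resolver looks the target up itself and gets the 192.150.186.14 that return_false always returns.

```python
# Added illustration: simplified resolver-side CNAME-chain acceptance.
# The policy and every name below are assumptions, not a real resolver's code.

def norm(name):
    """DNS names compare case-insensitively; drop the trailing dot."""
    return name.rstrip(".").lower()

def in_zone(name, zone):
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def accept_chain(qname, answers, queried_zone, server, known_authorities):
    """Walk the CNAME chain inside one response.
    answers: (owner, rtype, rdata) tuples from the ANSWER section.
    known_authorities: {zone: nameserver names} the resolver already learned.
    Returns (addresses accepted from this packet, name to re-resolve or None).
    """
    current, seen = norm(qname), set()
    while current not in seen:
        seen.add(current)
        # Trust a name if it is in the zone we asked about, or if the
        # answering server is already known to be authoritative for it.
        trusted = in_zone(current, queried_zone) or any(
            in_zone(current, zone) and norm(server) in {norm(s) for s in servers}
            for zone, servers in known_authorities.items())
        if not trusted:
            return [], current          # out of bailiwick: discard, ask again
        rrs = [(t, d) for o, t, d in answers if norm(o) == current]
        addrs = [d for t, d in rrs if t == "A"]
        if addrs:
            return addrs, None
        cnames = [d for t, d in rrs if t == "CNAME"]
        if not cnames:
            return [], current
        current = norm(cnames[0])
    return [], None                      # CNAME loop

# Records taken from the dig output in the first post.
QNAME = "cname_external.atb.n1.netalyzr.icsi.berkeley.edu."
ZONE = "atb.n1.netalyzr.icsi.berkeley.edu."   # owner of the NS record
RESPONSE = [
    (QNAME, "CNAME", "return_false.atb.netalyzr.icir.org."),
    ("return_false.atb.netalyzr.icir.org.", "A", "67.202.37.63"),
]

def cold_cache():
    return accept_chain(QNAME, RESPONSE, ZONE, "roland.icir.org.", {})

def warm_cache():
    known = {"netalyzr.icir.org.": {"roland.icir.org."}}
    return accept_chain(QNAME, RESPONSE, ZONE, "roland.icir.org.", known)
```

With no prior knowledge the model discards the in-packet A record and re-resolves the target; once roland.icir.org is known as an authority for netalyzr.icir.org it keeps 67.202.37.63, matching the two dig results in the question.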
 