[Smaug] Forensics on SVLUG's DNS

Rick Moen rick at linuxmafia.com
Wed Nov 30 21:06:17 PST 2005


I wrote:

> If people have any interest, I can point out how badly other local 
> Linux groups' DNS / domain records are screwed up, in comparison.  ;->

Let's consider Silicon Valley Linux User Group, relevant to Smaug
because they kindly host our mailing list for us, at lists.svlug.org.
And let's go straight for the gold, and compare nameserver records at
.ORG (parent zone) versus those in the svlug.org domain's own zonefile:


  ~ $ dig -t ns svlug.org @tld6.ultradns.co.uk  #per parent zone's zonefile
  [...]
  ;; AUTHORITY SECTION:
  svlug.org.              86400   IN      NS      ns2.merlins.org.
  svlug.org.              86400   IN      NS      ns1.merlins.org.
  svlug.org.              86400   IN      NS      nimbus.thunder.net.
  svlug.org.              86400   IN      NS      cumulus.thunder.net.

  ;; ADDITIONAL SECTION:
  ns1.merlins.org.        86400   IN      A       209.81.13.136
  NS2.MERLINS.ORG.        172800  IN      A       204.80.101.251
  [...]

  ~ $ dig -t ns svlug.org @ns1.merlins.org      #per svlug.org's own zonefile
  [...]
  ;; ANSWER SECTION:
  svlug.org.              36      IN      NS      ns1.merlins.org.
  svlug.org.              36      IN      NS      ns2.merlins.org.
  svlug.org.              36      IN      NS      nimbus.thunder.net.
  svlug.org.              36      IN      NS      cumulus.thunder.net.

  ;; ADDITIONAL SECTION:
  ns1.merlins.org.        60      IN      A       209.81.13.136
  ns2.merlins.org.        60      IN      A       68.166.220.119
  nimbus.thunder.net.     3374    IN      A       209.142.3.6
  cumulus.thunder.net.    3374    IN      A       64.71.149.18
  [...]

Note:  "ns2.merlins.org" is 204.80.101.251 in one place, but
68.166.220.119 in the other.

And let's look up the missing glue ("A") records at one of .NET's
nameservers (k.gtld-servers.net) for "cumulus", and compare the "A"
records for that same host, in its domain's zonefile.

  ~ $ dig cumulus.thunder.net @k.gtld-servers.net  #cumulus per its parent zone
  [...]
  ;; ANSWER SECTION:
  cumulus.thunder.net.    172800  IN      A       64.71.149.18

  ~ $ dig cumulus.thunder.net @cumulus.thunder.net #cumulus per its own 1st NS
  [...]
  ;; ANSWER SECTION:
  cumulus.thunder.net.    131555  IN      A       64.71.149.18

  ~ $ dig cumulus.thunder.net @nimbus.thunder.net #cumulus per its own 2nd NS
  [...]
  ;; ANSWER SECTION:
  cumulus.thunder.net.    43200   IN      A       66.245.252.113



Analysis:  Right away, we have problems.

1.  Wrong IP addresses in the authoritative (top-level domain) records
for "ns2.merlins.org" and in "cumulus's" own local zonefile.  Therefore,
queries for svlug.org's NS records will _fail_ if they happen to go down
those paths.


  ~ $ dig svlug.org @66.245.252.113    #at cumulus (per cumulus)
  [...]
  ;; connection timed out; no servers could be reached

  ~ $ dig svlug.org @204.80.101.251   #at ns2.merlins.org (per .ORG nameserver)
  [...]
  ;; connection timed out; no servers could be reached



2.  Missing glue records.  Trying to add .NET nameservers' names
directly to a .ORG zonefile is very sub-optimal:  Even aside from the
wrong-IP problem, such NS queries to .ORG result in a second follow-up
"A" query having to be made to .NET's nameservers -- on account of the
lack of glue records at .ORG.

By contrast, creating NS and A records _within_ svlug.org (e.g.,
NS1.SVLUG.ORG and NS2.SVLUG.ORG) pointing to "nimbus's" and "cumulus's"
IPs averts that second lookup, since the data will be autofurnished
as glue when NS info gets sent.  Two lookups for the price of one.
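The parent-versus-child comparison in points 1 and 2, as an added Python example (not code from the original post): it runs the same delegation check over record sets constructed from the dig output quoted above, and also flags a nameserver whose own authoritative servers disagree about its address, as cumulus does. Function names are this example's own.

```python
"""Delegation consistency check for the svlug.org records quoted above.
Added example, not code from the original post; the record sets are
constructed from the post's dig output and the function names are my own."""
from typing import Dict, List, Set

def norm(name: str) -> str:
    """DNS names compare case-insensitively: fold case and require a trailing dot."""
    n = name.lower()
    return n if n.endswith(".") else n + "."

def check_delegation(parent_zone: str, parent_ns: Set[str], parent_glue: Dict[str, str],
                     child_ns: Set[str], child_a: Dict[str, str]) -> List[str]:
    """Compare the parent's NS/glue view of a delegation with the child's own zone data."""
    parent_zone = norm(parent_zone)
    p_ns, c_ns = {norm(n) for n in parent_ns}, {norm(n) for n in child_ns}
    p_glue = {norm(k): v for k, v in parent_glue.items()}
    c_a = {norm(k): v for k, v in child_a.items()}
    problems: List[str] = []
    for ns in sorted(p_ns ^ c_ns):  # NS sets should be identical on both sides
        problems.append(f"{ns}: NS listed only on the {'parent' if ns in p_ns else 'child'} side")
    for ns in sorted(p_ns & c_ns):
        glue, addr = p_glue.get(ns), c_a.get(ns)
        if glue is None:
            # A parent carries glue only for names under its own zone; any other name costs an extra lookup.
            why = "missing glue" if ns.endswith("." + parent_zone) else "out of parent's bailiwick, parent carries no glue"
            problems.append(f"{ns}: {why}, resolvers need a follow-up A query")
        elif addr is not None and glue != addr:
            problems.append(f"{ns}: parent glue {glue} != child A {addr}")
    return problems

def check_self_consistency(host: str, answers: Dict[str, str]) -> List[str]:
    """Flag a host whose own authoritative servers disagree about its A record."""
    if len(set(answers.values())) <= 1:
        return []
    return [f"{norm(host)}: {srv} says {ip}" for srv, ip in sorted(answers.items())]

# Constructed inputs transcribed from the dig output in the post (parent = .ORG).
PARENT_NS = {"ns2.merlins.org.", "ns1.merlins.org.", "nimbus.thunder.net.", "cumulus.thunder.net."}
PARENT_GLUE = {"ns1.merlins.org.": "209.81.13.136", "NS2.MERLINS.ORG.": "204.80.101.251"}
CHILD_NS = set(PARENT_NS)
CHILD_A = {"ns1.merlins.org.": "209.81.13.136", "ns2.merlins.org.": "68.166.220.119",
           "nimbus.thunder.net.": "209.142.3.6", "cumulus.thunder.net.": "64.71.149.18"}
# What each of cumulus's own nameservers answered for cumulus's A record.
CUMULUS_A = {"cumulus.thunder.net.": "64.71.149.18", "nimbus.thunder.net.": "66.245.252.113"}

if __name__ == "__main__":
    for line in (check_delegation("org", PARENT_NS, PARENT_GLUE, CHILD_NS, CHILD_A)
                 + check_self_consistency("cumulus.thunder.net", CUMULUS_A)):
        print(line)
```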

Here's a snippet for svlug.org's zonefile that would do that.  (One
would want to place it in the "@" section.)

                  IN      NS      ns1.svlug.org.
                  IN      NS      ns2.svlug.org.
  ; ns1 is aka nimbus.thunder.net
  ns1             IN      A       209.142.3.6
  ; ns2 is aka cumulus.thunder.net
  ns2             IN      A       64.71.149.18

As always, one would want to change the parent zone records (at the
domain registrar) to match.



3.  Last, the reverse DNS ("PTR" record) for SVLUG's sole MX (mail
exchanger) is slightly wrong -- though this isn't fatal:

  ~ $ dig -t mx svlug.org +short   #What's mail exchanger's name?
  10 svlug.org.
  ~ $ dig svlug.org +short         #And its address?
  216.218.255.178
  ~ $ dig -t ptr 178.255.218.216.in-addr.arpa +short  #And the IP's reverse?
  svlug.svlug.org.

RFC 1912 urges valid reverse DNS for all mail exchangers.  It doesn't
_require_ that reverse and forward names match, but it's a good idea,
and SVLUG could do this but doesn't.


In short, Smaug does DNS a _lot_ better, even using theoretically one
fewer nameserver.  Ours actually exist, are reachable, and give correct
results.  ;->

-- 
Cheers,             
Rick Moen                 "Anger makes dull men witty, but it keeps them poor."
rick at linuxmafia.com                                   -- Elizabeth Tudor