[Smaug] Access to scruz.org was DNS problem.

Rick Moen rick at linuxmafia.com
Wed May 18 16:49:29 PDT 2011


I wrote:

> I've created /etc/cron.weekly/smaug based on the prototype I created 
> earlier.  Output is a bit peculiar and hard to read:  The dig command
> tries the nameservers a couple of times each.

Well, not exactly.  It's rather that the error output, when a nameserver
gives a fail result, is getting badly parsed by awk attempting to pluck 
out field #3, which is ordinarily the S/N field.

Let's look at specifics on each of the four failing nameservers.



1.  Eric Cain's ns2.scruz.org, AKA ns1.phosphor.net, which we had as IP
address 207.7.137.130:

 $ dig -t soa scruz.org. @NS2.SCRUZ.ORG
 ;; connection timed out; no servers could be reached
 $ 

Adding the '+short' flag, you still get the same output.

Did Eric move his nameserver to a new IP, and just _fail to tell us_?

 $ host NS1.PHOSPHOR.NET.
 NS1.PHOSPHOR.NET has address 38.102.132.186
 $

Yes.  Son of a bitch.  That's what happened.  We set up 'ns2.scruz.org'
pointing to his then-IP of 207.7.137.130, and added that to the roster
of authoritative nameservers for scruz.org.  Later, he moved his
nameserver to new IP address 38.102.132.186 _and didn't tell us_.

Is the new IP still willing to serve scruz.org's DNS?

  $ dig -t soa scruz.org. @NS1.PHOSPHOR.NET.
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 31411
  ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; WARNING: recursion requested but not available

No.  Notice the 'status: REFUSED', which is typically what you get when
a sysadmin totally forgets about his commitment to do secondary DNS for a
domain and fails to preserve the configuration to do so.  Essentially,
Eric's nameserver is saying 'Why are you asking me about that domain?  I
don't do that domain.  Go away.'


2.  David A. Gatwood's ns3.scruz.org, AKA ns.infiniteloopfilms.com,
which we had as IP 68.165.1.187:

Is the nameserver still reachable at that IP, and is it still willing to
serve scruz.org DNS?

 $ dig -t soa scruz.org. @NS3.SCRUZ.ORG.
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 32801
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 ;; WARNING: recursion requested but not available
 $

Yes, and no, respectively:  Secondary nameservice for us shut off
without bothering to tell us.

Adding the '+short' flag causes...

 $ dig -t soa scruz.org. @NS3.SCRUZ.ORG. +short
 $

...null output.  That's why there's no line in the report for David's
nameserver, which is a design flaw in my script.  Eventually, I'll
figure out how to work around that, because it'd be nice if the 
report had a 'Hey, this one is unexpectedly refusing the query' instead
of relying on the reader to notice a line being missing.


3.  Paul Hall's ns4.scruz.org, IP 74.95.202.57:

We've heard briefly from Paul.  It sounds like he's on the road (writing
from his smartphone).  Maybe more later.  

 $ dig -t soa scruz.org. @NS4.SCRUZ.ORG.       
 ;; connection timed out; no servers could be reached
 $

Same story as with Eric, except I have no obvious way of determining
what new IP he might have moved his nameserver to.  Or it's possible
he shut down his nameserver at IP 74.95.202.57, and stopped doing
nameservice _entirely_.  Anyway, there's no more nameserver at that IP.


4.  Max Baker's ns5.scruz.org, AKA ns.portalpotty.net, which we had as
IP address 64.34.174.102:

 $  dig -t soa scruz.org. @NS5.SCRUZ.ORG.
 ;; connection timed out; no servers could be reached
 $

No nameserver at the IP he told us to use, 64.34.174.102.  We pointed
ns5.scruz.org to IP 64.34.174.102, and made that authoritative.  Did he
move ns.portalpotty.net to a different IP and neglect to tell us?

 $ host ns.portalpotty.net
 ns.portalpotty.net is an alias for portalpotty.net.
 portalpotty.net has address 209.237.247.49
 portalpotty.net mail is handled by 0 portalpotty.net.
 $

Yes.   Is the new IP still willing to serve scruz.org nameservice?

 $ dig -t soa scruz.org. @ns.portalpotty.net.
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1432
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 ;; WARNING: recursion requested but not available
 $

No.  


I've added 209.237.247.49 (Max Baker's new IP) and 38.102.132.186 (Eric
Cain's new IP) to the master nameserver's allow-transfer ACL for this
domain, and restarted my nameserver to implement the change.  But I
still get 'REFUSED' for both, so Eric and Max will need to re-enable.

I've just heard from Max in private mail.  Will advise.


Anyway:  
(1) If you're doing secondary nameservice and move your nameserver to a
new IP, inform the primary.

(2) If you decide to suddenly stop doing secondary nameservice, inform
the primary.

Summary:
Eric Cain's ns2.scruz.org, AKA ns1.phosphor.net: new IP, disabled svc.
David A. Gatwood's ns3.scruz.org, AKA ns.infiniteloopfilms.com: disabled svc.
Paul Hall's ns4.scruz.org, IP 74.95.202.57: shut down, new IP unknown
Max Baker's ns5.scruz.org, AKA ns.portalpotty.net: new IP, disabled svc.

All without heads-up.
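The weekly script described above pipes '+short' dig output into awk field #3, so a REFUSED answer or a timeout leaves no line at all. As an added example (not the /etc/cron.weekly/smaug script from this post), the POSIX sh below parses the full dig output instead and prints an explicit state per nameserver; the sample outputs, the serial 2011051800 and the master.example.net names are constructed, not captured from scruz.org's servers.

```shell
#!/bin/sh
# Added example, not the /etc/cron.weekly/smaug script from the post: parse the
# full (non-+short) dig output for an SOA query and emit one explicit word per
# nameserver, so a timeout or a REFUSED answer becomes a report line of its own
# instead of a silently missing one.
#
# classify_soa reads dig output on stdin and prints:
#   OK <serial>       answered with the aa flag and an SOA record
#   NONAUTH <serial>  answered, but not authoritatively (recursive lookup)
#   TIMEOUT           no server could be reached at that name or IP
#   <STATUS>          any rcode other than NOERROR, e.g. REFUSED or SERVFAIL
#   NOANSWER          NOERROR but no SOA record in the answer section
#   UNPARSED          no status line at all (empty or unexpected output)
classify_soa() {
  out=$(cat)
  case "$out" in
    *"no servers could be reached"*) echo TIMEOUT; return ;;
  esac
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  [ -n "$status" ] || { echo UNPARSED; return; }
  [ "$status" = NOERROR ] || { echo "$status"; return; }
  # Answer-section SOA line: owner ttl IN SOA mname rname serial refresh retry expire minimum
  serial=$(printf '%s\n' "$out" | awk '$3 == "IN" && $4 == "SOA" { print $7; exit }')
  [ -n "$serial" ] || { echo NOANSWER; return; }
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
  case " $flags " in
    *" aa "*) echo "OK $serial" ;;
    *)        echo "NONAUTH $serial" ;;
  esac
}

# check_ns ZONE SERVER prints "SERVER: RESULT"; +time/+tries keep one dead server
# from stalling the weekly run.  Loop it over every listed NS for the zone.
check_ns() {
  printf '%s: ' "$2"
  dig +time=3 +tries=1 -t soa "$1" "@$2" | classify_soa
}

# Constructed sample outputs (not captured from the post's servers) for offline use.
REFUSED_SAMPLE=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 31411
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
TIMEOUT_SAMPLE=';; connection timed out; no servers could be reached'
OK_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
scruz.org.  3600  IN  SOA  master.example.net. hostmaster.example.net. 2011051800 3600 900 604800 3600'

classify_sample() { printf '%s\n' "$1" | classify_soa; }   # e.g. classify_sample "$OK_SAMPLE"
```

A cron wrapper would run check_ns once per listed nameserver and mail the lines; any line that is not "OK <expected serial>" is the one to chase.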



