Re: major DNS hiccup
- From: Mike Scott <usenet.10@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 17 Jul 2006 15:35:19 GMT
Thanks for the diagnosis. I've put some notes on the missing bits (only missing because the trace seemed too long anyway) from the binary dump file.
Per Hedeland wrote:
> In article <8WJug.7561$i32.3378@xxxxxxxxxxxxxxxxxxxx> Mike Scott
> <usenet.10@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> writes:
>> OK, I've come back to this at last. Hoping it might have gone away as suddenly as it arrived; but no such luck :-(
>> I ran 'dig' to look up the address of one of the always-failing names. 'dig' output plus ethereal diagnosis follow. named running as caching nameserver on localhost.
>
> "Interesting" stuff - IMHO it's quite clear that your ISP is messing
> things up with some sort of "transparent" filter/proxy/cache/firewall -
> it might be specifically b0rken where EDNS0 is concerned, while their
> "normal" name servers can deal with that one way or another (as they
> should) - but it's not really conclusive that this is the trigger.
> Unfortunately your ethereal output was missing some parts, notably
> details of the "additional records", but they can be guessed...

The 'additional record' in the query (sorry, should have been included) was specifying the EDNS0 option, also had a DNSSEC bit set.

....

> But here comes the real brokenness - the reply to this query is
> non-authoritative, has no error but no answers either, but has authority
> records:
>
>> No. Time Source Destination Protocol Info
>> 6 11:32:48.355006 194.74.151.194 86.22.67.158 DNS Standard query response
>> Flags: 0x8080 (Standard query response, No error)
>> Questions: 1
>> Answer RRs: 0
>> Authority RRs: 2
>
> The authority records weren't shown, but a fair guess is that they were
> the two "proper" NS records, one of which is for the very server
> purportedly sending this response. This is the signature of a "lame
> delegation", and named would normally log that (but it can be turned off
> IIRC).

They named the two 'yell' nameservers, redgate and redgate2.yellowpages.co.uk, as you surmise.
Odd about the logging - I currently only get minimal logging, using the default logging configuration.

....

> Anyway, for me this clearly proves that your ISP is at fault - whether

I'm not sure whether that's good news or bad :-)

> it is proof enough for them I have no idea. They could e.g. claim that
> your named sends some broken stuff while mine doesn't - but then there
> was the other poster here that had success with the exact same setup
> that failed with your ISP when he switched to another ISP.

Out of curiosity, I tried traceroute -p 53 to one of the root nameservers. The hypothesis was that if ntl have put some sort of transparent cache into place, this /ought/ not to reach the root server - maybe! In fact, it did eventually, but only after some very long delays; I'm not sure a one-off proves much anyway - perhaps some further thought along those lines might give an indicator (eg craft a traceroute-like thing that sends a genuine dns query, and sees where it reaches. Maybe I could hack the traceroute sources).
Thanks for the patch. I'm not sure it'll help though - I'm almost sure the other nameserver I tried from the ports (the name /still/ escapes me, and the PC is turned off right now) explicitly does not support EDNS - and that returns the same symptoms as BIND does. But I'll give it another look.
One 'evil' thought might be to contact the operators of the failing domains and tell them (some) ntl users can't get through and why.....
--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
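
Added example, not part of the original posts: a small Python decoder for the DNS header fields discussed in this thread, showing the EDNS0 OPT record with the DNSSEC OK bit that the query carried and the "no error, no answers, authority records only, not authoritative" pattern in the reply. The function names, the query name `www.example.co.uk` and the message ID are assumptions; the sample response header is constructed from the flag value and counts in the quoted ethereal output, with the additional-record count assumed to be 0.

```python
import struct

def build_query(name, qid=0x1234, edns=True, do_bit=True):
    """Build an A query; optionally append an EDNS0 OPT record with the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    ttl = 0x00008000 if do_bit else 0                      # ext-rcode, version, DO flag
    # OPT pseudo-record: root name, TYPE=41, CLASS=UDP payload size, TTL, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ttl, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
        "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
        "ra": flags >> 7 & 1, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def looks_like_lame_referral(h):
    """Response, NOERROR, not authoritative, no answers, authority records present.
    From a server that is supposed to be authoritative for the name, this is the
    pattern described in the thread as the signature of a lame delegation."""
    return (h["qr"] == 1 and h["rcode"] == 0 and h["aa"] == 0
            and h["ancount"] == 0 and h["nscount"] > 0)

# Constructed header: flags 0x8080, 1 question, 0 answers, 2 authority records.
# ID and additional count (0) are made up; the trace in the post did not show them.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 2, 0)

if __name__ == "__main__":
    h = parse_header(SAMPLE_RESPONSE)
    print("AA:", h["aa"], "RA:", h["ra"], "rcode:", h["rcode"])
    print("lame-referral pattern:", looks_like_lame_referral(h))
```

Decoding 0x8080 also shows the RA (recursion available) bit set with AA clear, which is what a recursive resolver or cache sets in its replies, not what an authoritative-only server normally sends.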