Phantom DNS Records

Some public name servers continue to return a very old IP address host record (probably from a previous ISP who hosted the DNS years ago) ... Win Server 2003 SP2 DNS

We have our own DNS servers. Our domain bluegrotto.com has 2 DNS auth name servers that we operate: ns1.bluegrotto.biz and ns2.bluegrotto.biz.

We had a host named mail.bluegrotto.com which we have taken off all of our DNS servers (at least we think so)... However, an old IP address (207.87.45.170) for this host (mail.bluegrotto.com) continues to appear if I do a query to many of the public DNS servers. I cannot figure out how/where this A record is coming from... Any clues as to how I can track it down? I think it may be coming from a previous ISP who hosted the DNS for the domain a few years ago (but how is that possible?).

If I add mail.bluegrotto.com IN A xxx.xxx.xxx.xxx to our name servers it propagates throughout the internet, but still a bunch of DNS servers continue to return the old IP address (207.87.45.130).

For other hosts in my domain all of the same public servers get their info from our auth Name servers and change and update properly.
Driving me crazy!

An example using nslookup:
> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8
> mail.bluegrotto.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
Non-authoritative answer:
Name:    mail.bluegrotto.com
Address:  207.87.45.130

Win Server 2003 SP2 DNS

Thanks
Charles
shauncroucherCommented:
When you run nslookup, type

set d2

then look up the A record again and see the TTL for the record. What is the TTL (time to live) value set to?

Shaun
cbonoAuthor Commented:
Our DNS is set to default to 1 hr...
AUTHORITY RECORDS:
-> bluegrotto.com
type = SOA, class = IN, dlen = 63
ttl = 900 (15 mins)
primary name server = ns1.bluegrotto.biz
responsible mail addr = hostmaster.bgtoffice.com
serial = 296
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
 
However, on this phantom return it came in at 12 hr:
> mail.bluegrotto.com.
Server:  vnsc-bak.sys.gtei.net
Address:  4.2.2.2
------------

Got answer (53 bytes):
    HEADER:
        opcode = QUERY, id = 32, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        mail.bluegrotto.com, type = A, class = IN
    ANSWERS:
    ->  mail.bluegrotto.com
        type = A, class = IN, dlen = 4
        internet address = 207.87.45.130
        ttl = 43200 (12 hours)
------------
Non-authoritative answer:

------------
Got answer (112 bytes):
    HEADER:
        opcode = QUERY, id = 33, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        mail.bluegrotto.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  bluegrotto.com
        type = SOA, class = IN, dlen = 63
        ttl = 900 (15 mins)
        primary name server = ns1.bluegrotto.biz
        responsible mail addr = hostmaster.bgtoffice.com
        serial  = 296
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
------------
Name:    mail.bluegrotto.com
Address:  207.87.45.130
 
At the same time, using server 4.2.2.1 I get the CORRECT response... 'Non-existent domain'

> mail.bluegrotto.com.
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1
------------
SendRequest(), len 37
    HEADER:
        opcode = QUERY, id = 29, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        mail.bluegrotto.com, type = A, class = IN
------------
------------
Got answer (112 bytes):
    HEADER:
        opcode = QUERY, id = 29, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        mail.bluegrotto.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  bluegrotto.com
        type = SOA, class = IN, dlen = 63
        ttl = 900 (15 mins)
        primary name server = ns1.bluegrotto.biz
        responsible mail addr = hostmaster.bgtoffice.com
        serial  = 296
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
------------
------------
Got answer (112 bytes):
    HEADER:
        opcode = QUERY, id = 30, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        mail.bluegrotto.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  bluegrotto.com
        type = SOA, class = IN, dlen = 63
        ttl = 900 (15 mins)
        primary name server = ns1.bluegrotto.biz
        responsible mail addr = hostmaster.bgtoffice.com
        serial  = 296
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
------------
*** vnsc-pri.sys.gtei.net can't find mail.bluegrotto.com.: Non-existent domain
 
shauncroucherCommented:
I can see the problem.

It seems to be removed on both name servers as you say and appears on at least one public name server.

When did you remove mail.xxxxx from your name servers?

As you say, other 'A' records have a value of 1hr, but do you know what the TTL was on mail.xxxx, perhaps it had a very high value, such as days or weeks and this is why it remains?

Shaun

 
cbonoAuthor Commented:
I hear and understand what you are saying.

But it has been months if not a year since it has been 207.87.45.130!!
But the 207.87.45.130 keeps showing up from various public name servers.

We cannot figure out where it is coming from.

Maybe this is a dumb question... Is it possible that an old DNS service (like Network Solutions) still thinks it's the NS of record and has a "rogue" entry that has never been removed? No other host names that we use have this issue (as far as we can tell).
shauncroucherCommented:
I don't see how, DNS just doesn't work that way.

When a computer needs to find a record in your zone, it will see if it has it cached, and cached records may be returned from any server in the chain (if the person has forwarders configured, for example).

If they don't have forwarders configured and they don't have a cached record, they will go query the root servers, then TLD servers, until eventually they will find your server published as the name server.

Shaun
cbonoAuthor Commented:
I agree... that's why I am going crazy... We cannot trace where this old record keeps surfacing from.

I have torn my DNS records apart... including seeing if the firewall that proxies the DNSs for some reason is spitting old info out...

Look at the simple nslookup below... notice how the first time I run it it spits out 207.87.45.130... and then a second later it says it does not exist... It makes no sense... after about 20 minutes or so I can repeat the experiment...

C:\Windows\System32>nslookup
Default Server:  UnKnown
Address:  192.168.1.10
> server 4.2.2.1
Default Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1

> mail.bluegrotto.com.
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1
Non-authoritative answer:
Name:    mail.bluegrotto.com
Address:  207.87.45.130

> mail.bluegrotto.com.
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1
*** vnsc-pri.sys.gtei.net can't find mail.bluegrotto.com.: Non-existent domain
>
shauncroucherCommented:
I have noticed that your second ns server ns2.bluegrotto.biz does not return the IP of one of your 'A' records - mail1.bluegrotto.com whereas ns1.xxx does return a result.

The nslookup error is 'SendRequest failed'.

Shaun
cbonoAuthor Commented:
It will now... just had the service off while debugging this mess...
Thanks for the heads up!!!
shauncroucherCommented:
I just can't see anything wrong with your configuration. It all seems to be configured correctly. It is very strange, maybe other experts here may know more...

Shaun
cbonoAuthor Commented:
Thanks for the effort... I am completely puzzled by it... I keep hoping to find some old DNS server in our network that I forgot about... but it's not happening...
cbonoAuthor Commented:
Here is something completely puzzling... The root servers seem to be returning 207.87.45.130 for a mail.bluegrotto.com query instead of pointers to the domain's AUTH name servers... look what happens when I nslookup directly to I.GTLD-SERVERS.NET (192.43.172.30).

Nslookup
> server 192.43.172.30    
(root)  nameserver = c.root-servers.net
(root)  nameserver = l.root-servers.net
(root)  nameserver = i.root-servers.net
(root)  nameserver = d.root-servers.net
(root)  nameserver = b.root-servers.net
(root)  nameserver = k.root-servers.net
(root)  nameserver = m.root-servers.net
(root)  nameserver = h.root-servers.net
(root)  nameserver = g.root-servers.net
(root)  nameserver = f.root-servers.net
(root)  nameserver = e.root-servers.net
(root)  nameserver = j.root-servers.net
(root)  nameserver = a.root-servers.net
......
Default Server:  [192.43.172.30]
Address:  192.43.172.30
> mail.bluegrotto.com
Server:  [192.43.172.30]
Address:  192.43.172.30
Non-authoritative answer:
Name:    mail.bluegrotto.com
Address:  207.87.45.130

> mail1.bluegrotto.com
Server:  [192.43.172.30]
Address:  192.43.172.30
Name:    mail1.bluegrotto.com
Served by:
- ns1.bluegrotto.biz
          bluegrotto.com
- ns2.bluegrotto.biz
          bluegrotto.com
cbonoAuthor Commented:
So I have it narrowed down to this... Why would the .COM root servers (a thru j.gtld-servers.net) return an IP address for mail.bluegrotto.com instead of the addresses for the AUTHORIZED name servers for the domain bluegrotto.com?

This is not supposed to happen from what I understand... But since it does, it explains a lot...

This is my theory of what is happening...
1- A public DNS server queries for mail.bluegrotto.com and improperly gets an old IP address (207.87.45.130) from the root domain servers instead of the AUTH name server addresses
2- If another host at bluegrotto.com is queried for... the public DNS now gets the proper AUTH name servers and from then on handles lookups properly
         * then for a while the public DNS may actually go to the correct auth servers (NS1, NS2) and get the proper information for mail.bluegrotto.com
shauncroucherCommented:
As mad as it sounds (as it just doesn't seem likely), I came to the exact same conclusion. I can't explain why it is offering this invalid IP for the mail record. It is bizarre.

Be great if some true DNS gurus could assist on this. I'll keep my eyes peeled.

Shaun
cbonoAuthor Commented:
Agreed... but it explains a lot.

From everything I know, each .COM root name server is !!ONLY!! supposed to return the IP address of the name servers servicing the domain. In this case it seems not to be... which is impossible! ARRRGH!
shauncroucherCommented:
Yes, quite, my understanding exactly. The idea of the TLD servers is to provide the NS for each domain in question. It does seem really strange as the servers will provide an answer if you query for the 'A' record of mail.bluegrotto.com.

> set q=a
> mail.bluegrotto.com
Server:  k.gtld-servers.net
Address:  192.52.178.30

Non-authoritative answer:
Name:    mail.bluegrotto.com
Address:  207.87.45.130

> set d2
> mail.bluegrotto.com
Server:  k.gtld-servers.net
Address:  192.52.178.30

------------
SendRequest(), len 37
    HEADER:
        opcode = QUERY, id = 8, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        mail.bluegrotto.com, type = A, class = IN

------------
------------
Got answer (103 bytes):
    HEADER:
        opcode = QUERY, id = 8, rcode = NOERROR
        header flags:  response, want recursion
        questions = 1,  answers = 1,  authority records = 2,  additional = 0

    QUESTIONS:
        mail.bluegrotto.com, type = A, class = IN
    ANSWERS:
    ->  mail.bluegrotto.com
        type = A, class = IN, dlen = 4
        internet address = 207.87.45.130
        ttl = 172800 (2 days)
    AUTHORITY RECORDS:
    ->  bluegrotto.com
        type = NS, class = IN, dlen = 20
        nameserver = ns1.bluegrotto.biz
        ttl = 172800 (2 days)
    ->  bluegrotto.com
        type = NS, class = IN, dlen = 6
        nameserver = ns2.bluegrotto.biz
        ttl = 172800 (2 days)

------------
Non-authoritative answer:
Name:    mail.bluegrotto.com
Address:  207.87.45.130

>

Funny thing is, it still knows the authority is your .biz servers, but it still has a record there that it provides to people with a 2 day TTL. Where on earth is it getting this information from?

It might be worth speaking with the registrar of your .com domain and see if they are able or willing to help shed any light?

Shaun
cbonoAuthor Commented:
It is GoDaddy now... I think this thing goes back a few years to Network Solutions... That IP address/hostname goes back to 1995... and Network Solutions used to do the DNS for us.

I will keep you posted.

I think this guy had a similar problem in 2002
https://lists.isc.org/pipermail/bind-users/2002-May/039161.html
cbonoAuthor Commented:
Got it!!!!... Called GoDaddy... For the domain they have a setting called "hosts"... It's meant for the DNS host names... and bingo, there it is... It is in a different place from where you tell it your Authorized Name Servers...

So going to the TLD and asking for mail.bluegrotto.com... the TLD thought the query was for the valid name server host, so it returned the IP address...

They were imported from Network Solutions 4 years ago when we transferred registrars... I never even saw them before, as they are in the bottom corner of the page.

Now I am on to the next set of issues... It's not letting me delete them!
12-17-2009-2-50-20-PM.png
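An added example that is not part of the thread: a small pure-Python DNS wire-format parser that flags the exact shape Shaun's `set d2` trace shows and that the GoDaddy "hosts" entry explains, namely a TLD server answering with an A record (AA bit clear, 2-day TTL) while also handing out the NS delegation. The response bytes are constructed inline to mirror that trace rather than captured; the function names and the check itself are this example's own, not anything from the thread or the tools it mentions.

```python
import struct

def encode_name(name):  # dotted name -> uncompressed wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):  # decode a possibly compressed name -> (name, offset after it)
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):  # -> (flags, {section: [(name, type, ttl, rdata), ...]})
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        off = read_name(msg, off)[1] + 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = (".".join(str(b) for b in msg[off:off + 4]) if rtype == 1  # A: dotted quad
                     else read_name(msg, off)[0] if rtype in (2, 5) else msg[off:off + rdlen].hex())  # NS/CNAME: name
            off += rdlen
            sections[sec].append((name, rtype, ttl, rdata))
    return flags, sections

def stale_host_records(msg):
    # A records in the answer section from a server with AA clear that also hands out the NS
    # delegation: a TLD server serving a registrar host object instead of a plain referral.
    flags, s = parse_response(msg)
    aa = bool(flags & 0x0400)
    delegated = any(r[1] == 2 for r in s["authority"])
    return [(n, ttl, ip) for n, t, ttl, ip in s["answer"] if t == 1 and not aa and delegated]

# Constructed sample (not a capture): same shape as the k.gtld-servers.net answer in the thread.
SAMPLE = (struct.pack("!HHHHHH", 8, 0x8100, 1, 1, 2, 0)  # response, RD set, AA clear
          + encode_name("mail.bluegrotto.com") + struct.pack("!HH", 1, 1)
          + encode_name("mail.bluegrotto.com") + struct.pack("!HHIH", 1, 1, 172800, 4) + bytes([207, 87, 45, 130])
          + encode_name("bluegrotto.com") + struct.pack("!HHIH", 2, 1, 172800, 20) + encode_name("ns1.bluegrotto.biz")
          + encode_name("bluegrotto.com") + struct.pack("!HHIH", 2, 1, 172800, 20) + encode_name("ns2.bluegrotto.biz"))
```

Fed a response read from a UDP socket to each gtld-servers.net host instead of `SAMPLE`, `stale_host_records` returns an empty list for a plain referral and lists any host-object address the TLD is still handing out for your zone.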
cbonoAuthor Commented:
Was a great asset in helping follow and debug the issue
shauncroucherCommented:
Hi,

Thanks for letting me know, the mystery is solved! What a nightmare!

Glad I could help a bit there,

Shaun