Solved

BIND A record not returning the correct IP, returning an IP for another record...

Posted on 2011-02-15
Last Modified: 2013-11-13
So we have multiple BIND servers, we have existing zones, let's just say for example domain.com, www.domain.com, subdomain1.domain.com that points to 65.65.65.65.

We just added subdomain2.domain.com to go to 70.70.70.70 but when we do an nslookup against that name server it comes back as 65.65.65.65. Two of us have looked at it and we are stumped.
Question by:ThorinO

LVL 70

Expert Comment

by:Chris Dent
How odd... response includes the AA flag (authoritative answer)?

And presumably it's not failing to reload the zone? Or returning more than one result?

Chris

LVL 10

Author Comment

by:ThorinO
BIND restarts fine after making the change. When I do the nslookup all it shows me is the IP, I don't see anything about AA at all. There is another A record for webmail.domain.com and that one is a different IP from the other 2 and it works fine so I don't know what the deal is.

LVL 70

Expert Comment

by:Chris Dent
Oh yeah, sorry, nslookup...

nslookup -d2 subdomain2.domain.com.

Trailing . is intentional, it'll stop it appending suffixes to the query.

We're interested in the header flags for any response it gives.

I guess you're sending the query to the name server you modified directly? Not via a resolver?

Chris

LVL 10

Author Comment

by:ThorinO
Ya I was doing nslookup, then "server private ip" then subdomain2.domain.com

I ran the command you listed, what should I be looking for exactly?

LVL 70

Expert Comment

by:Chris Dent
A section that looks like this:
C:\> nslookup -d2 indented.co.uk. ns1.indented.co.uk

...

Got answer (198 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, auth. answer, want recursion
        questions = 1,  answers = 1,  authority records = 6,  additional = 2

    QUESTIONS:
        indented.co.uk, type = A, class = IN
    ANSWERS:
    ->  indented.co.uk
        type = A, class = IN, dlen = 4
        internet address = 69.164.211.174
        ttl = 86400 (1 day)
...


If it's returning the A record with an "auth. answer" flag then it got the answer from the server with no intermediate systems interfering.

And if that is the case, it's back to the zone to check for silly things, missing terminating periods (or accidentally included terminating periods) and all that jazz. Oh and wildcard records, because if it's ignoring the current entry we would do well to explain why it's coming back with an answer at all.

Chris

PS if you find the output from nslookup unfriendly, grab dig, either on your Unix / Linux system or the Windows version here: http://members.shaw.ca/nicholas.fong/dig/

LVL 10

Author Comment

by:ThorinO
Below is the output from dig
; <<>> DiG 9.7.1-P2 <<>> @<IP of our NS> subdomain2.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52940
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;subdomain2.domain.com.        IN      A

;; ANSWER SECTION:
subdomain2.domain.com. 3600 IN A       Wrong IP

;; AUTHORITY SECTION:
subdomain2.domain.com. 86400 IN NS     ns3.ourns.net.
subdomain2.domain.com. 86400 IN NS     ns1.ourns.net.
subdomain2.domain.com. 86400 IN NS     ns2.ourns.net.

;; ADDITIONAL SECTION:
ns1.ourns.net.         3600    IN      A       Public IP
ns2.ourns.net.         3600    IN      A       Public IP
ns3.ourns.net.         3600    IN      A       Public IP

;; Query time: 16 msec
;; SERVER: 10.0.1.225#53(10.0.1.225)
;; WHEN: Tue Feb 15 13:43:18 2011
;; MSG SIZE  rcvd: 176

LVL 70

Accepted Solution

by:Chris Dent earned 500 total points
Quite adamant, isn't it? :)

Most of the possibilities I can think of at this stage revolve around administrative error. Things like incorrect editing of the zone file, or even editing the wrong zone file. Granted those are pretty simple things, but then, so is DNS really.

Chris

LVL 10

Author Comment

by:ThorinO
The weird thing is we have a 2nd set of DNS servers that we are getting ready to cut over to which have a frontend to edit records. I added this same record to those thinking that it might be an issue with the configuration on the first set and it did the same thing.

The records on the 2nd set were transferred from the first set but I was hoping that it would fix the issue. So I am at quite a loss right now.

LVL 70

Expert Comment

by:Chris Dent

It all points to an error in the zone file, which is kind of annoying really. I'd ask you to post the zone file (for a third / fourth / fifth / ++ set of eyes), but I have to head off to bed now I'm afraid.

Chris

LVL 10

Author Comment

by:ThorinO
OK, figured this out. There is a domain.com zone and a subdomain2.domain.com zone both with A records for subdomain2.domain.com. I deleted the subdomain2.domain.com zone so that the only A record is within the domain.com zone and that resolved the issue.
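
The cause found here, as an added example that is not part of the original thread: an authoritative server answers from the closest enclosing zone it has loaded, so a separate subdomain2.domain.com zone overrides the A record for that name held in domain.com. The sketch below uses a constructed named.conf and constructed zone data (the thread's placeholder IPs) with hypothetical helper names, and lists every record that is shadowed this way.

```python
import re

# Constructed sample config and zone data mirroring the thread (not the poster's files).
NAMED_CONF = '''
zone "domain.com" { type master; file "db.domain.com"; };
zone "subdomain2.domain.com" { type master; file "db.subdomain2"; };
'''
ZONE_FILES = {
    "db.domain.com": "www 3600 IN A 65.65.65.65\n"
                     "subdomain1 3600 IN A 65.65.65.65\n"
                     "subdomain2 3600 IN A 70.70.70.70\n",
    "db.subdomain2": "@ 3600 IN A 65.65.65.65\n",
}

ZONE_RE = re.compile(r'zone\s+"([^"]+)"(?:\s+IN)?\s*\{[^}]*?file\s+"([^"]+)"', re.I)
A_RE = re.compile(r'(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)', re.I)

def load_zones(conf, files):
    """Map each zone origin to {fqdn: ip} for the A records in its file."""
    zones = {}
    for origin, path in ZONE_RE.findall(conf):
        origin = origin.lower().rstrip(".") + "."
        recs = {}
        for line in files[path].splitlines():
            m = A_RE.match(line)
            if not m:
                continue
            owner = m.group(1).lower()
            if owner == "@":
                owner = origin                  # zone apex
            elif not owner.endswith("."):
                owner = owner + "." + origin    # relative name: origin is appended
            recs[owner] = m.group(2)
        zones[origin] = recs
    return zones

def answering_zone(qname, zones):
    """Closest enclosing zone: the longest origin that is a label-wise suffix of qname."""
    return max((z for z in zones if qname == z or qname.endswith("." + z)), key=len)

def shadowed_records(zones):
    """Records held in one zone but answered from a more specific zone on the same server."""
    found = []
    for origin, recs in zones.items():
        for fqdn, ip in recs.items():
            winner = answering_zone(fqdn, zones)
            if winner != origin:
                found.append((fqdn, origin, ip, winner, zones[winner].get(fqdn)))
    return found
```

In the dig output posted earlier, the AUTHORITY section lists NS records owned by subdomain2.domain.com rather than domain.com, which is the same signal on the wire: the answer came from a zone whose apex is the queried name.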

LVL 70

Expert Comment

by:Chris Dent
Figures :) It was always bound to be something like that, I'm glad you found it :)

Chris

LVL 10

Author Closing Comment

by:ThorinO
Thanks