[conspire] (forw) [TAG] How not to do DNS, example n+1

Rick Moen rick at linuxmafia.com
Mon Nov 21 19:03:50 PST 2005


I think I mentioned that how my domain came to be owned by "Linux Mafia" 
was an interesting story.  Well, it's included below:

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Mon, 21 Nov 2005 18:15:04 -0800
To: tag at lists.linuxgazette.net
From: Rick Moen <rick at linuxmafia.com>
Reply-To: The Answer Gang <tag at lists.linuxgazette.net>
Subject: [TAG] How not to do DNS, example n+1

I've been getting a number of these failure notices, indicating that 
subscriber Faber Fedor has problems, every time someone posts to tag@:

----- Forwarded message from Mail Delivery System <Mailer-Daemon at linuxmafia.com> -----

From: Mail Delivery System <Mailer-Daemon at linuxmafia.com>
To: tag-bounces at lists.linuxgazette.net
Subject: Mail delivery failed: returning message to sender
Date: Mon, 21 Nov 2005 16:36:54 -0800

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  faber at linuxnj.com
    Unrouteable address

------ This is a copy of the message, including all the headers. ------

[Snip Jason Creighton's recent tag@ post.]

----- End forwarded message -----


  [rick at linuxmafia]
  ~ $ ping linuxnj.com
  ping: unknown host linuxnj.com

OK, so his host is unping-able.  Let's see if we can look up where his
domain's mail exchangers (MXes) are:

  [rick at linuxmafia]
  ~ $ dig -t mx linuxnj.com +short

  ; <<>> DiG 9.3.1 <<>> -t mx linuxnj.com
  ;; global options:  printcmd
  ;; connection timed out; no servers could be reached
  [rick at linuxmafia]
  ~ $

Hm, that looks a bit dire.  Notice it doesn't say merely that no MX
records could be found:  It says that the domain's DNS couldn't be
looked up at all.  Let's look at the domain's "whois" records directly,
to see where its nameservers are:

  [rick at linuxmafia]
  ~ $ whois linuxnj.com | more
  [...]
      Domain Registrant: TOTALNIC-107412 (REGISTRANT at LINUXNJ.COM)
      Fedor, Faber
       
      28 Dewey Lane
      Glen Gardner NJ 08826
      US
  [...]
     Name Server: NS1.LINUXNJ.COM
     Name Server: NS2.LINUXNJ.COM

     Domain creation date: 2002-01-28 04:07:12.0
     Domain expiration date: 2008-01-24 22:01:47.0

  [rick at linuxmafia]
  ~ $ 

OK, so what's up (or down, as the case may be) with Faber's two
nameservers?

  [rick at linuxmafia]
  ~ $ host NS1.LINUXNJ.COM
  ;; connection timed out; no servers could be reached
  [rick at linuxmafia]
  ~ $ host NS2.LINUXNJ.COM
  ;; connection timed out; no servers could be reached
  [rick at linuxmafia]
  ~ $ 

Well, that's really bad.  Let's see if we can get that information by
asking the authoritative servers at the parent (.COM) domain:

  [rick at linuxmafia]
  ~ $ dig -t ns linuxnj.com @m.gtld-servers.net 

  ; <<>> DiG 9.3.1 <<>> -t ns linuxnj.com @m.gtld-servers.net
  ; (1 server found)
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4225
  ;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

  ;; QUESTION SECTION:
  ;linuxnj.com.                   IN      NS

  ;; ANSWER SECTION:
  linuxnj.com.            172800  IN      NS      ns1.linuxnj.com.
  linuxnj.com.            172800  IN      NS      ns2.linuxnj.com.

  ;; ADDITIONAL SECTION:
  ns1.linuxnj.com.        172800  IN      A       66.187.137.76
  ns2.linuxnj.com.        172800  IN      A       66.187.137.76

  ;; Query time: 321 msec
  ;; SERVER: 192.55.83.30#53(192.55.83.30)
  ;; WHEN: Mon Nov 21 16:56:52 2005
  ;; MSG SIZE  rcvd: 97

  [rick at linuxmafia]
  ~ $

Those two "A" records are what are called "glue" records:  They are
additional information returned that I didn't actually ask for, designed
to assist queries in either one of two situations:

1 (the general case):  The "NS" query came from a caching nameserver, which, 
if it weren't sent the "glue" IP-address information, would have had to 
immediately follow up the NS query with matching "A" queries to get
those nameservers' IP addresses.  Thus, the main purpose of glue records
is to speed up DNS cache performance by eliminating the need for
follow-up queries.

2 (special case):  In the relatively rare event when a nameserver's name
is _in_ the domain about which it serves information, the glue record 
averts a showstopper chicken-and-egg problem.  E.g., because NS1.LINUXNJ.COM 
has its name _inside_ the LINUXNJ.COM domain it serves information for, 
nameservers needing information about LINUXNJ.COM names would otherwise 
need to know how to resolve the domain before determining how to
resolve the domain.  Thus, the secondary purpose of glue records is to 
make in-domain nameservers possible.

I mentioned Faber having two nameservers -- but a close look at those
"A" records reveals that both NS1 and NS2 point to the same underlying
IP address.  So, it appears that there's only one machine.  And...

  [rick at linuxmafia]
  ~ $ dig linuxnj.com @66.187.137.76 +short
  ;; connection timed out; no servers could be reached
  [rick at linuxmafia]
  ~ $ 

...it's not responding.


A brief historical note about quantity of nameservers:  Back in dinosaur
days, the InterNIC _enforced_ a required minimum of two nameservers.
That is, when you attempted to register a new domain, you had to supply 
two IPs that you claimed to be functional nameservers for the fledgeling
domain.  The InterNIC then ran a script to verify that those IPs were
reachable on port 53 (DNS) and returned meaningful information to
nameservice queries.  The intent, of course, was to ensure that you had
at least a bare minimum amount of redundancy -- or, to put it another
way, that a single nameserver machine was not a single point of failure.

Spotting and curing single points of failure is one of the cardinal
rules of the sysadmin profession.  Another is ensuring "out-of-band"
means of communication, where useful.  (That is why none of my domain
contacts for domain linuxmafia.com have e-mail addresses _within_
linuxmafia.com:  I want to make sure that mails saying "Dude, your
domain is unreachable" can reach me.)

Up until mid-1998, my main Internet machine was known as
"hugin.imat.com", at which point Penguin Computing staffers Nick Moffitt
and Eureka Endo kindly prevailed upon CEO Sam Ockman to purchase
"linuxmafia.com" for me as a gift.  The gift was much appreciated, but I
noticed that the nameservice had a bad habit of intermittently failing
for periods of time.  On Nov. 3, 1998, the nameservice failed
completely, and I noticed that the two nameservers,
NS1.PENGUINCOMPUTING.COM and NS2.PENGUINCOMPUTING.COM, were on
consecutive IP addresses:  

http://jhauser.dyndns.org:8080/archives/html//svlug/1998-11/msg00103.html

My guess at the time was that both IPs were on the same LAN inside the
same network operations centre (NOC), and some common-mode failure had
struck them, e.g., a router problem.  I didn't want to seem ungrateful
for Sam's gift, but that seemed to reflect poor planning, especially
since his entire company also dropped off the Internet for the same
several-day outage period.  (Later private inquiries revealed that the
situation was actually worse:  It was actually a _single_ rackmount
server with two IP addresses assigned to its single ethernet port via
Linux IP aliasing, in order to fool the InterNIC script.)

A couple of telephone calls to Sam revealed that he and his firm were
aware of the outage, and were driving down to visit the NOC.  Implicit
in his comments was the assumption that his DNS setup was basically OK; 
that he'd just suffered an unfortunate hardware outage.  I politely and 
silently disagreed with that assumption, and so set myself the task of
"stealing" my domain from him.

I put the scare quotes on "stealing" because the domain had very
explicitly been intended as a gift -- and not in the Sméagol/Gollum sense
of the word, either.  However, Sam had (unintentionally) reserved both
literal ownership and control to himself, in the way he registered the
domain.  This turns out to be _very common_ when you allow someone else
to register a domain on your behalf, so I wanted to alert everyone to
the syndrome.

That is, Sam had allowed the all-important "Registrant" field to default
to himself, for starters.  In domain jargon, the Registrant is regarded
as the legal owner.  During this period (1998), a faxed, signed letter on
letterhead from Registrant to the InterNIC could replace the Technical
and Administrative contacts (those regarded as having functional
control), over their objections, and could transfer the domain to new
owners.  (More recently, there are much more convoluted requirements,
including notarising.)

Sam, in addition, had listed his name, his old Stanford University
e-mail address, and his relatives' telephone number as the Technical and
Administrative contacts -- at none of which he could actually be
reached, by the way.  So, in theory, only he could change anything
at all about the domain, including adding additional (or substitute)
nameservers -- which was my immediate objective.

So, I crafted a series of forged e-mails, purporting to be from Sam's
ockman at cs.stanford.edu address, sending the necessary filled-out InterNIC
domain-change templates to hostmaster at internic.net .  At that time, only
weak authentication was in place, consisting of "Do you object to this
change?" automated mails to the claimed sender.  Since Sam wasn't
bothering to check his Stanford mail, he didn't even see these, and my
changes to Technical and Administrative addresses went through 24 hours
later, giving me functional control.

At that point, I was able to fix the DNS by _removing_
NS1.PENGUINCOMPUTING.COM and its putatively separate (but merely
IP-aliased) NS2 doppelganger, and substituting _reliable_ and actually 
distinct nameservers in their place.  As the last step, I transferred the
domain away from Network Solutions to Domain Discover of San Diego (as
registrar) -- and discovered to my delight that they had changed the
Registrant field from Sam Ockman to "Linux Mafia" -- which I had not
expected, but was a serendipitous bonus.

I have some really rather bizarre letterhead in mind, if I ever have to
wield Registrant authority.  


Back to Faber.  Having only two nameservers is risky.  Having only two
that live on the same LAN is a bit riskier.  Having both be the same
underlying machine is really pushing your luck.

One of the valuable services many of us can provide to our fellow Linux 
enthusiasts is backup DNS.  I've just talked to Faber by telephone, and
he's been having damned bad luck with his system's boot sector.  Wish
him luck!  When his machine is back online, I'll be (gladly) helping him
out with backup nameservice.

+-+--------------------------------------------------------------------+-+
You've asked a question of The Answer Gang, so you've been sent the reply
directly as a courtesy.  The TAG list has also been copied.  Please send
all replies to tag at lists.linuxgazette.net, so that we can help our other
readers by publishing the exchange in our monthly Web magazine:
              Linux Gazette (http://linuxgazette.net/)
+-+--------------------------------------------------------------------+-+
_______________________________________________
TAG mailing list
TAG at lists.linuxgazette.net
http://lists.linuxgazette.net/mailman/listinfo/tag

----- End forwarded message -----
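The checks Rick walks through by hand in the message above (a domain whose two NS names resolve to a single address, and, in the 1998 story, two nameservers on consecutive IPs inside one NOC) can be mechanised. The Python below is an added example, not part of the original message and not code from any tool it mentions: it parses the text that `dig -t ns <domain> @<parent server>` prints and flags the redundancy problems the post describes. Both sample inputs are constructed: the first copies the linuxnj.com answer quoted above, the second uses made-up RFC 5737 documentation addresses to model the consecutive-IP case. The function and variable names are the example's own.

```python
"""Assess the redundancy of a DNS delegation from dig's text output.

Added example; the linuxnj.com sample is copied from the answer quoted in
the post, the example.com sample is constructed for illustration.
"""
import ipaddress
import re

# dig prints resource records as: owner  TTL  class  type  rdata
_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)\s*$")


def parse_delegation(dig_output):
    """Return (list of NS target names, {owner: set of glue addresses})."""
    ns_names = []
    glue = {}
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig commentary (";; ANSWER SECTION:" etc.) and blanks
        m = _RR.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        owner = owner.rstrip(".").lower()
        rdata = rdata.rstrip(".").lower()
        if rtype == "NS":
            ns_names.append(rdata)
        else:  # A or AAAA record in the ADDITIONAL section: a glue record
            glue.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
    return ns_names, glue


def assess_delegation(domain, dig_output):
    """Flag single points of failure: one machine behind several NS names,
    all nameservers in one /24, or in-bailiwick NS names lacking glue."""
    domain = domain.rstrip(".").lower()
    ns_names, glue = parse_delegation(dig_output)
    # Names inside the delegated zone can only be reached via glue.
    in_bailiwick = [n for n in ns_names if n == domain or n.endswith("." + domain)]
    missing_glue = [n for n in in_bailiwick if n not in glue]
    glued = [n for n in ns_names if n in glue]
    ips = set()
    for n in glued:
        ips |= glue[n]
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False)
            for ip in ips if ip.version == 4}
    warnings = []
    if len(ns_names) < 2:
        warnings.append("fewer than two NS records")
    if ips and len(ips) < len(glued):
        warnings.append("NS names share an IP address: probably one machine")
    elif len(ips) > 1 and len(nets) == 1:
        warnings.append("all nameservers in one /24: common-mode failure risk")
    if missing_glue:
        warnings.append("in-bailiwick NS without glue: " + ", ".join(missing_glue))
    return {
        "ns_names": ns_names,
        "distinct_ips": sorted(str(ip) for ip in ips),
        "in_bailiwick": in_bailiwick,
        "missing_glue": missing_glue,
        "warnings": warnings,
    }


# Sample 1 (copied from the post): two NS names, one glue address.
LINUXNJ_DIG = """\
;; ANSWER SECTION:
linuxnj.com.            172800  IN      NS      ns1.linuxnj.com.
linuxnj.com.            172800  IN      NS      ns2.linuxnj.com.

;; ADDITIONAL SECTION:
ns1.linuxnj.com.        172800  IN      A       66.187.137.76
ns2.linuxnj.com.        172800  IN      A       66.187.137.76
"""

# Sample 2 (constructed, RFC 5737 addresses): distinct but consecutive IPs.
SAME_LAN_DIG = """\
;; ANSWER SECTION:
example.com.            172800  IN      NS      ns1.example.com.
example.com.            172800  IN      NS      ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.        172800  IN      A       192.0.2.10
ns2.example.com.        172800  IN      A       192.0.2.11
"""

if __name__ == "__main__":
    for dom, out in (("linuxnj.com", LINUXNJ_DIG), ("example.com", SAME_LAN_DIG)):
        for w in assess_delegation(dom, out)["warnings"]:
            print(f"{dom}: {w}")
```

Run against live data by piping `dig -t ns yourdomain.example @a.gtld-servers.net` into `assess_delegation`; the parent's answer is the right input because, as the post shows, the domain's own servers may not be answering at all.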
