[conspire] Dept. of practicing what one preaches

Rick Moen rick at linuxmafia.com
Tue Oct 5 11:48:21 PDT 2021


One of Farcebook's biggest blunders yesterday (from among a long list)
was putting all authoritative DNS eggs in one ASN basket.  Long ago, I
made very sure I was not doing likewise, but it's useful to re-check.

Public whois server whois.cymru.com will return AS numbers given IPs
(Yay, Wales!), so let's use that for my primary auth nameserver,
ns1.linuxmafia.com

$ whois -h whois.cymru.com " -v $(dig ns1.linuxmafia.com. +short)"
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
7922    | 96.95.217.99     | 96.64.0.0/11        | US | arin     | 2008-02-21 | COMCAST-7922, US
$

Fabulous.  Now, let's get fancy.  The actual authority for my five
authoritative nameservers derives from the "glue" NS records in the
parent zone, "com.", returned in the "Authority section".

$ dig NS linuxmafia.com @b.gtld-servers.net.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53270
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; AUTHORITY SECTION:
linuxmafia.com.         172800  IN      NS      ns1.linuxmafia.com.
linuxmafia.com.         172800  IN      NS      ns.primate.net.
linuxmafia.com.         172800  IN      NS      ns.tx.primate.net.
linuxmafia.com.         172800  IN      NS      ns3.linuxmafia.com.
linuxmafia.com.         172800  IN      NS      ns6.linuxmafia.com.

;; ADDITIONAL SECTION:
ns1.linuxmafia.com.     172800  IN      A       96.95.217.99
ns3.linuxmafia.com.     172800  IN      A       107.204.234.170
ns6.linuxmafia.com.     172800  IN      A       209.205.200.166
$


We'll want to parse out those NS lines, and then resolve them to IPs
using dig.  Doing a little shell tweaking:

$ dig NS linuxmafia.com @b.gtld-servers.net. | grep NS | awk '{print $5}' | grep -v QUERY | xargs dig +short
96.95.217.99
198.144.194.12
72.249.38.88
107.204.234.170
209.205.200.166 
$


Right.  Now, last bit, I try to show off by feeding those to
whois.cymru.com.  There's some annoying error I'm still making in the
parsing (such that whois fails to query about IP 96.95.217.99, about
which see above), but the whois results _definitely_ show that I'm not
committing Farcebook's network-administrative mistake that brought me
so much schadenfreude yesterday:

$ dig NS linuxmafia.com @b.gtld-servers.net. | grep NS | awk '{print $5}' | grep -v QUERY | xargs dig +short | xargs -0 whois -h whois.cymru.com " -v '{}'"
Error: no ASN or IP match on line 1.
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
7961    | 198.144.194.12   | 198.144.192.0/19    | US | arin     | 1999-03-17 | RBC, US
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
36024   | 72.249.38.88     | 72.249.36.0/22      | US | arin     | 2006-08-25 | AS-TIERP-36024, US
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
7018    | 107.204.234.170  | 107.192.0.0/12      | US | arin     | 2012-04-25 | ATT-INTERNET4, US
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
55081   | 209.205.200.166  | 209.205.192.0/19    | US | arin     | 2013-06-20 | 24SHELLS, US
$

So, there's my answer:  Five authoritative nameservers, comprising five
network-diverse autonomous system numbers.  Good.

(If any frightfully clever xargs user can spot and remedy my scripting
error, I would be obliged.)
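The error visible above comes from `xargs -0`: with NUL delimiting and no `-I`, the entire newline-separated IP list is passed to whois as one argument and `{}` is never substituted, so Cymru sees the literal `'{}'` on line 1 and rejects it while the later lines happen to parse as IPs. The script below is an added example (not from the original post) that replaces the `grep NS` and `xargs -0` steps with record-type-aware parsing and one whois call per IP; it assumes GNU or BSD xargs with `-I`, and the two sample inputs are constructed from the output quoted in the post so the parsing can be checked offline.

```shell
# Constructed sample: the referral from b.gtld-servers.net quoted in the post,
# trimmed to the lines that matter (including the "ANSWER:" flags line that
# a bare "grep NS" would match).
SAMPLE_DIG=';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 3
;; AUTHORITY SECTION:
linuxmafia.com.         172800  IN      NS      ns1.linuxmafia.com.
linuxmafia.com.         172800  IN      NS      ns.primate.net.
linuxmafia.com.         172800  IN      NS      ns.tx.primate.net.
linuxmafia.com.         172800  IN      NS      ns3.linuxmafia.com.
linuxmafia.com.         172800  IN      NS      ns6.linuxmafia.com.
;; ADDITIONAL SECTION:
ns1.linuxmafia.com.     172800  IN      A       96.95.217.99'

# Constructed sample: Team Cymru verbose output as quoted in the post,
# including the error line produced by the xargs -0 mistake.
SAMPLE_CYMRU='Error: no ASN or IP match on line 1.
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
7961    | 198.144.194.12   | 198.144.192.0/19    | US | arin     | 1999-03-17 | RBC, US
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
36024   | 72.249.38.88     | 72.249.36.0/22      | US | arin     | 2006-08-25 | AS-TIERP-36024, US'

# Select NS targets by record type (field 4) rather than grepping for "NS",
# which also matches "ANSWER:" in the flags line.
extract_ns() { awk '$4 == "NS" { print $5 }'; }

# Take the AS number (first "|"-separated field) from Cymru verbose output,
# skipping the repeated header line and any "Error:" lines.
extract_asn() { awk -F'|' '$1 ~ /^[0-9]+ *$/ { gsub(/ /, "", $1); print $1 }'; }

# Count distinct values read from stdin.
count_distinct() { sort -u | wc -l | tr -d ' '; }

# Live check (needs network, so not exercised by the offline test): one
# whois call per IP via xargs -I, which substitutes {} inside the argument
# and keeps the leading space that stops whois from treating -v as its own
# option. Prints the number of distinct ASNs behind the domain's NS set.
asn_diversity() {
  domain=$1
  dig NS "$domain" @b.gtld-servers.net. \
    | extract_ns \
    | xargs dig +short \
    | xargs -I '{}' whois -h whois.cymru.com " -v {}" \
    | extract_asn | count_distinct
}
```

Running `asn_diversity linuxmafia.com` against the live servers should print the distinct-ASN count; comparing it with the number of NS records is the single-ASN-basket check the post performs by eye.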
