eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9645 Location: almost Mile High in the USA
Posted: Sat Dec 11, 2021 4:50 pm Post subject: dpaste.com ... anything weird about its dns entry?
Well, I somehow configured my machine to break when trying to look up dpaste.com. My convoluted DNS (caching named/bind server with local reverse dns lookups) breaks when trying to look up dpaste.com. It times out and SERVFAILs the request.
However it works fine for all other hosts that I throw at it. And if I use a different DNS server it works, but those DNS servers do not reverse resolve my LAN hosts...
Might have to pull out the shark to see if it's even trying to do the lookup, but anyone see anything unusual about dpaste.com?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

alamahant Advocate
Joined: 23 Mar 2019 Posts: 3875
Posted: Sat Dec 11, 2021 4:59 pm

This is what I get if I dig it
Code:
dig @localhost dpaste.com
; <<>> DiG 9.16.22 <<>> @localhost dpaste.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9351
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4d843ce6d3b1543185add (good)
;; QUESTION SECTION:
;dpaste.com. IN A
;; ANSWER SECTION:
dpaste.com. 383 IN CNAME webapp-837091.pythonanywhere.com.
webapp-837091.pythonanywhere.com. 277 IN A 35.173.69.207
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Dec 11 18:56:35 EET 2021
;; MSG SIZE rcvd: 129

Does it seem helpful to you?
I see it is an alias of webapp-837091.pythonanywhere.com
Mine is also a Bind server.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9645 Location: almost Mile High in the USA
Posted: Sat Dec 11, 2021 5:20 pm

Only thing weird is I set up my bind server forwarders to my ISP instead of to the root servers, but my ISP seems to resolve fine too... This is very strange that only dpaste.com does not work as far as I can tell... I see other CNAME records work just fine too...just not dpaste.com.
DiGging dpaste.com reports a very similar result except I get no ANSWER section... Weird.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21489
Posted: Sat Dec 11, 2021 5:26 pm

As I understand your most recent post, the missing ANSWER is when you dig @caching-server. What if you dig @isp-server, so that you get every step of the chain except the local caching server?
My results for dpaste match what alamahant showed.

alamahant Advocate
Joined: 23 Mar 2019 Posts: 3875
Posted: Sat Dec 11, 2021 5:27 pm

If you'd changed your forwarder?
I use 1.1.1.1
Maybe dnssec-validation would have anything to do with the problem?
Just an ignorant hunch.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9645 Location: almost Mile High in the USA
Posted: Sat Dec 11, 2021 6:55 pm

Yes it's a problem solely with the caching server, but understanding the situation would help out figuring out what's wrong with the caching server...
It could be dnssec issues, but wondering why specifically dpaste.com, perhaps dpaste's dns server requires dnssec else it won't give a response?
---
Packet sniffing: Too lazy to shark it, just used tcpdump.
It looks like it got the CNAME (and an A) record fine but it gets into a transaction which I'm not quite familiar with, and it does look like it may very well be a failed DNSSEC transaction ... to the upstream (non-authoritative) DNS. Need to figure out how this should work...and then be able to get a fix... Perhaps my cache was trying to validate the CNAME and A records it got and wasn't able to verify, so it threw it out... ahh!
I just don't know why I can look up citibank.com and other banks which I would hope have similar protection against dns hijacking.
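
The DNSSEC hypothesis raised in this thread can be checked by repeating the failing query with the CD (checking disabled) bit set via `dig +cd`: a validating resolver that answers SERVFAIL normally but NOERROR with data under `+cd` is discarding the answer during validation. The script below is an added example, not posted by anyone in the thread; it classifies two saved dig outputs, and the sample outputs and the `127.0.0.1` server address are constructed assumptions.

```shell
#!/bin/sh
# Added example: triage a SERVFAIL from a validating caching resolver by
# comparing a normal query with the same query sent with the CD bit set.
# Live use (server address is an assumption, adjust to your resolver):
#   normal=$(dig @127.0.0.1 dpaste.com A)
#   nocheck=$(dig @127.0.0.1 dpaste.com A +cd)
#   classify_dnssec "$normal" "$nocheck"

# Extract the rcode (NOERROR, SERVFAIL, ...) from dig's ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract the ANSWER record count from dig's flags line.
dig_answers() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# $1 = dig output without +cd, $2 = dig output with +cd
classify_dnssec() {
    s_normal=$(dig_status "$1")
    s_cd=$(dig_status "$2")
    a_cd=$(dig_answers "$2")
    if [ "$s_normal" = "NOERROR" ]; then
        echo "resolves-normally"
    elif [ "$s_normal" = "SERVFAIL" ] && [ "$s_cd" = "NOERROR" ] &&
         [ "${a_cd:-0}" -gt 0 ]; then
        # Data exists upstream; only the local validator rejects it.
        echo "validation-failure"
    elif [ "$s_normal" = "SERVFAIL" ] && [ "$s_cd" = "SERVFAIL" ]; then
        # Fails even with validation off: look at forwarders or connectivity.
        echo "not-validation-related"
    else
        echo "inconclusive"
    fi
}

# Constructed sample dig output (header and flags lines only).
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

classify_dnssec "$SAMPLE_FAIL" "$SAMPLE_CD_OK"
```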