Breaking DNSviz
Once again one of the resolvers here complained about a query that was very hard to answer. Normally I throw that at DNSviz and get an admin-friendly explanation with a colourful picture. But this time the diagnostic site collapsed.
Query
PTR IN 29.193.48.27.in-addr.arpa. 75.746150 iterator wait for 113.19.72.5
That looks harmless (a reverse lookup on which the resolver had already been waiting more than 75 seconds for 113.19.72.5), but it isn't, because the diagnosis with DNSviz yields exactly one result:
Gateway Timeout
The gateway did not receive a timely response from the upstream server or application.
Apache/2.4 Server at dnsviz.net Port 80
That is mightily strange.
Diagnosis
The first step is to start a DNS trace from the root.
That gives:
$ dig +trace -x 27.48.193.29
.                       2673    IN      NS      k.root-servers.net.
.                       2673    IN      NS      e.root-servers.net.
.                       2673    IN      NS      j.root-servers.net.
.                       2673    IN      NS      d.root-servers.net.
.                       2673    IN      NS      l.root-servers.net.
.                       2673    IN      NS      a.root-servers.net.
.                       2673    IN      NS      f.root-servers.net.
.                       2673    IN      NS      g.root-servers.net.
.                       2673    IN      NS      b.root-servers.net.
.                       2673    IN      NS      m.root-servers.net.
.                       2673    IN      NS      i.root-servers.net.
.                       2673    IN      NS      c.root-servers.net.
.                       2673    IN      NS      h.root-servers.net.
;; Received 492 bytes from 2001:4bd8:0:104:217:17:192:66#53(2001:4bd8:0:104:217:17:192:66) in 1 ms

in-addr.arpa.           172800  IN      NS      d.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      b.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      f.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      c.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      a.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      e.in-addr-servers.arpa.
;; Received 419 bytes from 2001:dc3::35#53(m.root-servers.net) in 76 ms

27.in-addr.arpa.        86400   IN      NS      ns1.apnic.net.
27.in-addr.arpa.        86400   IN      NS      ns2.lacnic.net.
27.in-addr.arpa.        86400   IN      NS      ns3.apnic.net.
27.in-addr.arpa.        86400   IN      NS      ns4.apnic.net.
27.in-addr.arpa.        86400   IN      NS      apnic.authdns.ripe.net.
27.in-addr.arpa.        86400   IN      NS      apnic1.dnsnode.net.
27.in-addr.arpa.        86400   IN      NS      tinnie.arin.net.
;; Received 225 bytes from 2001:67c:e0::1#53(f.in-addr-servers.arpa) in 75 ms

48.27.in-addr.arpa.     86400   IN      NS      ns1.ortel.net.
48.27.in-addr.arpa.     86400   IN      NS      ns4.ortel.net.
48.27.in-addr.arpa.     86400   IN      NS      ns6.ortel.net.
48.27.in-addr.arpa.     86400   IN      NS      ns3.ortel.net.
48.27.in-addr.arpa.     86400   IN      NS      ns9.ortel.net.
48.27.in-addr.arpa.     86400   IN      NS      ns2.ortelcom.com.
48.27.in-addr.arpa.     86400   IN      NS      ns2.ortel.net.
48.27.in-addr.arpa.     86400   IN      NS      ns8.ortel.net.
48.27.in-addr.arpa.     86400   IN      NS      ns1.skycable.net.
48.27.in-addr.arpa.     86400   IN      NS      ns7.ortel.net.
48.27.in-addr.arpa.     86400   IN      NS      ns5.ortel.net.
;; Received 271 bytes from 2001:13c7:7002:3000::11#53(ns2.lacnic.net) in 284 ms

.                       3600    IN      NS      a.root-servers.net.
.                       3600    IN      NS      m.root-servers.net.
.                       3600    IN      NS      l.root-servers.net.
.                       3600    IN      NS      k.root-servers.net.
.                       3600    IN      NS      j.root-servers.net.
.                       3600    IN      NS      i.root-servers.net.
.                       3600    IN      NS      h.root-servers.net.
.                       3600    IN      NS      g.root-servers.net.
.                       3600    IN      NS      f.root-servers.net.
.                       3600    IN      NS      e.root-servers.net.
.                       3600    IN      NS      d.root-servers.net.
.                       3600    IN      NS      c.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.
;; BAD REFERRAL
;; Received 506 bytes from 2404:c00:6:1:68bb:fc71:3252:c744#53(ns1.skycable.net) in 225 ms
Excuse me? The target of the delegation doesn't know the zone and refers us back to the root? Well, a lame delegation like that isn't all that unusual. Running the trace again ends up at a different server of the set:
48.27.in-addr.arpa.     86390   IN      NS      ns2.ortelcom.com.
48.27.in-addr.arpa.     86390   IN      NS      ns2.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns8.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns6.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns5.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns4.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns7.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns3.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns9.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns1.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns1.skycable.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 415 bytes from 202.62.224.5#53(ns1.ortel.net) in 333 ms
This nameserver, though, is in worse shape: it answers with a recursive resolution. Instead of an authoritative answer it hands back the NS set of the very zone it is supposed to serve (a horizontal referral), which is what a caching resolver does with delegation data.
So is it a recursive resolver, and an open one at that?
$ dig @202.62.224.5 lutz.donnerhacke.de AAAA +dnssec

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13997
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;lutz.donnerhacke.de.           IN      AAAA

;; ANSWER SECTION:
lutz.donnerhacke.de.    57599   IN      CNAME   pro.donnerhacke.de.
pro.donnerhacke.de.     57599   IN      AAAA    2001:4bd8:1:1:209:6bff:fe49:79ea

;; Query time: 608 msec
;; SERVER: 202.62.224.5#53(202.62.224.5)
;; WHEN: Tue Feb 21 18:14:43 2017
;; MSG SIZE  rcvd: 94
Yes, an open resolver. In recursive mode: the ra flag is set and it happily resolves a name it has nothing to do with, for anyone who asks.
An unpinned hand grenade on the Internet, with a remote trigger. Ideal for amplification attacks, since a spoofed source address turns any open resolver into a reflector.
What do the other servers mentioned in the delegation look like?
$ dig ns -x 27.48.193.29 +norec @apnic1.dnsnode.net |
  while read -r a b c d e; do
     # keep only the NS records of the referral; $e is the server name
     [ "$d" = "NS" ] || continue
     dig @$e -x 27.48.193.29 +norec
  done
;; QUESTION SECTION:
;29.193.48.27.in-addr.arpa.     IN      PTR
;; AUTHORITY SECTION:
.                       3600    IN      NS      f.root-servers.net.
.                       3600    IN      NS      e.root-servers.net.
.                       3600    IN      NS      d.root-servers.net.
.                       3600    IN      NS      c.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.
.                       3600    IN      NS      a.root-servers.net.
.                       3600    IN      NS      m.root-servers.net.
.                       3600    IN      NS      l.root-servers.net.
.                       3600    IN      NS      k.root-servers.net.
.                       3600    IN      NS      j.root-servers.net.
.                       3600    IN      NS      i.root-servers.net.
.                       3600    IN      NS      h.root-servers.net.
.                       3600    IN      NS      g.root-servers.net.
;; ADDITIONAL SECTION:
f.root-servers.net.     3600    IN      A       192.5.5.241
e.root-servers.net.     3600    IN      A       192.203.230.10
d.root-servers.net.     3600    IN      A       128.8.10.90
;; Query time: 206 msec
;; SERVER: 113.19.0.5#53(113.19.0.5)
;; WHEN: Tue Feb 21 18:16:47 2017
;; MSG SIZE  rcvd: 506
dig: couldn't get address for 'ns7.ortel.net.': not found
; <<>> DiG <<>> @ns6.ortel.net. -x 27.48.193.29 +norec
; (1 server found)
;; connection timed out; no servers could be reached
;; QUESTION SECTION:
;29.193.48.27.in-addr.arpa.     IN      PTR
;; AUTHORITY SECTION:
48.27.in-addr.arpa.     86391   IN      NS      ns1.skycable.net.
48.27.in-addr.arpa.     86391   IN      NS      ns7.ortel.net.
48.27.in-addr.arpa.     86391   IN      NS      ns3.ortel.net.
48.27.in-addr.arpa.     86391   IN      NS      ns4.ortel.net.
48.27.in-addr.arpa.     86391   IN      NS      ns9.ortel.net.
48.27.in-addr.arpa.     86391   IN      NS      ns8.ortel.net.
48.27.in-addr.arpa.     86391   IN      NS      ns6.ortel.net.
48.27.in-addr.arpa.     86391   IN      NS      ns2.ortel.net.
48.27.in-addr.arpa.     86391   IN      NS      ns5.ortel.net.
48.27.in-addr.arpa.     86391   IN      NS      ns2.ortelcom.com.
48.27.in-addr.arpa.     86391   IN      NS      ns1.ortel.net.
;; ADDITIONAL SECTION:
ns1.skycable.net.       3600    IN      A       113.19.0.5
ns2.ortelcom.com.       3600    IN      A       202.62.224.2
ns1.ortel.net.          3600    IN      A       202.62.224.5
;; Query time: 187 msec
;; SERVER: 202.62.224.2#53(202.62.224.2)
;; WHEN: Tue Feb 21 18:17:03 2017
;; MSG SIZE  rcvd: 319
;; QUESTION SECTION:
;29.193.48.27.in-addr.arpa.     IN      PTR
;; AUTHORITY SECTION:
48.27.in-addr.arpa.     86390   IN      NS      ns9.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns1.skycable.net.
48.27.in-addr.arpa.     86390   IN      NS      ns4.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns5.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns2.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns2.ortelcom.com.
48.27.in-addr.arpa.     86390   IN      NS      ns1.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns6.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns3.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns8.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns7.ortel.net.
;; ADDITIONAL SECTION:
ns9.ortel.net.          3600    IN      A       113.19.72.5
ns1.skycable.net.       3600    IN      A       113.19.0.5
ns4.ortel.net.          3600    IN      A       27.49.0.5
ns2.ortel.net.          3600    IN      A       27.48.138.2
ns2.ortelcom.com.       3600    IN      A       202.62.224.2
ns1.ortel.net.          1200    IN      A       202.62.224.5
ns6.ortel.net.          3600    IN      A       27.49.96.2
ns3.ortel.net.          3600    IN      A       27.49.39.5
ns7.ortel.net.          3600    IN      A       27.49.64.2
;; Query time: 209 msec
;; SERVER: 202.62.224.5#53(202.62.224.5)
;; WHEN: Tue Feb 21 18:17:04 2017
;; MSG SIZE  rcvd: 415
dig: couldn't get address for 'ns8.ortel.net.': not found
dig: couldn't get address for 'ns4.ortel.net.': not found
;; QUESTION SECTION:
;29.193.48.27.in-addr.arpa.     IN      PTR
;; AUTHORITY SECTION:
48.27.in-addr.arpa.     86374   IN      NS      ns3.ortel.net.
48.27.in-addr.arpa.     86374   IN      NS      ns4.ortel.net.
48.27.in-addr.arpa.     86374   IN      NS      ns2.ortelcom.com.
48.27.in-addr.arpa.     86374   IN      NS      ns1.ortel.net.
48.27.in-addr.arpa.     86374   IN      NS      ns7.ortel.net.
48.27.in-addr.arpa.     86374   IN      NS      ns9.ortel.net.
48.27.in-addr.arpa.     86374   IN      NS      ns6.ortel.net.
48.27.in-addr.arpa.     86374   IN      NS      ns2.ortel.net.
48.27.in-addr.arpa.     86374   IN      NS      ns1.skycable.net.
48.27.in-addr.arpa.     86374   IN      NS      ns5.ortel.net.
48.27.in-addr.arpa.     86374   IN      NS      ns8.ortel.net.
;; ADDITIONAL SECTION:
ns3.ortel.net.          3600    IN      A       27.49.39.5
ns2.ortelcom.com.       2281    IN      A       202.62.224.2
ns1.skycable.net.       1069    IN      A       113.19.0.5
;; Query time: 1632 msec
;; SERVER: 27.49.39.5#53(27.49.39.5)
;; WHEN: Tue Feb 21 18:17:22 2017
;; MSG SIZE  rcvd: 319
; <<>> DiG <<>> @ns5.ortel.net. -x 27.48.193.29 +norec
; (1 server found)
;; connection timed out; no servers could be reached

So we have:
- One server that is not authoritative for the zone
- Three servers whose names no longer even exist
- Three servers that do not answer
- Three open resolvers
 
Respect.
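As an added example (my own script, not code from the post), here is a small POSIX shell tool that automates what the loop above did by hand and adds the open-resolver probe from the dig against 202.62.224.5: for every NS of a zone it sends a non-recursive SOA query and a recursive query for a foreign name, then classifies each server as authoritative, lame (referral to the root), horizontal referral, timeout or no address, and as open resolver or closed. The zone and probe names, the choice of SOA instead of the PTR the post queried, the use of the local resolver's NS set instead of the parent's delegation, and the constructed sample replies in `self_check` are all my assumptions.

```shell
#!/bin/sh
# Added example (not code from the post): classify every nameserver of a zone
# the way the loop above did by hand, plus the open-resolver probe.
# Assumes: dig is installed; ZONE and PROBE are supplied by the caller.

# classify_norec ZONE: read `dig @server ZONE SOA +norec 2>&1` from stdin and
# print what the server turned out to be.
classify_norec() {
    zone=$1
    out=$(cat)
    case "$out" in
        *"couldn't get address"*)                                 echo no-address; return ;;
        *"connection timed out"*|*"no servers could be reached"*) echo timeout; return ;;
    esac
    # ";; flags: qr aa rd; QUERY: 1, ..." -> "qr aa rd"
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in *" aa "*) echo authoritative; return ;; esac
    # Referral to the root: the server does not know the zone at all (lame).
    if printf '%s\n' "$out" | awk '$1=="." && $4=="NS" {f=1} END {exit (f ? 0 : 1)}'; then
        echo lame; return
    fi
    # Referral to the zone's own NS set without aa: delegation data served
    # from a cache, i.e. a resolver rather than an authoritative server.
    if printf '%s\n' "$out" | awk -v z="$zone" '$1==z && $4=="NS" {f=1} END {exit (f ? 0 : 1)}'; then
        echo horizontal-referral; return
    fi
    echo other
}

# classify_rd: read `dig @server PROBE A 2>&1` (RD set) from stdin. A server
# that sets RA *and* returns answers for a name it is not authoritative for
# is an open resolver. RA alone is not enough: BIND sets it and still answers
# REFUSED to clients outside allow-recursion.
classify_rd() {
    out=$(cat)
    case "$out" in
        *"couldn't get address"*)                                 echo no-address; return ;;
        *"connection timed out"*|*"no servers could be reached"*) echo timeout; return ;;
    esac
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p')
    case " $flags " in
        *" ra "*) if [ "${answers:-0}" -gt 0 ]; then echo open-resolver; return; fi ;;
    esac
    echo closed
}

# scan_zone ZONE PROBE: one verdict line per NS (needs network and dig).
# Uses the NS set the local resolver returns; the post used the parent's
# delegation, which can differ from the child's.
scan_zone() {
    zone=$1; probe=$2
    dig +short "$zone" NS | sort -u | while read -r ns; do
        a=$(dig @"$ns" "$zone" SOA +norec +time=3 +tries=1 2>&1 | classify_norec "$zone")
        b=$(dig @"$ns" "$probe" A +time=3 +tries=1 2>&1 | classify_rd)
        printf '%-24s %-20s %s\n' "$ns" "$a" "$b"
    done
}

# Constructed sample replies, modelled on the captures in the post, so the
# classifiers can be exercised offline.
SAMPLE_LAME=';; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 3

;; AUTHORITY SECTION:
.                       3600    IN      NS      a.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.'
SAMPLE_HORIZ=';; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; AUTHORITY SECTION:
48.27.in-addr.arpa.     86390   IN      NS      ns1.ortel.net.
48.27.in-addr.arpa.     86390   IN      NS      ns2.ortelcom.com.'
SAMPLE_AUTH=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
48.27.in-addr.arpa.     3600    IN      SOA     ns.example. hostmaster.example. 1 7200 3600 1209600 3600'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_NOADDR="dig: couldn't get address for 'ns7.ortel.net.': not found"
SAMPLE_OPEN=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# self_check: succeed iff every sample is classified as expected.
self_check() {
    z=48.27.in-addr.arpa.
    [ "$(printf '%s\n' "$SAMPLE_LAME"    | classify_norec $z)" = lame ] &&
    [ "$(printf '%s\n' "$SAMPLE_HORIZ"   | classify_norec $z)" = horizontal-referral ] &&
    [ "$(printf '%s\n' "$SAMPLE_AUTH"    | classify_norec $z)" = authoritative ] &&
    [ "$(printf '%s\n' "$SAMPLE_TIMEOUT" | classify_norec $z)" = timeout ] &&
    [ "$(printf '%s\n' "$SAMPLE_NOADDR"  | classify_norec $z)" = no-address ] &&
    [ "$(printf '%s\n' "$SAMPLE_OPEN"    | classify_rd)" = open-resolver ] &&
    [ "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_rd)" = closed ]
}

# Usage: ./nscheck.sh 48.27.in-addr.arpa. www.example.com
if [ "$#" -eq 2 ]; then scan_zone "$1" "$2"; fi
```

The open-resolver verdict deliberately requires both the ra flag and a non-empty answer section, because many authoritative servers advertise ra while refusing recursion for outsiders; the post's dig against 202.62.224.5 shows the combination that matters (ra set, two answer records for a foreign name). Servers that return a horizontal referral on the non-recursive probe are the ones to look at first, since that is the fingerprint of a cache standing in for an authoritative server.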
