DNS Reverse Delegation Does Not Work For The BIC

  • Let's start at some root nameserver, using non-recursive queries until we get something authoritative.
  • 132.206.178.241 is the IP of our outgoing SMTP server, kurma.bic.mni.mcgill.ca
~$ dig +norec @a.in-addr-servers.arpa. -x 132.206.178.241 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @a.in-addr-servers.arpa. -x 132.206.178.241 PTR
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42223
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa.  IN      PTR

;; AUTHORITY SECTION:
132.in-addr.arpa.       86400   IN      NS      z.arin.net.
132.in-addr.arpa.       86400   IN      NS      x.arin.net.
132.in-addr.arpa.       86400   IN      NS      u.arin.net.
132.in-addr.arpa.       86400   IN      NS      y.arin.net.
132.in-addr.arpa.       86400   IN      NS      r.arin.net.
132.in-addr.arpa.       86400   IN      NS      arin.authdns.ripe.net.

;; Query time: 16 msec
;; SERVER: 199.212.0.73#53(199.212.0.73)
;; WHEN: Fri Jun 10 15:16:52 2016
;; MSG SIZE  rcvd: 166

~$ dig +norec @b.in-addr-servers.arpa. -x 132.206.178.241 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @b.in-addr-servers.arpa. -x 132.206.178.241 PTR
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63707
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa.  IN      PTR

;; AUTHORITY SECTION:
132.in-addr.arpa.       86400   IN      NS      r.arin.net.
132.in-addr.arpa.       86400   IN      NS      u.arin.net.
132.in-addr.arpa.       86400   IN      NS      x.arin.net.
132.in-addr.arpa.       86400   IN      NS      y.arin.net.
132.in-addr.arpa.       86400   IN      NS      z.arin.net.
132.in-addr.arpa.       86400   IN      NS      arin.authdns.ripe.net.

;; Query time: 103 msec
;; SERVER: 199.253.183.183#53(199.253.183.183)
;; WHEN: Fri Jun 10 15:17:48 2016
;; MSG SIZE  rcvd: 166
  • …etc…until we try arin.authdns.ripe.net.
~$ dig +norec @arin.authdns.ripe.net. -x 132.206.178.241 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @arin.authdns.ripe.net. -x 132.206.178.241 PTR
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43260
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa.  IN      PTR

;; AUTHORITY SECTION:
206.132.in-addr.arpa.   86400   IN      NS      ns2.mcgill.ca.
206.132.in-addr.arpa.   86400   IN      NS      ns4.mcgill.ca.
206.132.in-addr.arpa.   86400   IN      NS      kona.cc.mcgill.ca.
206.132.in-addr.arpa.   86400   IN      NS      moka.cc.mcgill.ca.
206.132.in-addr.arpa.   86400   IN      NS      pens1.mcgill.ca.
206.132.in-addr.arpa.   86400   IN      NS      pens2.mcgill.ca.

;; Query time: 83 msec
;; SERVER: 193.0.9.10#53(193.0.9.10)
;; WHEN: Fri Jun 10 15:18:47 2016
;; MSG SIZE  rcvd: 172
  • WTF! The ‘old’ DNS servers ns2.mcgill.ca., ns4.mcgill.ca., kona.cc.mcgill.ca. and moka.cc.mcgill.ca. are still there?!?
~$ dig +norec @ns2.mcgill.ca. -x 132.206.178.241 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @ns2.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16645
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa.  IN      PTR

;; Query time: 0 msec
;; SERVER: 132.206.44.22#53(132.206.44.22)
;; WHEN: Fri Jun 10 15:19:05 2016
;; MSG SIZE  rcvd: 46
  • OK, nothing. ns4 doesn’t respond…it’s probably down…
~$ dig +norec @ns4.mcgill.ca. -x 132.206.178.241 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @ns4.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
  • Now look at what happens here…
  • Freakin' kona and moka still show the delegation!
~$ dig +norec @kona.cc.mcgill.ca. -x 132.206.178.241 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @kona.cc.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39598
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa.  IN      PTR

;; AUTHORITY SECTION:
178.206.132.in-addr.arpa. 3600  IN      NS      shadow.bic.mni.mcgill.ca.

;; ADDITIONAL SECTION:
shadow.bic.mni.mcgill.ca. 74575 IN      A       132.206.178.7

;; Query time: 1 msec
;; SERVER: 132.206.44.21#53(132.206.44.21)
;; WHEN: Fri Jun 10 15:20:23 2016
;; MSG SIZE  rcvd: 100

~$ dig +norec @moka.cc.mcgill.ca. -x 132.206.178.241 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @moka.cc.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15463
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa.  IN      PTR

;; AUTHORITY SECTION:
178.206.132.in-addr.arpa. 3600  IN      NS      shadow.bic.mni.mcgill.ca.

;; ADDITIONAL SECTION:
shadow.bic.mni.MCGILL.CA. 74712 IN      A       132.206.178.7

;; Query time: 1 msec
;; SERVER: 132.216.44.21#53(132.216.44.21)
;; WHEN: Fri Jun 10 15:21:00 2016
;; MSG SIZE  rcvd: 124
  • …but not the ‘new’ ones, pens1 and pens2…
~$ dig +norec @pens1.mcgill.ca. -x 132.206.178.241 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @pens1.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64617
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa.  IN      PTR

;; Query time: 1 msec
;; SERVER: 132.206.44.69#53(132.206.44.69)
;; WHEN: Fri Jun 10 15:21:27 2016
;; MSG SIZE  rcvd: 46

~$ dig +norec @pens2.mcgill.ca. -x 132.206.178.241 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @pens2.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58816
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa.  IN      PTR

;; Query time: 0 msec
;; SERVER: 132.206.44.70#53(132.206.44.70)
;; WHEN: Fri Jun 10 15:21:32 2016
;; MSG SIZE  rcvd: 46
  • Note that reverse address delegation works for physics.mcgill.ca…
  • The flags ‘qr aa’ mean that this is an AA (Authoritative Answer), not a referral.
~$ dig +norec @pens2.mcgill.ca. -x 132.206.9.48 PTR

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @pens2.mcgill.ca. -x 132.206.9.48 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53733
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;48.9.206.132.in-addr.arpa.     IN      PTR

;; AUTHORITY SECTION:
9.206.132.in-addr.arpa. 14400   IN      SOA     cmp-gw.physics.mcgill.ca. root.physics.mcgill.ca. 116060801 3600 1800 3600000 14400

;; Query time: 2 msec
;; SERVER: 132.206.44.70#53(132.206.44.70)
;; WHEN: Fri Jun 10 15:22:20 2016
;; MSG SIZE  rcvd: 108
  • SOA records for the reverse zones for 9.206.132.IN-ADDR.ARPA and 178.206.132.IN-ADDR.ARPA
  • Note the lack of the aa flag for 178.206.132.IN-ADDR.ARPA: NOT AUTHORITATIVE.
~$ dig @pens1.mcgill.ca 9.206.132.IN-ADDR.ARPA soa

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @pens1.mcgill.ca 9.206.132.IN-ADDR.ARPA soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24133
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;9.206.132.IN-ADDR.ARPA.                IN      SOA

;; ANSWER SECTION:
9.206.132.in-addr.arpa. 14400   IN      SOA     cmp-gw.physics.mcgill.ca. root.physics.mcgill.ca. 116060801 3600 1800 3600000 14400

;; AUTHORITY SECTION:
9.206.132.in-addr.arpa. 14400   IN      NS      cmp-gw.physics.mcgill.ca.
9.206.132.in-addr.arpa. 14400   IN      NS      pens2.mcgill.ca.
9.206.132.in-addr.arpa. 14400   IN      NS      pens1.mcgill.ca.

;; ADDITIONAL SECTION:
pens1.mcgill.ca.        3600    IN      A       132.206.44.69
pens2.mcgill.ca.        3600    IN      A       132.206.44.70
cmp-gw.physics.mcgill.ca. 14400 IN      A       132.206.6.18

;; Query time: 0 msec
;; SERVER: 132.206.44.69#53(132.206.44.69)
;; WHEN: Fri Jun 10 16:52:21 2016
;; MSG SIZE  rcvd: 229

~$ dig @pens1.mcgill.ca 178.206.132.IN-ADDR.ARPA soa

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @pens1.mcgill.ca 178.206.132.IN-ADDR.ARPA soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24553
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;178.206.132.IN-ADDR.ARPA.      IN      SOA

;; Query time: 1 msec
;; SERVER: 132.206.44.69#53(132.206.44.69)
;; WHEN: Fri Jun 10 16:52:27 2016
;; MSG SIZE  rcvd: 42

~$ dig @pens2.mcgill.ca 9.206.132.IN-ADDR.ARPA soa

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @pens2.mcgill.ca 9.206.132.IN-ADDR.ARPA soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14629
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;9.206.132.IN-ADDR.ARPA.                IN      SOA

;; ANSWER SECTION:
9.206.132.in-addr.arpa. 14400   IN      SOA     cmp-gw.physics.mcgill.ca. root.physics.mcgill.ca. 116060801 3600 1800 3600000 14400

;; AUTHORITY SECTION:
9.206.132.in-addr.arpa. 14400   IN      NS      cmp-gw.physics.mcgill.ca.
9.206.132.in-addr.arpa. 14400   IN      NS      pens1.mcgill.ca.
9.206.132.in-addr.arpa. 14400   IN      NS      pens2.mcgill.ca.

;; ADDITIONAL SECTION:
pens1.mcgill.ca.        3600    IN      A       132.206.44.69
pens2.mcgill.ca.        3600    IN      A       132.206.44.70
cmp-gw.physics.mcgill.ca. 14400 IN      A       132.206.6.18

;; Query time: 0 msec
;; SERVER: 132.206.44.70#53(132.206.44.70)
;; WHEN: Fri Jun 10 16:52:33 2016
;; MSG SIZE  rcvd: 229

~$ dig @pens2.mcgill.ca 178.206.132.IN-ADDR.ARPA soa

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @pens2.mcgill.ca 178.206.132.IN-ADDR.ARPA soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23822
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;178.206.132.IN-ADDR.ARPA.      IN      SOA

;; Query time: 0 msec
;; SERVER: 132.206.44.70#53(132.206.44.70)
;; WHEN: Fri Jun 10 16:52:39 2016
;; MSG SIZE  rcvd: 42
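  • Added example, not part of the original page: the by-eye triage used in the walk above (aa flag, referral, SERVFAIL, timeout) written as a filter for a single dig response. The verdict names and the `classify_dig` / `sample_*` helpers are assumptions of this example; the sample responses are trimmed copies of the dig output on this page.

```sh
# Classify one `dig +norec` response read from stdin.
#   AUTHORITATIVE  aa flag set (the server owns the zone, even for NXDOMAIN)
#   REFERRAL       NOERROR, no aa, NS records in AUTHORITY (delegates downward)
#   LAME           anything else, e.g. SERVFAIL from a server listed as NS
#   TIMEOUT        no DNS header at all (server unreachable)
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,/, "", status) }
        }
        /^;; flags:/ {
            flags = $0; sub(/^;; flags: */, "", flags); sub(/;.*/, "", flags)
            aa = ((" " flags " ") ~ / aa /)
        }
        /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
        /^$/                     { in_auth = 0 }
        in_auth && $4 == "NS"    { zone = $1; ns = ns (ns == "" ? "" : ",") $5 }
        END {
            if (status == "")                         print "TIMEOUT"
            else if (aa)                              print "AUTHORITATIVE " status
            else if (status == "NOERROR" && ns != "") print "REFERRAL " zone " -> " ns
            else                                      print "LAME " status
        }'
}

# Responses below are trimmed copies of the dig output shown on this page.
sample_kona() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39598
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
178.206.132.in-addr.arpa. 3600  IN      NS      shadow.bic.mni.mcgill.ca.
EOF
}
sample_pens1() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64617
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}
sample_physics() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53733
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
EOF
}
sample_ns4() { echo ';; connection timed out; no servers could be reached'; }

for s in kona pens1 physics ns4; do
    printf '%-8s %s\n' "$s" "$(sample_$s | classify_dig)"
done
```

Against a live server the same filter takes the commands used above, e.g. `dig +norec @pens1.mcgill.ca. -x 132.206.178.241 PTR | classify_dig`.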