DNS Reverse Delegation Does Not Work For The BIC
- Lets start at some root nameserver using non-recursive queries until we get something authoritative.
- 132.206.178.241 is the IP of our outgoing SMTP server, kurma.bic.mni.mcgill.ca
~$ dig +norec @a.in-addr-servers.arpa. -x 132.206.178.241 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @a.in-addr-servers.arpa. -x 132.206.178.241 PTR
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42223
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0
;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
132.in-addr.arpa. 86400 IN NS z.arin.net.
132.in-addr.arpa. 86400 IN NS x.arin.net.
132.in-addr.arpa. 86400 IN NS u.arin.net.
132.in-addr.arpa. 86400 IN NS y.arin.net.
132.in-addr.arpa. 86400 IN NS r.arin.net.
132.in-addr.arpa. 86400 IN NS arin.authdns.ripe.net.
;; Query time: 16 msec
;; SERVER: 199.212.0.73#53(199.212.0.73)
;; WHEN: Fri Jun 10 15:16:52 2016
;; MSG SIZE rcvd: 166
~$ dig +norec @b.in-addr-servers.arpa. -x 132.206.178.241 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @b.in-addr-servers.arpa. -x 132.206.178.241 PTR
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63707
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0
;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
132.in-addr.arpa. 86400 IN NS r.arin.net.
132.in-addr.arpa. 86400 IN NS u.arin.net.
132.in-addr.arpa. 86400 IN NS x.arin.net.
132.in-addr.arpa. 86400 IN NS y.arin.net.
132.in-addr.arpa. 86400 IN NS z.arin.net.
132.in-addr.arpa. 86400 IN NS arin.authdns.ripe.net.
;; Query time: 103 msec
;; SERVER: 199.253.183.183#53(199.253.183.183)
;; WHEN: Fri Jun 10 15:17:48 2016
;; MSG SIZE rcvd: 166
- …etc…until with try arin.authdns.ripe.net.
~$ dig +norec @arin.authdns.ripe.net. -x 132.206.178.241 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @arin.authdns.ripe.net. -x 132.206.178.241 PTR
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43260
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0
;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
206.132.in-addr.arpa. 86400 IN NS ns2.mcgill.ca.
206.132.in-addr.arpa. 86400 IN NS ns4.mcgill.ca.
206.132.in-addr.arpa. 86400 IN NS kona.cc.mcgill.ca.
206.132.in-addr.arpa. 86400 IN NS moka.cc.mcgill.ca.
206.132.in-addr.arpa. 86400 IN NS pens1.mcgill.ca.
206.132.in-addr.arpa. 86400 IN NS pens2.mcgill.ca.
;; Query time: 83 msec
;; SERVER: 193.0.9.10#53(193.0.9.10)
;; WHEN: Fri Jun 10 15:18:47 2016
;; MSG SIZE rcvd: 172
- WTF! ~the ‘old’ dns servers ns2.mcgill.ca. ns4.mcgill.ca. kona.cc.mcgill.ca. moka.cc.mcgill.ca are still there?!?
~$ dig +norec @ns2.mcgill.ca. -x 132.206.178.241 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @ns2.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16645
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa. IN PTR
;; Query time: 0 msec
;; SERVER: 132.206.44.22#53(132.206.44.22)
;; WHEN: Fri Jun 10 15:19:05 2016
;; MSG SIZE rcvd: 46
- OK, nothing. ns4 doesn’t respond…it’s probably down…
~$ dig +norec @ns4.mcgill.ca. -x 132.206.178.241 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @ns4.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
- Now look at what happens here…
- Freekin kona and moka still ѕhow the delegation!
~$ dig +norec @kona.cc.mcgill.ca. -x 132.206.178.241 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @kona.cc.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39598
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
178.206.132.in-addr.arpa. 3600 IN NS shadow.bic.mni.mcgill.ca.
;; ADDITIONAL SECTION:
shadow.bic.mni.mcgill.ca. 74575 IN A 132.206.178.7
;; Query time: 1 msec
;; SERVER: 132.206.44.21#53(132.206.44.21)
;; WHEN: Fri Jun 10 15:20:23 2016
;; MSG SIZE rcvd: 100
~$ dig +norec @moka.cc.mcgill.ca. -x 132.206.178.241 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @moka.cc.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15463
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
178.206.132.in-addr.arpa. 3600 IN NS shadow.bic.mni.mcgill.ca.
;; ADDITIONAL SECTION:
shadow.bic.mni.MCGILL.CA. 74712 IN A 132.206.178.7
;; Query time: 1 msec
;; SERVER: 132.216.44.21#53(132.216.44.21)
;; WHEN: Fri Jun 10 15:21:00 2016
;; MSG SIZE rcvd: 124
- …but not the ‘new’ ones, pens1 and pens2…
~$ dig +norec @pens1.mcgill.ca. -x 132.206.178.241 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @pens1.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64617
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa. IN PTR
;; Query time: 1 msec
;; SERVER: 132.206.44.69#53(132.206.44.69)
;; WHEN: Fri Jun 10 15:21:27 2016
;; MSG SIZE rcvd: 46
~$ dig +norec @pens2.mcgill.ca. -x 132.206.178.241 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @pens2.mcgill.ca. -x 132.206.178.241 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58816
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;241.178.206.132.in-addr.arpa. IN PTR
;; Query time: 0 msec
;; SERVER: 132.206.44.70#53(132.206.44.70)
;; WHEN: Fri Jun 10 15:21:32 2016
;; MSG SIZE rcvd: 46
- Note that reverse addresses delegation works for physics.mcgill.ca…
- The flag ‘qr aa’ means that this is a AA (Authoritative Answer) not a referal.
~$ dig +norec @pens2.mcgill.ca. -x 132.206.9.48 PTR
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +norec @pens2.mcgill.ca. -x 132.206.9.48 PTR
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53733
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;48.9.206.132.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
9.206.132.in-addr.arpa. 14400 IN SOA cmp-gw.physics.mcgill.ca. root.physics.mcgill.ca. 116060801 3600 1800 3600000 14400
;; Query time: 2 msec
;; SERVER: 132.206.44.70#53(132.206.44.70)
;; WHEN: Fri Jun 10 15:22:20 2016
;; MSG SIZE rcvd: 108
- SOA records for the reverse zones for
9.206.132.IN-ADDR.ARPA
and 178.206.132.IN-ADDR.ARPA
- Note the lack of the flag
qr aa
for 178.206.132.IN-ADDR.ARPA
: NOT AUTHORITATIVE.
~$ dig @pens1.mcgill.ca 9.206.132.IN-ADDR.ARPA soa
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @pens1.mcgill.ca 9.206.132.IN-ADDR.ARPA soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24133
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;9.206.132.IN-ADDR.ARPA. IN SOA
;; ANSWER SECTION:
9.206.132.in-addr.arpa. 14400 IN SOA cmp-gw.physics.mcgill.ca. root.physics.mcgill.ca. 116060801 3600 1800 3600000 14400
;; AUTHORITY SECTION:
9.206.132.in-addr.arpa. 14400 IN NS cmp-gw.physics.mcgill.ca.
9.206.132.in-addr.arpa. 14400 IN NS pens2.mcgill.ca.
9.206.132.in-addr.arpa. 14400 IN NS pens1.mcgill.ca.
;; ADDITIONAL SECTION:
pens1.mcgill.ca. 3600 IN A 132.206.44.69
pens2.mcgill.ca. 3600 IN A 132.206.44.70
cmp-gw.physics.mcgill.ca. 14400 IN A 132.206.6.18
;; Query time: 0 msec
;; SERVER: 132.206.44.69#53(132.206.44.69)
;; WHEN: Fri Jun 10 16:52:21 2016
;; MSG SIZE rcvd: 229
~$ dig @pens1.mcgill.ca 178.206.132.IN-ADDR.ARPA soa
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @pens1.mcgill.ca 178.206.132.IN-ADDR.ARPA soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24553
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;178.206.132.IN-ADDR.ARPA. IN SOA
;; Query time: 1 msec
;; SERVER: 132.206.44.69#53(132.206.44.69)
;; WHEN: Fri Jun 10 16:52:27 2016
;; MSG SIZE rcvd: 42
~$ dig @pens2.mcgill.ca 9.206.132.IN-ADDR.ARPA soa
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @pens2.mcgill.ca 9.206.132.IN-ADDR.ARPA soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14629
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;9.206.132.IN-ADDR.ARPA. IN SOA
;; ANSWER SECTION:
9.206.132.in-addr.arpa. 14400 IN SOA cmp-gw.physics.mcgill.ca. root.physics.mcgill.ca. 116060801 3600 1800 3600000 14400
;; AUTHORITY SECTION:
9.206.132.in-addr.arpa. 14400 IN NS cmp-gw.physics.mcgill.ca.
9.206.132.in-addr.arpa. 14400 IN NS pens1.mcgill.ca.
9.206.132.in-addr.arpa. 14400 IN NS pens2.mcgill.ca.
;; ADDITIONAL SECTION:
pens1.mcgill.ca. 3600 IN A 132.206.44.69
pens2.mcgill.ca. 3600 IN A 132.206.44.70
cmp-gw.physics.mcgill.ca. 14400 IN A 132.206.6.18
;; Query time: 0 msec
;; SERVER: 132.206.44.70#53(132.206.44.70)
;; WHEN: Fri Jun 10 16:52:33 2016
;; MSG SIZE rcvd: 229
~$ dig @pens2.mcgill.ca 178.206.132.IN-ADDR.ARPA soa
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @pens2.mcgill.ca 178.206.132.IN-ADDR.ARPA soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23822
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;178.206.132.IN-ADDR.ARPA. IN SOA
;; Query time: 0 msec
;; SERVER: 132.206.44.70#53(132.206.44.70)
;; WHEN: Fri Jun 10 16:52:39 2016
;; MSG SIZE rcvd: 42