I got rather strange error messages from two servers this evening, one at 18:00:21 EST, and another one at 18:34:01 EST. One server lives in Brussels, the other in Boston. On both servers a (totally different) script executed via cron complained it could not resolve a hostname. Both hostnames exist, and both are in .org domains (in different domains).
Both machines run dnscache locally for resolving. Sadly, the logs had already rotated on the first server, but the other one still had the relevant entry. This is what I found:
2009-01-20 18:34:01.729172500 query #1221279 127.0.0.1:45933 (id 50134) a REDACTED.iofc.org.
2009-01-20 18:34:01.729221500 cached ns org. b2.org.afilias-nst.org.
2009-01-20 18:34:01.729223500 cached ns org. a2.org.afilias-nst.info.
2009-01-20 18:34:01.729225500 cached ns org. b0.org.afilias-nst.org.
2009-01-20 18:34:01.729277500 cached ns org. d0.org.afilias-nst.org.
2009-01-20 18:34:01.729279500 cached ns org. c0.org.afilias-nst.info.
2009-01-20 18:34:01.731611500 cached ns org. a0.org.afilias-nst.info.
2009-01-20 18:34:01.731654500 cached a b2.org.afilias-nst.org.
2009-01-20 18:34:01.731657500 cached a a2.org.afilias-nst.info.
2009-01-20 18:34:01.731674500 cached a b0.org.afilias-nst.org.
2009-01-20 18:34:01.731676500 cached a d0.org.afilias-nst.org.
2009-01-20 18:34:01.731678500 cached a c0.org.afilias-nst.info.
2009-01-20 18:34:01.731694500 cached a a0.org.afilias-nst.info.
2009-01-20 18:34:01.731696500 tx g=0 a REDACTED.iofc.org. org. 199.19.53.1 199.249.112.1 199.249.120.1 199.19.57.1 199.19.54.1 199.19.56.1
2009-01-20 18:34:01.814058500 nxdomain 199.19.53.1 TTL=0 REDACTED.iofc.org.
What happened here is that the nameserver at 199.19.53.1, run by Afilias (the organization that runs the .org registry), returned NXDOMAIN (no such domain) when asked about the host REDACTED.iofc.org, rather than returning a referral to the nameservers that are authoritative for the iofc.org domain.
A bit later, things were fine again when another Afilias nameserver replied properly:
2009-01-20 19:04:01.715579500 query #1221422 127.0.0.1:45936 (id 46625) a prometheus.iofc.org.
2009-01-20 19:04:01.715627500 cached ns org. b2.org.afilias-nst.org.
2009-01-20 19:04:01.715629500 cached ns org. a2.org.afilias-nst.info.
2009-01-20 19:04:01.715631500 cached ns org. b0.org.afilias-nst.org.
2009-01-20 19:04:01.715634500 cached ns org. d0.org.afilias-nst.org.
2009-01-20 19:04:01.715635500 cached ns org. c0.org.afilias-nst.info.
2009-01-20 19:04:01.715637500 cached ns org. a0.org.afilias-nst.info.
2009-01-20 19:04:01.715639500 cached a b2.org.afilias-nst.org.
2009-01-20 19:04:01.715641500 cached a a2.org.afilias-nst.info.
2009-01-20 19:04:01.715660500 cached a b0.org.afilias-nst.org.
2009-01-20 19:04:01.715662500 cached a d0.org.afilias-nst.org.
2009-01-20 19:04:01.715664500 cached a c0.org.afilias-nst.info.
2009-01-20 19:04:01.715666500 cached a a0.org.afilias-nst.info.
2009-01-20 19:04:01.715683500 tx g=0 a REDACTED.iofc.org. org. 199.19.54.1 199.249.112.1 199.19.56.1 199.19.53.1 199.19.57.1 199.249.120.1
2009-01-20 19:04:01.754217500 rr 199.19.54.1 TTL=172800 a ns1.iofc.org. 62.49.196.44
2009-01-20 19:04:01.754224500 rr 199.19.54.1 TTL=86400 a ns4.iofc.org. 208.94.48.44
2009-01-20 19:04:01.754266500 rr 199.19.54.1 TTL=86400 ns iofc.org. ns1.iofc.org.
2009-01-20 19:04:01.754269500 rr 199.19.54.1 TTL=86400 ns iofc.org. ns4.iofc.org.
2009-01-20 19:04:01.754271500 stats count=1221422 motion=98951375 udp-active=1 tcp-active=0
2009-01-20 19:04:01.754273500 cached a ns1.iofc.org.
2009-01-20 19:04:01.754274500 cached a ns4.iofc.org.
...
This kind of thing is not supposed to happen. What’s going on, Afilias?
Update: This sans.org report might be related. And there were a few threads on the NANOG mailing list about a DDoS amplification attack using DNS servers.
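The comparison made by hand above can be run over a whole dnscache log. The following is an added example, not code from the original post: it flags every NXDOMAIN that a zone's server gave for a name under a domain which the same zone's servers delegate elsewhere in the log. The function names and the sample log are constructed, and the parser assumes the human-readable field layout of the entries quoted above.

```python
from collections import defaultdict

# Constructed sample in the layout of the entries quoted in the post
# (server lists shortened; the last two lines are invented as a negative case).
SAMPLE_LOG = """\
2009-01-20 18:34:01.731696500 tx g=0 a REDACTED.iofc.org. org. 199.19.53.1 199.249.112.1
2009-01-20 18:34:01.814058500 nxdomain 199.19.53.1 TTL=0 REDACTED.iofc.org.
2009-01-20 19:04:01.715683500 tx g=0 a REDACTED.iofc.org. org. 199.19.54.1 199.19.53.1
2009-01-20 19:04:01.754266500 rr 199.19.54.1 TTL=86400 ns iofc.org. ns1.iofc.org.
2009-01-20 19:05:10.000000500 tx g=0 a www.constructed-unregistered.org. org. 199.19.54.1
2009-01-20 19:05:10.040000500 nxdomain 199.19.54.1 TTL=0 www.constructed-unregistered.org.
"""

def is_below(name, zone):
    """True if name is a proper subdomain of zone (absolute, lower-case names)."""
    return name != zone and (zone == "." or name.endswith("." + zone))

def contradictory_nxdomains(log_text):
    """Return (timestamp, server, name, delegated_child) for each suspect NXDOMAIN."""
    zone_servers = defaultdict(set)  # zone -> server IPs dnscache sent queries to
    delegated = defaultdict(set)     # zone -> children its servers returned NS for
    nxdomains = []                   # (timestamp, server, name)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        stamp, event = f[0] + " " + f[1], f[2]
        if event == "tx" and len(f) >= 8:
            zone_servers[f[6].lower()].update(f[7:])
        elif event == "nxdomain":
            nxdomains.append((stamp, f[3], f[5].lower()))
        elif event == "rr" and len(f) >= 8 and f[5] == "ns":
            owner = f[6].lower()
            for zone, servers in zone_servers.items():
                if f[3] in servers and is_below(owner, zone):
                    delegated[zone].add(owner)
    findings = []
    # Second pass: the delegation evidence may appear later than the NXDOMAIN.
    for stamp, server, name in nxdomains:
        for zone, servers in zone_servers.items():
            if server not in servers:
                continue
            for child in sorted(delegated[zone]):
                if name == child or is_below(name, child):
                    findings.append((stamp, server, name, child))
    return findings

if __name__ == "__main__":
    for stamp, server, name, child in contradictory_nxdomains(SAMPLE_LOG):
        print("%s: %s said NXDOMAIN for %s, but %s is delegated" % (stamp, server, name, child))
```

A hit is a lead rather than proof: a domain registered or deleted between the two log entries would produce the same pattern, and an NXDOMAIN with no delegation evidence in the log is not reported either way.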