Nonexistant domains resolve to my local domain

Hugo Osvaldo Barrera-2
Hi,

I'm having this extremely weird issue.
My hostname is elysion.barrera.io. When I try to ping, curl, or something
alike aDomainIReallySureDoeNotExist.com, it pings/curls/whatever
my local domain. Maybe an example can be clearer:

  # ping adsfsdgasdadsfasfsdfasdf.net
  PING elysion.barrera.io (174.136.104.18): 56 data bytes
  64 bytes from 174.136.104.18: icmp_seq=0 ttl=255 time=0.032 ms
  64 bytes from 174.136.104.18: icmp_seq=1 ttl=255 time=0.081 ms

dig, however, works fine:

  # dig adsfsdgasdadsfasfsdfasdf.net
  <snip>
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20200
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
   <snip>

I've tried changing nameserver to my ISP's, Google Public DNS, etc, the
issue is always persistent (besides, dig working makes me think it's a
local issue).

Note that ALL nonexistent domains resolve to myself, never anything
different.

Any hints on where I should be looking?

--
Hugo Osvaldo Barrera

Re: Nonexistant domains resolve to my local domain

Giancarlo Razzolini-3
On 10-04-2014 00:43, Hugo Osvaldo Barrera wrote:

> Hi,
>
> I'm having this extremely weird issue.
> My hostname is elysion.barrera.io. When I try to ping, curl, or something
> alike aDomainIReallySureDoeNotExist.com, it pings/curls/whatever
> my local domain. Maybe an example can be clearer:
>
>   # ping adsfsdgasdadsfasfsdfasdf.net
>   PING elysion.barrera.io (174.136.104.18): 56 data bytes
>   64 bytes from 174.136.104.18: icmp_seq=0 ttl=255 time=0.032 ms
>   64 bytes from 174.136.104.18: icmp_seq=1 ttl=255 time=0.081 ms
>
> dig, however, works fine:
>
>   # dig adsfsdgasdadsfasfsdfasdf.net
>   <snip>
>   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20200
>   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>    <snip>
>
> I've tried changing nameserver to my ISP's, Google Public DNS, etc, the
> issue is always persistent (besides, dig working makes me think it's a
> local issue).
>
> Note that ALL nonexistent domains resolve to myself, never anything
> different.
>
> Any hints on where I should be looking?
>
> --
> Hugo Osvaldo Barrera
>
> [demime 1.01d removed an attachment of type application/pgp-signature]
>
You need to elaborate on a lot of things. We could only guess on who is
to blame here (my money is on a misconfigured dns server, either a
transparent dns proxy at your isp or a wrongly configured one in your
network). Post your /etc/hosts, /etc/resolv.conf and dmesg for starters;
this is the initial information required for helping solve your issue.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC

Re: Nonexistant domains resolve to my local domain

Hugo Osvaldo Barrera-2
On 2014-04-10 01:16, Giancarlo Razzolini wrote:

> On 10-04-2014 00:43, Hugo Osvaldo Barrera wrote:
> > Hi,
> >
> > I'm having this extremely weird issue.
> > My hostname is elysion.barrera.io. When I try to ping, curl, or something
> > alike aDomainIReallySureDoeNotExist.com, it pings/curls/whatever
> > my local domain. Maybe an example can be clearer:
> >
> >   # ping adsfsdgasdadsfasfsdfasdf.net
> >   PING elysion.barrera.io (174.136.104.18): 56 data bytes
> >   64 bytes from 174.136.104.18: icmp_seq=0 ttl=255 time=0.032 ms
> >   64 bytes from 174.136.104.18: icmp_seq=1 ttl=255 time=0.081 ms
> >
> > dig, however, works fine:
> >
> >   # dig adsfsdgasdadsfasfsdfasdf.net
> >   <snip>
> >   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20200
> >   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >    <snip>
> >
> > I've tried changing nameserver to my ISP's, Google Public DNS, etc, the
> > issue is always persistent (besides, dig working makes me think it's a
> > local issue).
> >
> > Note that ALL nonexistent domains resolve to myself, never anything
> > different.
> >
> > Any hints on where I should be looking?
> >
> > --
> > Hugo Osvaldo Barrera
> >
> > [demime 1.01d removed an attachment of type application/pgp-signature]
> >
> You need to elaborate on a lot of things. We could only guess on who is
> to blame here (my money is on a misconfigured dns server, either a
> transparent dns proxy at your isp or a wrongly configured one in your
> network). Post your /etc/hosts, /etc/resolv.conf and dmesg for starters;
> this is the initial information required for helping solve your issue.
>
> Cheers,
>
> --
> Giancarlo Razzolini
> GPG: 4096R/77B981BC
>

As I mentioned before, I tried different nameservers including my ISPs
and Google's Public DNS (so a "misconfigured dns server" is extremely
unlikely).

I didn't mention any transparent proxies because there aren't any
either. Connection is straight to the public internet.

/etc/hosts:
::1            localhost
127.0.0.1      localhost
174.136.104.18 elysion.barrera.io

/etc/resolv.conf:
nameserver 208.79.88.7
nameserver 208.79.88.9

/etc/resolv.conf (another version):
nameserver 8.8.8.8

dmesg:
OpenBSD 5.5-current (GENERIC.MP) #59: Mon Apr  7 22:49:12 MDT 2014
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 788463616 (751MB)
avail mem = 758763520 (723MB)
warning: no entropy supplied by boot loader
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfbd3f (10 entries)
bios0: vendor QEMU version "QEMU" date 01/01/2007
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
acpiprt0 at acpi0: bus 0 (PCI0)
mpbios at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: QEMU Virtual CPU version 0.9.1, 2667.13 MHz
cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,LONG,PERF
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <QEMU HARDDISK>
wd0: 16-sector PIO, LBA48, 20480MB, 41943040 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 0.9.> ATAPI 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
cd0(pciide0:0:1): using PIO mode 0
atapiscsi1 at pciide0 channel 1 drive 0
scsibus2 at atapiscsi1: 2 targets
cd1 at scsibus2 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 0.9.> ATAPI 5/cdrom removable
cd1(pciide0:1:0): using PIO mode 0
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: irq 10
iic0 at piixpm0
iic0: addr 0x18 48=00 words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
iic0: addr 0x1a 48=00 words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x03: irq 11, address 52:54:00:27:24:25
virtio0 at pci0 dev 4 function 0 "Qumranet Virtio Memory" rev 0x00: Virtio Memory Balloon Device
viomb0 at virtio0
virtio0: irq 11
virtio1 at pci0 dev 5 function 0 "Qumranet Virtio Console" rev 0x00: Virtio Console Device
virtio1: no matching child driver; not configured
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: probed fifo depth: 0 bytes
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: density unknown
fd1 at fdc0 drive 1: density unknown
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
nvram: invalid checksum
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on wd0a (2106e1a8ecd3a36f.a) swap on wd0b dump on wd0b
clock: unknown CMOS layout

--
Hugo Osvaldo Barrera

Re: Nonexistant domains resolve to my local domain

Zé Loff-2
On 10-04-2014 05:51, Hugo Osvaldo Barrera wrote:

> On 2014-04-10 01:16, Giancarlo Razzolini wrote:
>> On 10-04-2014 00:43, Hugo Osvaldo Barrera wrote:
>>> Hi,
>>>
>>> I'm having this extremely weird issue.
>>> My hostname is elysion.barrera.io. When I try to ping, curl, or something
>>> alike aDomainIReallySureDoeNotExist.com, it pings/curls/whatever
>>> my local domain. Maybe an example can be clearer:
>>>
>>>    # ping adsfsdgasdadsfasfsdfasdf.net
>>>    PING elysion.barrera.io (174.136.104.18): 56 data bytes
>>>    64 bytes from 174.136.104.18: icmp_seq=0 ttl=255 time=0.032 ms
>>>    64 bytes from 174.136.104.18: icmp_seq=1 ttl=255 time=0.081 ms
>>>
>>> dig, however, works fine:
>>>
>>>    # dig adsfsdgasdadsfasfsdfasdf.net
>>>    <snip>
>>>    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20200
>>>    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>>     <snip>
>>>
>>> I've tried changing nameserver to my ISP's, Google Public DNS, etc, the
>>> issue is always persistent (besides, dig working makes me think it's a
>>> local issue).
>>>
>>> Note that ALL nonexistent domains resolve to myself, never anything
>>> different.
>>>
>>> Any hints on where I should be looking?
>>>
>>> --
>>> Hugo Osvaldo Barrera
>>>
>>> [demime 1.01d removed an attachment of type application/pgp-signature]
>>>
>> You need to elaborate on a lot of things. We could only guess on who is
>> to blame here (my money is on a misconfigured dns server, either a
>> transparent dns proxy at your isp or a wrongly configured one in your
>> network). Post your /etc/hosts, /etc/resolv.conf and dmesg for starters;
>> this is the initial information required for helping solve your issue.
>>
>> Cheers,
>>
>> --
>> Giancarlo Razzolini
>> GPG: 4096R/77B981BC
>>
Any DNS traffic on port 53 when you ping a new nonexistent domain (i.e.
how is ping resolving / who is it getting the IP from)?

Re: Nonexistant domains resolve to my local domain

Stuart Henderson
In reply to this post by Hugo Osvaldo Barrera-2
Try "ASR_DEBUG=1 ping somehost" and post the result..

Re: Nonexistant domains resolve to my local domain

Richard Toohey
In reply to this post by Zé Loff-2
On 04/10/14 21:24, Zé Loff wrote:

> On 10-04-2014 05:51, Hugo Osvaldo Barrera wrote:
>> On 2014-04-10 01:16, Giancarlo Razzolini wrote:
>>> On 10-04-2014 00:43, Hugo Osvaldo Barrera wrote:
>>>> Hi,
>>>>
>>>> I'm having this extremely weird issue.
>>>> My hostname is elysion.barrera.io. When I try to ping, curl, or
>>>> something
>>>> alike aDomainIReallySureDoeNotExist.com, it pings/curls/whatever
>>>> my local domain. Maybe an example can be clearer:
>>>>
>>>>    # ping adsfsdgasdadsfasfsdfasdf.net
>>>>    PING elysion.barrera.io (174.136.104.18): 56 data bytes
>>>>    64 bytes from 174.136.104.18: icmp_seq=0 ttl=255 time=0.032 ms
>>>>    64 bytes from 174.136.104.18: icmp_seq=1 ttl=255 time=0.081 ms
>>>>
> Any DNS traffic on port 53 when you ping a new nonexistent domain (i.e.
> how is ping resolving / who is it getting the IP from)?
Would ASR_DEBUG help in this case?

http://marc.info/?l=openbsd-misc&m=137908307611495&w=2

$ ASR_DEBUG=1 ping nosuchdomainexistsok.com

Re: Nonexistant domains resolve to my local domain

Vladislav Manchev
It looks like a misconfigured split DNS to me, but that's just a wild-ass
guess.

Re: Nonexistant domains resolve to my local domain

Hugo Osvaldo Barrera-2
In reply to this post by Hugo Osvaldo Barrera-2
On 2014-04-10 00:43, Hugo Osvaldo Barrera wrote:

> Hi,
>
> I'm having this extremely weird issue.
> My hostname is elysion.barrera.io. When I try to ping, curl, or something
> alike aDomainIReallySureDoeNotExist.com, it pings/curls/whatever
> my local domain. Maybe an example can be clearer:
>
>   # ping adsfsdgasdadsfasfsdfasdf.net
>   PING elysion.barrera.io (174.136.104.18): 56 data bytes
>   64 bytes from 174.136.104.18: icmp_seq=0 ttl=255 time=0.032 ms
>   64 bytes from 174.136.104.18: icmp_seq=1 ttl=255 time=0.081 ms
>
> dig, however, works fine:
>
>   # dig adsfsdgasdadsfasfsdfasdf.net
>   <snip>
>   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20200
>   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>    <snip>
>
> I've tried changing nameserver to my ISP's, Google Public DNS, etc, the
> issue is always persistent (besides, dig working makes me think it's a
> local issue).
>
> Note that ALL nonexistent domains resolve to myself, never anything
> different.
>
> Any hints on where I should be looking?
>
> --
> Hugo Osvaldo Barrera
>

I got a few off-list replies that led me to the issue.
I've a wildcard CNAME set up (which responds for any non-existent
subdomain):

  *.barrera.io IN CNAME elysion.barrera.io.

When resolving "nonexistant.net" fails, ping will search for
"nonexistant.net.barrera.io".
And, well, the rest of it is pretty obvious.

So the issue wasn't on the nameserver I'm using to resolve, nor on my
local system, but rather a combination of existing DNS records, and my
search domain.

I guess the solution is getting rid of the wildcard domain - any other
alternatives?

Thanks,

--
Hugo Osvaldo Barrera
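
The interaction described in the message above, as an added example that is not part of the original thread: a simplified offline model of a stub resolver's search list against a toy zone holding the thread's wildcard CNAME. The function names and the ndots-style ordering are assumptions of this sketch, and the empty search list stands in for dig, which does not apply the search list by default.

```python
# Constructed model: no network access; the zone data mirrors the thread.
WILDCARD_ZONE = "barrera.io"            # zone holding "*.barrera.io"
WILDCARD_TARGET = "elysion.barrera.io"  # CNAME target from the thread
HOSTS = {"elysion.barrera.io": "174.136.104.18"}  # address from the thread


def authoritative_lookup(fqdn):
    """Toy DNS: only barrera.io exists; everything else is NXDOMAIN."""
    name = fqdn.rstrip(".").lower()
    if name in HOSTS:
        return HOSTS[name]
    if name.endswith("." + WILDCARD_ZONE):
        # Wildcard CNAME: any otherwise-nonexistent name below the zone,
        # at any label depth, is answered with the target's address.
        return HOSTS[WILDCARD_TARGET]
    return None  # NXDOMAIN


def candidates(name, search, ndots=1):
    """Names a stub resolver tries, in order (simplified search logic)."""
    if name.endswith("."):
        return [name]  # absolute name: the search list is skipped
    suffixed = [f"{name}.{domain}." for domain in search]
    as_is = [name + "."]
    # A name with at least `ndots` dots is tried as-is first.
    return as_is + suffixed if name.count(".") >= ndots else suffixed + as_is


def resolve(name, search):
    """Return (address, name_that_answered) or (None, None)."""
    for cand in candidates(name, search):
        addr = authoritative_lookup(cand)
        if addr:
            return addr, cand
    return None, None


if __name__ == "__main__":
    bogus = "adsfsdgasdadsfasfsdfasdf.net"
    cases = [
        (bogus, ["barrera.io"]),        # ping-like: search list applied
        (bogus, []),                    # dig-like: no search list
        (bogus + ".", ["barrera.io"]),  # trailing dot: absolute name
    ]
    for query, search in cases:
        print(query, search, "->", resolve(query, search))
```

Only the first case returns an address, and the name that answered is the bogus name with the search domain appended, which is why the failure looked local even though every nameserver tried was answering correctly.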

Re: Nonexistant domains resolve to my local domain

Wesley MOUEDINE ASSABY
In reply to this post by Stuart Henderson
On 10.04.2014 13:41, Stuart Henderson wrote:
> Try "ASR_DEBUG=1 ping somehost" and post the result..

Very useful, where can we find information about these kinds of
variables like LD_DEBUG, ASR_DEBUG or others?

Thank you very much

Re: Nonexistant domains resolve to my local domain

Stuart Henderson
On 2014/04/10 17:32, Wesley wrote:
> On 10.04.2014 13:41, Stuart Henderson wrote:
> >Try "ASR_DEBUG=1 ping somehost" and post the result..
>
> Very useful, where can we find information about these kinds of
> variables like LD_DEBUG, ASR_DEBUG or others?
>
> Thank you very much
>
>

LD_DEBUG is mentioned in ld.so(1), some of the resolver environment
variables are mentioned in resolv.conf(5), HOSTALIASES is mentioned in
hostname(7), but there's no manpage that talks about ASR_DEBUG or
ASR_CONFIG, you would need to read the source code to find those.

Re: Nonexistant domains resolve to my local domain

Giancarlo Razzolini-3
In reply to this post by Hugo Osvaldo Barrera-2
On 10-04-2014 01:51, Hugo Osvaldo Barrera wrote:

>
>
> As I mentioned before, I tried different nameservers including my ISPs
> and Google's Public DNS (so a "misconfigured dns server" is extremely
> unlikely).
>
> I didn't mention any transparent proxies because there aren't any
> either. Connection is straight to the public internet.
>
> /etc/hosts:
> ::1            localhost
> 127.0.0.1      localhost
> 174.136.104.18 elysion.barrera.io
>
> /etc/resolv.conf:
> nameserver 208.79.88.7
> nameserver 208.79.88.9
>
> /etc/resolv.conf (another version):
> nameserver 8.8.8.8
>
>
Try running the www.dnsleaktest.com on that machine, if you can, to be
sure that your ISP isn't transparently intercepting your dns requests.
If they are, then that is most likely the culprit. They generally
redirect the non existent domains to some page of theirs where they will
show lots of ads.

--
Giancarlo Razzolini
GPG: 4096R/77B981BC

Re: Nonexistant domains resolve to my local domain

Stuart Henderson
In reply to this post by Hugo Osvaldo Barrera-2
On 2014-04-10, Hugo Osvaldo Barrera <[hidden email]> wrote:
> I've a wildcard CNAME set up (which responds for any non-existent
> subdomain):
>
>   *.barrera.io IN CNAME elysion.barrera.io.

ah. when people say not to use wildcard DNS records because they cause
hard to debug problems, this is exactly what they're talking about ;)