This is a discussion on Re: dig with and without +norec within the Bind Users forums, part of the DNS and Related Forums category.
Ladislav Vobr wrote:
>> Ladislav> ... referral answer snipped ....
>>
>>There will probably be a firewall or router in front of 192.168.8.91
>>that's blocking recursive DNS queries. This would not be unreasonable
>>if the administrator of 192.168.8.91 didn't want that server to handle
>>recursive DNS queries.
>
>
> jim, that administrator is me :-), there is a pix firewall, but I don't
> have problem answering other recursive queries, and I don't have local
> network problems.

Jim might be right for the wrong reason.

From here I get ID mismatch querying any of the af.mil servers, which I would expect a good firewall to toss out and possibly log, since it suggests a spoofing attack. In the absence of a good firewall BIND 9 happily worries about them instead.

Broken DNS servers(?) - now whether they are deliberately broken is the question, but my guess is some misguided load balancing or routing hack - of course someone could be trying to spoof af.mil but I think that the least likely explanation, as spoofers would do a better job.

Since I'm using a UK ISP connection - doesn't look like a conspiracy against the middle east - unless the Whitehouse are very upset with Claire Short ;)

$ dig @198.220.211.145 af.mil ns
;; reply from unexpected source: 127.0.0.1#53, expected 198.220.211.145#53
;; Warning: ID mismatch: expected ID 35420, got 12807
;; reply from unexpected source: 127.0.0.1#53, expected 198.220.211.145#53
;; Warning: ID mismatch: expected ID 35420, got 12807

Traceroutes don't shed any light on the routing, but in good traditional Internet style my queries to EUR1.NIPR.MIL route via New York, maybe I'm reading too much into the "EUR".
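An added illustration, not part of the original post and not code from BIND or dig: a Python sketch of the two checks behind the dig warnings above (reply source must equal the server queried, reply ID must equal the query ID), extended with QR-bit and question-echo checks. The function names and the sample packets are constructed for this example; only the addresses and IDs are taken from the dig output.

```python
import struct

def build_query(txid, name, qtype=2):
    """Build a minimal DNS query with RD clear (like dig +norec); qtype 2 = NS."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def question_of(msg):
    """Return (lower-cased QNAME, QTYPE+QCLASS bytes) from a message."""
    i = 12
    while msg[i] != 0:
        if msg[i] & 0xC0:
            raise ValueError("compressed name in question")
        i += 1 + msg[i]
    return msg[12:i + 1].lower(), msg[i + 1:i + 5]

def check_reply(query, sent_to, reply, came_from):
    """Return the reasons to discard a reply; an empty list means accept."""
    problems = []
    if came_from != sent_to:
        problems.append("unexpected source")
    if len(reply) < 12:
        return problems + ["truncated header"]
    q_id, = struct.unpack("!H", query[:2])
    r_id, r_flags, r_qd = struct.unpack("!HHH", reply[:6])
    if r_id != q_id:
        problems.append("ID mismatch")
    if not r_flags & 0x8000:
        problems.append("QR bit clear")
    try:
        if r_qd != 1 or question_of(reply) != question_of(query):
            problems.append("question mismatch")
    except (IndexError, ValueError):
        problems.append("malformed question")
    return problems

def as_reply(txid, name):
    """Constructed test reply: a query image with the QR bit set."""
    msg = bytearray(build_query(txid, name))
    msg[2] |= 0x80
    return bytes(msg)

# Constructed samples mirroring the dig warnings (not a real capture).
SERVER = ("198.220.211.145", 53)
QUERY = build_query(35420, "af.mil")
BAD = check_reply(QUERY, SERVER, as_reply(12807, "af.mil"), ("127.0.0.1", 53))
GOOD = check_reply(QUERY, SERVER, as_reply(35420, "AF.MIL"), SERVER)
```

A resolver or stateful firewall applying these checks drops the reply silently or logs it; a burst of ID mismatches for one outstanding query is the pattern worth alerting on.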