SUMMARY (so far, revised): DNS traffic out of domain for local mail

From: Claude Marinier (MARINIER@emp.ewd.dreo.dnd.ca)
Date: Sun Jan 30 1994 - 19:12:41 CST


Hi again,

(I may have sent an empty message a minute ago. Apologies.)

This is an update. The problem can be summarized as follows: When
someone sends mail within our domain, there is DNS traffic from our DNS
server to DNS servers outside our domain. This makes us dependent on the
domain above us. It has been a thorn in the boss' side for about a year
now. I have been tasked with solving this problem. I have done much
testing and have boiled the problem down to the following.

I used telnet from cps-adm.cps.dreo.dnd.ca to c-ps-sun.cps.dreo.dnd.ca
to connect to port 25. I was at the same time using snoop (running on
valet.dreo.dnd.ca) to record traffic to and from c-ps-sun. There were two
bursts of traffic: one when I did the telnet and one when I entered the
"mail from: marinier@cps-adm.cps.dreo.dnd.ca". I have so far ignored the
first burst, but may have to re-consider that. A similar telnet without
the port number does not produce any DNS traffic.

c-ps-sun should have resolved that address from its own databases (or
from the cache if local stuff ends up there). It did resolve the address
but first it went out to two DNS servers. As can be seen from the snoop
output, the address has been mangled. At least it looks like that. The
first question is: Am I interpreting the snoop output correctly when I
say that it was a query on cps-adm.cps.dreo.dnd.ca.dreo.dnd.ca?

Even stranger still, the two DNS servers which c-ps-sun is interrogating
are designated servers for the domain dnd.ca (not dreo.dnd.ca).

[Note that I have removed some lines from the snoop output and manually
wrapped others.]

First burst (coinciding with telnet c-ps-sun.cps.dreo.dnd.ca 25):

DLC: ----- DLC Header -----
DLC:
DLC: Frame 1 arrived at 12:11:10.32 ; frame size is 95 (005F hex) bytes.
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Source address = [131.136.35.2], c-ps-sun.cps.dreo.dnd.ca
IP: Destination address = [192.12.98.13], netfs.dnd.ca
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
UDP: Length = 61
UDP: No checksum
UDP:
DNS: ----- DNS: -----
DNS:
DNS: "\17\361\0\0\0\1\0\0\0\0\0\0\7cps-adm\3cps\4dreo\3dnd\2ca
       \4dreo\3dnd\2ca\0\0\1\0\1"
DNS:
DNS: [Normal end of "DNS: ".]
DNS:
DNS:

DLC: ----- DLC Header -----
DLC:
DLC: Frame 2 arrived at 12:11:10.32 ; frame size is 164 (00A4 hex) bytes.
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Source address = [192.12.98.13], netfs.dnd.ca
IP: Destination address = [131.136.35.2], c-ps-sun.cps.dreo.dnd.ca
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
UDP: Length = 130
UDP: No checksum
UDP:
DNS: ----- DNS: -----
DNS:
DNS: "\17\361\204\203\0\1\0\0\0\1\0\0\7cps-adm\3cps\4dreo\3dnd\2ca
       \4dreo\3dnd\2ca\0\0\1\0\1\4dreo\3D"
DNS:
DNS: [Normal end of "DNS: ".]
DNS:
DNS:

DLC: ----- DLC Header -----
DLC:
DLC: Frame 3 arrived at 12:11:10.34 ; frame size is 90 (005A hex) bytes.
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Source address = [131.136.35.2], c-ps-sun.cps.dreo.dnd.ca
IP: Destination address = [192.12.98.2], ncs.dnd.ca
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
UDP: Length = 56
UDP: No checksum
UDP:
DNS: ----- DNS: -----
DNS:
DNS: ""
DNS:
DNS: [Normal end of "DNS: ".]
DNS:
DNS:

DLC: ----- DLC Header -----
DLC:
DLC: Frame 4 arrived at 12:11:10.34 ; frame size is 156 (009C hex) bytes.
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Source address = [192.12.98.2], ncs.dnd.ca
IP: Destination address = [131.136.35.2], c-ps-sun.cps.dreo.dnd.ca
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
UDP: Length = 122
UDP: No checksum
UDP:
DNS: ----- DNS: -----
DNS:
DNS: ""
DNS:
DNS: [Normal end of "DNS: ".]
DNS:

Second burst (coinciding with mail from: marinier@cps-adm.cps.dreo.dnd.ca):

DLC: ----- DLC Header -----
DLC:
DLC: Frame 1 arrived at 12:12:55.57 ; frame size is 79 (004F hex) bytes.
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Source address = [131.136.35.2], c-ps-sun.cps.dreo.dnd.ca
IP: Destination address = [192.12.98.13], netfs.dnd.ca
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
UDP: Length = 45
UDP: No checksum
UDP:
DNS: ----- DNS: -----
DNS:
DNS: ""
DNS:
DNS: [Normal end of "DNS: ".]
DNS:
DNS:

DLC: ----- DLC Header -----
DLC:
DLC: Frame 2 arrived at 12:12:55.57 ; frame size is 148 (0094 hex) bytes.
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Source address = [192.12.98.13], netfs.dnd.ca
IP: Destination address = [131.136.35.2], c-ps-sun.cps.dreo.dnd.ca
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
UDP: Length = 114
UDP: No checksum
UDP:
DNS: ----- DNS: -----
DNS:
DNS: ""
DNS:
DNS: [Normal end of "DNS: ".]
DNS:
DNS:

DLC: ----- DLC Header -----
DLC:
DLC: Frame 3 arrived at 12:12:55.59 ; frame size is 74 (004A hex) bytes.
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Source address = [131.136.35.2], c-ps-sun.cps.dreo.dnd.ca
IP: Destination address = [192.12.98.2], ncs.dnd.ca
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
UDP: Length = 40
UDP: No checksum
UDP:
DNS: ----- DNS: -----
DNS:
DNS: ""
DNS:
DNS: [Normal end of "DNS: ".]
DNS:
DNS:

DLC: ----- DLC Header -----
DLC:
DLC: Frame 4 arrived at 12:12:55.59 ; frame size is 140 (008C hex) bytes.
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Source address = [192.12.98.2], ncs.dnd.ca
IP: Destination address = [131.136.35.2], c-ps-sun.cps.dreo.dnd.ca
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
UDP: Length = 106
UDP: No checksum
UDP:
DNS: ----- DNS: -----
DNS:
DNS: ""
DNS:
DNS: [Normal end of "DNS: ".]
DNS:

---------------
Claude Marinier
claude.marinier@dreo.dnd.ca
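
Added example, not part of the original message: a Python decoder for the two DNS payloads shown in the first burst, reading snoop's octal-escaped string as RFC 1035 wire format. The function names and the doubled-suffix check are illustrative assumptions; the payload strings are copied from frames 1 and 2 with the wrapped lines rejoined.

```python
import re
import struct

# Payloads copied from the first burst above (frames 1 and 2), wrapped lines rejoined.
QUERY = (r"\17\361\0\0\0\1\0\0\0\0\0\0\7cps-adm\3cps\4dreo\3dnd\2ca"
         r"\4dreo\3dnd\2ca\0\0\1\0\1")
REPLY = (r"\17\361\204\203\0\1\0\0\0\1\0\0\7cps-adm\3cps\4dreo\3dnd\2ca"
         r"\4dreo\3dnd\2ca\0\0\1\0\1\4dreo\3D")  # tail is cut off in the listing


def snoop_unescape(text):
    """Turn snoop's printable form (octal escapes plus literal chars) into bytes."""
    out = bytearray()
    for m in re.finditer(r"\\([0-7]{1,3})|(.)", text, re.S):
        out.append(int(m.group(1), 8) if m.group(1) else ord(m.group(2)))
    return bytes(out)


def parse_question(msg):
    """Decode the 12-byte DNS header and the first question (RFC 1035)."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("question name runs past end of message")
        n = msg[pos]
        pos += 1
        if n == 0:                      # zero-length label ends the name
            break
        if n & 0xC0 or pos + n > len(msg):
            raise ValueError("compressed or truncated label")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!2H", msg[pos:pos + 4])
    return {"id": ident, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "counts": (qd, an, ns, ar),
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def doubled_suffix(qname, domain):
    """True when `domain` was appended to a name that already ended in it."""
    tail = "." + domain
    return qname.endswith(tail) and qname[:-len(tail)].endswith(tail)


if __name__ == "__main__":
    for label, raw in (("query", QUERY), ("reply", REPLY)):
        print(label, parse_question(snoop_unescape(raw)))
```

Both payloads decode to a single question for cps-adm.cps.dreo.dnd.ca.dreo.dnd.ca, type A, class IN, and the query is 53 bytes, matching the UDP length of 61 minus the 8-byte UDP header. The reply's flag bytes \204\203 (0x8483) are an authoritative response with RCODE 3 (name error).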


