I came across a weird one this morning while doing a check of our DNS name servers.
When I did a lookup for google.com against our authoritative name servers, they were returning NXDOMAIN – this is not what they should be returning (they should be returning SERVFAIL or REFUSED)! These servers are neither authorised for google.com nor resolvers!
All signs pointed to a misconfiguration, but no changes had taken place in months! And the last check for things like this returned clean.
The end result:
Someone had put a space in for the name of a SOA record!
I dived into MySQL and ran this:
select * from powerdns.records where name = ' '; (note the space between the quotes)
And found 1 record. Fixing that returned everything to normal again (returning SERVFAIL).
The before dig looked like this:
[root@usa ~]# dig A google.com @ns1.xxxxx.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.5 <<>> A google.com @ns1.xxxxx.com.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55583
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com. IN A

;; AUTHORITY SECTION:
. 3600 IN SOA ns1.XXXX.com.au. hostmaster.XXXX.com.au. 2013091305 28800 7200 604800 86400

;; Query time: 228 msec
;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
;; WHEN: Tue Sep 24 22:43:11 2013
;; MSG SIZE rcvd: 91

[root@usa ~]#

It should have looked like this:

[root@usa ~]# dig A google.com @ns1.xxxxx.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.5 <<>> A google.com @ns1.xxxxx.com.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44150
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com. IN A

;; Query time: 232 msec
;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
;; WHEN: Tue Sep 24 22:46:40 2013
;; MSG SIZE rcvd: 28

[root@usa ~]#

Hopefully this will help someone along the way!
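One way to automate the check described above, as an added example that is not part of the original post: it builds the same out-of-zone query with the Python standard library and flags any reply that carries the aa flag. The function names and the two sample headers are constructed for illustration; the header values mirror the two dig outputs above.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234, qtype=1):
    """Encode a one-question DNS query (RD set, as dig does by default)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(response):
    """Return the fields of the 12-byte DNS header that matter for this check."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "authority": ns}

def check_out_of_zone(response):
    """Classify the reply to a query for a name the server does NOT host."""
    h = parse_header(response)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["aa"]:
        # An authoritative answer for a foreign name means some zone on the
        # server covers it (on this page: a SOA that ended up at the root ".").
        return "BAD: authoritative %s for out-of-zone name" % h["rcode"]
    if h["rcode"] in ("SERVFAIL", "REFUSED"):
        return "OK: %s" % h["rcode"]
    return "CHECK: unexpected %s without aa" % h["rcode"]

def query(server, name, timeout=3.0):
    """Send the query over UDP and return the raw reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

# Constructed sample headers (not captured packets) mirroring the dig outputs:
# before = qr aa rd, NXDOMAIN, AUTHORITY 1; after = qr rd, SERVFAIL.
BEFORE = struct.pack("!HHHHHH", 55583, 0x8503, 1, 0, 1, 0)
AFTER = struct.pack("!HHHHHH", 44150, 0x8102, 1, 0, 0, 0)

if __name__ == "__main__":
    print(check_out_of_zone(BEFORE))
    print(check_out_of_zone(AFTER))
```

For a live check, pass the result of `query(server_ip, "google.com")` to `check_out_of_zone` for each authoritative server.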