Wrong DNS answer with CNAME and A Record at the same time

cachedomain-name-systemspoofing

We had a customer which has set a CNAME Record for his domain. Somehow he managed it to set an A Record too, which should be not possible and is forbidden by DNS. But the result was:

$ dig @ns1.your-server.de tippspiel-bl1.unternehmen-frische.de 
...
;; ANSWER SECTION:
tippspiel-bl1.unternehmen-frische.de. 7200 IN CNAME www.kicktipp.de.
tippspiel-bl1.unternehmen-frische.de. 7200 IN A 78.46.10.156

The second record is illegal. But this led to some confusion of other caching DNS Server which returned 78.46.10.156 when they were asked about www.kicktipp.de. But this is completely wrong.

The other DNS server used both answers and were mixing them. End result: Users visiting www.kicktipp.de were send to 78.46.10.156 which is the IP of unternehmen-frische.de

It seems that I can hijack a domain when setting DNS for a domain with a CNAME and an A Record. Is this a known bug? How can I protect my domain against it?

Best Answer

To specifically address your question(s):

No, this is not a frequently experienced issue. That said, poisoning does happen, but it generally relies on spoofed replies and not an A record living alongside a CNAME. DNSSEC was designed with the poisoning attacks in mind.
If DNSSEC were implemented here, it would be clear to validating resolvers that the A record was not signed by you. There's nothing else that you could do within your own zone that would have had an influence on this problem.

Since you lack additional information, you will have to take the matter up with your ISP. The most applicable standard defining RFC to quote from is RFC2181 as it less ambiguous than RFC1034 on the subject of CNAMEs coexisting with other data. (RFC1034 frowns on it, RFC2181 forbids it unless the records are DNSSEC related)

All of this said, I'm somewhat skeptical of the problem being exactly as you described. It would be a screwy bug indeed for tippspiel-bl1.unternehmen-frische.de. IN A to cause a collision on www.kicktipp.de. IN A.

Related Solutions

DNS – How to Test Glue Record

Glue records only ever exist in the parent zone of a domain name.

Hence in the case of your example.org domain name, first find the .org name servers:

% dig +short org. NS
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.

Then, for as many of these as you feel like testing, explicitly ask those name servers for the NS records for your domain:

% dig +norec @a0.org.afilias-nst.info. example.org. NS

You should get back the correct list of NS records in the "AUTHORITY SECTION". For any name servers that have correctly configured glue you should see those glue A (and/or AAAA) records appear in the "ADDITONAL SECTION".

DNS Subdomain Delegation Issue – Troubleshooting Guide

I'd first make sure you're getting ns1/2.provider-dns.com back as an answer to this query:

dig subdomain.example.com ns

You might also want to check that the zone is loaded on the nameservers to which you've delegated. Check that you get a correct serial number back:

dig @ns1.provider-dns.com subdomain.example.com soa

If that isn't working, check with whomever is running ns1/2.provider-dns.com to make sure your zone is being loaded.

Best Answer

Related Solutions

DNS – How to Test Glue Record

DNS Subdomain Delegation Issue – Troubleshooting Guide

Related Topic