Web Development and stuff…

Archive for the ‘DNS’ tag

Making permanent changes to resolv.conf under Ubuntu.


At work we have a local dev box. This box is running Ubuntu 8.04 and some tools we need for developing. Nothing special. This box gets its IP address from the DHCP server that runs on the router. And this caused some problems because we are running a local DNS server for the dev box. Mainly to use internal domains for testing.

To make this work we changed the resolv.conf to use the new local DNS server. This would work fine, were it not for Ubuntu changing the file back to its original settings on every DHCP request. So every 900 sec the file gets overwritten. To solve this the first time I simply made the file read only. This however caused some problems with the DHCP client requesting an IP address over and over again. This caused the load on the dev box to rise…

Further inspection showed that it’s the dhclient-script that overwrites the resolv.conf file. I tried commenting out parts of the dhclient-script. But this just created more problems. So I did a search on the Ubuntu package list. And found a promising program called resolvconf. This program takes over from resolv.conf. And with this program installed it’s possible to make permanent changes without creating any problems.

After installing the package and doing a search for resolvconf, I found a directory in /etc which had a resolv.conf inside. This seemed to be the template used for overwriting the original resolv.conf. After changing this file all problems were resolved.

/etc/resolvconf/run/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
search example.com
domain example.com
nameserver xxx.xxx.x.xx

*Update

After googling some more, I think I found a better way to solve this problem. And probably the only way to solve this. No need to install any extra software. Just edit the dhclient config file.

Change the following lines in /etc/dhcp3/dhclient.conf:

supersede domain-name "example.com";
prepend domain-name-servers xxx.xxx.xxx.1, xxx.xxx.xxx.2;
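A way to check that the pinned resolver settings survive a DHCP renewal, as an added example that is not part of the original post: it parses resolv.conf content and reports when the pinned servers are not first or when other servers sit among the three entries glibc uses. All addresses and file contents below are constructed samples.

```python
MAXNS = 3  # glibc's resolver reads only the first three nameserver lines

def parse_resolv_conf(text):
    """Return (nameservers, search_list) from resolv.conf content."""
    nameservers, search = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] in ("search", "domain"):
            search = fields[1:]  # mutually exclusive keywords, last one wins
    return nameservers, search

def audit(text, pinned, domain):
    """List the ways this resolv.conf departs from the pinned DNS setup."""
    nameservers, search = parse_resolv_conf(text)
    active = nameservers[:MAXNS]
    findings = []
    if active[:len(pinned)] != list(pinned):
        findings.append("pinned servers are not first: %s" % active)
    extra = [ns for ns in active if ns not in pinned]
    if extra:
        findings.append("other servers in use as fallback: %s" % extra)
    if search[:1] != [domain]:
        findings.append("search list is %s, expected %s first" % (search, domain))
    return findings

# Constructed samples: what the DHCP client wrote, and the file after the fix.
PINNED = ["10.0.0.1", "10.0.0.2"]
OVERWRITTEN = "search lan\nnameserver 192.168.1.1\n"
PREPENDED = ("# generated\nsearch example.com\nnameserver 10.0.0.1\n"
             "nameserver 10.0.0.2\nnameserver 192.168.1.1\n")

if __name__ == "__main__":
    for label, text in (("overwritten", OVERWRITTEN), ("prepended", PREPENDED)):
        print(label, audit(text, PINNED, "example.com"))
```

With prepend, the server handed out by DHCP stays in the list as a fallback, so lookups for internal test names can still reach it when the local server times out; the audit reports that case as a finding.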


Written by Thijs Lensselink

November 27th, 2008 at 6:51 am

Posted in Tech


Hijacked name server or not?


Yesterday was a weird day. Nothing seemed to go as it should have. My coworker Marius noticed that one of my domains was not responding anymore. We tried to ping it. But forgot that our admins block outbound ICMP packets. At least we could see the domain resolved to the correct IP address.

So we did a lookup on the domain. No weird things here. Then we decided to ping the name servers to see if they were responding. They were. But there was something strange. The domain in question runs on two name servers, namely ns1.cker.sc and ns2.cker.sc. ns1 was responding correctly. ns2 however was responding with a totally different and unknown IP address. This is weird. The normal settings would be:

ns1.cker.sc ( 208.69.125.116 )
ns2.cker.sc ( 208.69.125.117 )

ns2 however responded with 208.69.34.132. The whois database at ripe.net told us it was in the IANA pool of addresses. But we couldn’t find a whois tool there. So I opened up a browser to go directly to this IP address. This showed a temporary OpenDNS page. Off to domaintools.com to do a reverse lookup on this IP.

This revealed one domain matching this IP address. Some weird long domain name. At first I was thinking somebody hijacked my DNS server or maybe some DNS cache poisoning. But after looking closely I noticed the domain was actually readable. The domain returned was: Caffefiaschetteriaitaliana.com. A Google search returned some Italian cafe with almost the same domain: fiaschetteriaitaliana.it.

So we decided to do a whois query on the .com domain. This revealed some email addresses with similar domains. And technical contacts from aruba.it. By now we had the feeling somebody made a configuration error. So I decided to send an email to all the addresses matching this domain including OpenDNS. And after about an hour the nameserver was responding correctly again. So they either corrected a mistake or it was just a temporary fluke. I never got a reply from any of the addresses I wrote to.

Although I’m happy the nameservers are responding properly again, I’m still stuck with the question: what the hell happened here? The most logical scenario for me is still a configuration error.

UPDATE: 12-08-2008

After some digging, I found out that the IP address “208.69.34.132” actually belongs to opendns.com. When a non-existing sub-/domain is queried, this IP is returned. It’s just a way to make money from ads. The network I was connected to at that moment uses an opendns.com DNS cache server. That explains that part.
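The distinction reached in the update can be tested directly, shown here as an added example that is not part of the original post: look up random names that cannot exist, and if the resolver still answers, any unexpected address that matches those answers is the resolver's substitution and not a changed record. The function names and the simulated resolver are constructed for illustration; the addresses are the ones quoted in the post.

```python
import secrets
import socket

def system_resolve(name):
    """Resolve via the host's configured resolver; None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def nxdomain_rewrite_ips(resolve, zone, probes=3):
    """Addresses the resolver returns for names that cannot exist."""
    substituted = set()
    for _ in range(probes):
        label = secrets.token_hex(12)
        # .invalid is reserved and never resolves on an honest resolver.
        # Caveat: a wildcard record in the zone also answers the first probe.
        for name in (f"{label}.{zone}", f"{label}.invalid"):
            ip = resolve(name)
            if ip is not None:
                substituted.add(ip)
    return substituted

def classify(resolve, name, expected_ip):
    """Compare the observed answer for name against the address it should have."""
    observed = resolve(name)
    if observed == expected_ip:
        return "ok"
    if observed is None:
        return "no-answer"
    zone = name.split(".", 1)[1]
    if observed in nxdomain_rewrite_ips(resolve, zone):
        return "resolver-substitution"  # lookup failed, resolver filled in its own IP
    return "unexpected-answer"          # a real, different record: investigate

def rewriting_resolver(name):
    """Constructed stand-in for a cache that answers every unknown name."""
    known = {"ns1.cker.sc": "208.69.125.116"}
    return known.get(name, "208.69.34.132")

if __name__ == "__main__":
    print(classify(rewriting_resolver, "ns1.cker.sc", "208.69.125.116"))
    print(classify(rewriting_resolver, "ns2.cker.sc", "208.69.125.117"))
```

Passing system_resolve in place of rewriting_resolver runs the same check against the resolver the machine is actually configured to use.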


Written by Thijs Lensselink

July 22nd, 2008 at 7:44 am

Posted in Tech
