-
Weird Ping
I just pinged an .org address, and look at what I got:
====
[blinky@thurston ~]$ ping erwm.org
PING erwm.org.blinkynet.net (209.86.66.94) 56(84) bytes of data.
--- erwm.org.blinkynet.net ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 11996ms
====
Why the heck would ping append *my* domain to the one I requested?
I immediately pinged another domain and that worked as usual.
Note that erwm.org was not found, but I don't recall failures behaving
that way before.
I just retried the .org ping to see if this was consistent and got the
same result. Was I just sleeping through this kind of response in the
past?
Mandriva 2006 Linux; kernel 2.6.12
--
Blinky RLU 297263
Killing all posts from Google Groups
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html
-
Re: Weird Ping
On 3 Jul 2007 06:20:58 GMT, Blinky the Shark wrote:
> I just pinged an .org address, and look at what I got:
>
> ====
>
> [blinky@thurston ~]$ ping erwm.org
> PING erwm.org.blinkynet.net (209.86.66.94) 56(84) bytes of data.
>
> --- erwm.org.blinkynet.net ping statistics ---
> 13 packets transmitted, 0 received, 100% packet loss, time 11996ms
>
> ====
>
> Why the heck would ping append *my* domain to the one I requested?
something is really dinked up somewhere.
$ host 209.86.66.94
94.66.86.209.in-addr.arpa domain name pointer elydm.05.am.barefruit.com.
$ whois 209.86.66.94
OrgName: EarthLink, Inc.
OrgID: ERMS
Address: 1375 PEACHTREE ST, LEVEL A
City: ATLANTA
StateProv: GA
PostalCode: 30309
Country: US
NetRange: 209.86.0.0 - 209.86.255.255
CIDR: 209.86.0.0/16
NetName: EARTHLINK2000-E
-
Re: Weird Ping
Bit Twister wrote:
> On 3 Jul 2007 06:20:58 GMT, Blinky the Shark wrote:
>> I just pinged an .org address, and look at what I got:
>>
>> ====
>>
>> [blinky@thurston ~]$ ping erwm.org
>> PING erwm.org.blinkynet.net (209.86.66.94) 56(84) bytes of data.
>>
>> --- erwm.org.blinkynet.net ping statistics ---
>> 13 packets transmitted, 0 received, 100% packet loss, time 11996ms
>>
>> ====
>>
>> Why the heck would ping append *my* domain to the one I requested?
>
> something is really dinked up somewhere.
That's what I was thinking. :)
> $ host 209.86.66.94
> 94.66.86.209.in-addr.arpa domain name pointer elydm.05.am.barefruit.com.
>
> $ whois 209.86.66.94
>
> OrgName: EarthLink, Inc.
> OrgID: ERMS
> Address: 1375 PEACHTREE ST, LEVEL A
> City: ATLANTA
> StateProv: GA
> PostalCode: 30309
> Country: US
>
> NetRange: 209.86.0.0 - 209.86.255.255
> CIDR: 209.86.0.0/16
> NetName: EARTHLINK2000-E
FWIW, I'm using Earthlink.
--
Blinky RLU 297263
Killing all posts from Google Groups
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html
-
Re: Weird Ping
Bit Twister wrote:
> something is really dinked up somewhere.
>
> $ host 209.86.66.94
> 94.66.86.209.in-addr.arpa domain name pointer elydm.05.am.barefruit.com.
>
> $ whois 209.86.66.94
>
> OrgName: EarthLink, Inc.
> OrgID: ERMS
> Address: 1375 PEACHTREE ST, LEVEL A
> City: ATLANTA
> StateProv: GA
> PostalCode: 30309
> Country: US
>
> NetRange: 209.86.0.0 - 209.86.255.255
> CIDR: 209.86.0.0/16
> NetName: EARTHLINK2000-E
=============================================
I tried the above as well :
[frank@localhost ~]$ host 209.86.66.94
94.66.86.209.in-addr.arpa domain name pointer elydm.05.am.barefruit.com.
[frank@localhost ~]$ whois 209.86.66.94
bash: whois: command not found
[frank@localhost ~]$
Also there is no man whois
How to invoke whois ?
TIA
Frank
-
Re: Weird Ping
Highland Ham wrote:
> Bit Twister wrote:
>
>> something is really dinked up somewhere.
>>
>> $ host 209.86.66.94
>> 94.66.86.209.in-addr.arpa domain name pointer elydm.05.am.barefruit.com.
>>
>> $ whois 209.86.66.94
>>
>> OrgName: EarthLink, Inc.
>> OrgID: ERMS
>> Address: 1375 PEACHTREE ST, LEVEL A
>> City: ATLANTA
>> StateProv: GA
>> PostalCode: 30309
>> Country: US
>>
>> NetRange: 209.86.0.0 - 209.86.255.255
>> CIDR: 209.86.0.0/16
>> NetName: EARTHLINK2000-E
> =============================================
> I tried the above as well :
> [frank@localhost ~]$ host 209.86.66.94
> 94.66.86.209.in-addr.arpa domain name pointer elydm.05.am.barefruit.com.
>
> [frank@localhost ~]$ whois 209.86.66.94
> bash: whois: command not found
> [frank@localhost ~]$
>
> Also there is no man whois
>
> How to invoke whois ?
>
> TIA
>
> Frank
===============================
Forgot to say that I am using MDV 2007.1
Frank
-
Re: Weird Ping
On Tue, 03 Jul 2007 14:26:59 +0100, Highland Ham wrote:
>
> [frank@localhost ~]$ whois 209.86.66.94
> bash: whois: command not found
> [frank@localhost ~]$
>
> Also there is no man whois
>
> How to invoke whois ?
Well, the answer to your _question_ is, a
$ type whois
whois is /usr/bin/whois
would suggest that if /usr/bin is in your path,
$ echo $PATH
then doing a
whois ip|name_here
would invoke whois.
Now, the answer to your /problem/ is, click up a terminal
su - root
urpmi --wget whois --auto
exit
whois 209.86.66.94
-
Re: Weird Ping
On 3 Jul 2007 08:17:39 GMT, Blinky the Shark wrote:
> FWIW, I'm using Earthlink.
Ok, now you can start digging servers to see who is lying to you. Example:
dig yahoo.com @ip.addy
    ^          ^
    |          |
    |          `---------- dns server ip to dig with
    `---- name or ip to have server look up.
-
Re: Weird Ping
Bit Twister wrote:
> On 3 Jul 2007 08:17:39 GMT, Blinky the Shark wrote:
>
>> FWIW, I'm using Earthlink.
>
> Ok, now you can start digging servers to see who is lying to you. Example:
>
> dig yahoo.com @ip.addy
>     ^          ^
>     |          |
>     |          `---------- dns server ip to dig with
>     `---- name or ip to have server look up.
How do I determine what dns server to specify?
FWIW, without that parameter, I got:
[root@thurston blinky]# dig erwm.com
; <<>> DiG 9.3.1 <<>> erwm.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21508
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;erwm.com. IN A
;; ANSWER SECTION:
erwm.com. 43200 IN A 66.226.64.7
;; AUTHORITY SECTION:
erwm.com. 43200 IN NS ns1.abac.com.
erwm.com. 43200 IN NS ns2.abac.com.
;; ADDITIONAL SECTION:
ns1.abac.com. 1666 IN A 216.55.128.4
;; Query time: 210 msec
;; SERVER: 207.69.188.187#53(207.69.188.187)
;; WHEN: Tue Jul 3 11:53:10 2007
;; MSG SIZE rcvd: 99
--
Blinky RLU 297263
Killing all posts from Google Groups
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html
-
Re: Weird Ping
On 3 Jul 2007 18:56:17 GMT, Blinky the Shark wrote:
> Bit Twister wrote:
>> Ok, now you can start digging servers to see who is lying to you. Example:
>>
>> dig yahoo.com @ip.addy
>>     ^          ^
>>     |          |
>>     |          `---------- dns server ip to dig with
>>     `---- name or ip to have server look up.
>
> How do I determine what dns server to specify?
Each server has its dns server list. When the resolver can not find
the item, it hands off the request to the next DNS.
You have dns ip addresses in your /etc/resolv.conf.
You might have them in your router/firewall.
Your ISP has local dns servers they tell customers to use.
Your ISP has global dns servers anyone can use to find the ISP
machines/customers.
Then dns resolutions go up the chain until it comes back down to the
service provider who really knows the target ip/FQDN. It returns the
requested information back to you.
>
> FWIW, without that parameter, I got:
>
> [root@thurston blinky]# dig erwm.com
>
> ;; Query time: 210 msec
> ;; SERVER: 207.69.188.187 <==== who responded with the answer
-
Re: Weird Ping
Bit Twister wrote:
> On Tue, 03 Jul 2007 14:26:59 +0100, Highland Ham wrote:
>> [frank@localhost ~]$ whois 209.86.66.94
>> bash: whois: command not found
>> [frank@localhost ~]$
>>
>> Also there is no man whois
>>
>> How to invoke whois ?
>
> Well, the answer to your _question_ is, a
> $ type whois
> whois is /usr/bin/whois
>
> would suggest that if /usr/bin is in your path,
> $ echo $PATH
>
> then doing a
> whois ip|name_here
> would invoke whois.
>
> Now, the answer to your /problem/ is, click up a terminal
> su - root
>
> urpmi --wget whois --auto
> exit
>
> whois 209.86.66.94
================================
Hi BT, tnx a bunch, all ok now ... I am a slow learner.
I often follow-up instructions re problems others have; the above topic
was one of those.
Frank
-
Re: Weird Ping
On Tue, 03 Jul 2007 20:49:50 +0100, Highland Ham wrote:
> I often follow-up instructions re problems others have
Me too. I would much rather gain troubleshooting/linux experience
troubleshooting problems on their machines rather than have to
find/fix those problems on my machine. 8-)
-
Re: Weird Ping
On 3 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
<slrnf8jql3.aph.no.spam@thurston.blinkynet.net>, Blinky the Shark wrote:
>I just pinged an .org address, and look at what I got:
>
>====
>
>[blinky@thurston ~]$ ping erwm.org
>PING erwm.org.blinkynet.net (209.86.66.94) 56(84) bytes of data.
>
>--- erwm.org.blinkynet.net ping statistics ---
>13 packets transmitted, 0 received, 100% packet loss, time 11996ms
>
>====
>
>Why the heck would ping append *my* domain to the one I requested?
Long story - short answer is you told it to. Man resolver, and look at
the "search" directive. (Also look at the "domain" directive, both of
which can cause some really strange results as you show here.) Then
fix your /etc/resolv.conf file as needed.
>I immediately pinged another domain and that worked as usual.
OK
>Note that erwm.org was not found, but I don't recall failures behaving
>that way before.
The domain exists (registered a couple days ago), but the name server that's
supposed to be authoritative isn't responding.
Ah, and that exposes another problem somewhere.
What happened is that your resolver tried to look up 'erwm.org', and got
a NXDOMAIN answer from the name server you asked. Your resolver then
followed your directions, and tried again asking about the original
name EXPANDED with the results of the 'search' or 'domain' name. Now
whoever is running the DNS for blinkynet.net may have a wild-card
in the zonefile (if the name doesn't match anything, return "this"
value) and somehow that answer came back as 209.86.66.94, which you
then pinged (use the -c option to cut down the number of pings), and
that host isn't responding to a ping.
So, 1) fix the /etc/resolv.conf file, and 2) ask whoever is running
the DNS server for 'blinkynet.net' WTF.
>Was I just sleeping through this kind of response in the past?
Hard to say - when did you change /etc/resolv.conf, and when did the
zone file get mucked with? I just tried 'erwm.org.blinkynet.net'
here, and the result is the proper NXDOMAIN, so maybe the wild card
has been fixed.
Old guy
-
Re: Weird Ping
Moe Trin wrote:
> On 3 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in
> article <slrnf8jql3.aph.no.spam@thurston.blinkynet.net>, Blinky
> the Shark wrote:
>
>>I just pinged an .org address, and look at what I got:
>>
>>====
>>
>>[blinky@thurston ~]$ ping erwm.org
>>PING erwm.org.blinkynet.net (209.86.66.94) 56(84) bytes of data.
>>
>>--- erwm.org.blinkynet.net ping statistics ---
>>13 packets transmitted, 0 received, 100% packet loss, time
>>11996ms
>>
>>====
>>
>>Why the heck would ping append *my* domain to the one I
>>requested?
>
> Long story - short answer is you told it to. Man resolver, and
> look at the "search" directive. (Also look at the "domain"
> directive, both of which can cause some really strange results
> as you show here.) Then fix your /etc/resolv.conf file as
> needed.
>
>>I immediately pinged another domain and that worked as usual.
>
> OK
>
>>Note that erwm.org was not found, but I don't recall failures
>>behaving that way before.
>
> The domain exists (registered a couple days ago), but the name
> server that's supposed to be authoritative isn't responding.
>
> Ah, and that exposes another problem somewhere.
>
> What happened is that your resolver tried to look up 'erwm.org',
> and got a NXDOMAIN answer from the name server you asked. Your
> resolver then followed your directions, and tried again asking
> about the original name EXPANDED with the results of the
> 'search' or 'domain' name. Now whoever is running the DNS for
> blinkynet.net may have a wild-card in the zonefile (if the name
> doesn't match anything, return "this" value) and somehow that
> answer came back as 209.86.66.94, which you then pinged (use the
*I* only pinged once. erwm.com
> -c option to cut down the number of pings), and that host isn't
> responding to a ping.
>
> So, 1) fix the /etc/resolv.conf file, and 2) ask whoever is
> running the DNS server for 'blinkynet.net' WTF.
By now, my head is just bleeding.
I think I'll just hope it doesn't happen again. :)
>>Was I just sleeping through this kind of response in the past?
>
> Hard to say - when did you change /etc/resolv.conf, and when did
> the zone file get mucked with? I just tried
> 'erwm.org.blinkynet.net' here, and the result is the proper
> NXDOMAIN, so maybe the wild card has been fixed.
I dunno. Maybe last year. When the OS was installed.
--
Blinky
Killfiling all posts from Google Groups
Details: http://blinkynet.net/comp/uip5.html
-
Re: Weird Ping
Moe Trin wrote:
> On 3 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
> <slrnf8jql3.aph.no.spam@thurston.blinkynet.net>, Blinky the Shark wrote:
>
>> I just pinged an .org address, and look at what I got:
>>
>> ====
>>
>> [blinky@thurston ~]$ ping erwm.org
>> PING erwm.org.blinkynet.net (209.86.66.94) 56(84) bytes of data.
>>
>> --- erwm.org.blinkynet.net ping statistics ---
>> 13 packets transmitted, 0 received, 100% packet loss, time 11996ms
>>
>> ====
>>
>> Why the heck would ping append *my* domain to the one I requested?
>
> Long story - short answer is you told it to. Man resolver, and look at
> the "search" directive. (Also look at the "domain" directive, both of
> which can cause some really strange results as you show here.) Then
> fix your /etc/resolv.conf file as needed.
>
>> I immediately pinged another domain and that worked as usual.
>
> OK
>
>> Note that erwm.org was not found, but I don't recall failures behaving
>> that way before.
>
> The domain exists (registered a couple days ago), but the name server that's
> supposed to be authoritative isn't responding.
>
> Ah, and that exposes another problem somewhere.
>
> What happened is that your resolver tried to look up 'erwm.org', and got
> a NXDOMAIN answer from the name server you asked. Your resolver then
> followed your directions, and tried again asking about the original
> name EXPANDED with the results of the 'search' or 'domain' name. Now
> whoever is running the DNS for blinkynet.net may have a wild-card
> in the zonefile (if the name doesn't match anything, return "this"
> value) and somehow that answer came back as 209.86.66.94, which you
> then pinged (use the -c option to cut down the number of pings), and
> that host isn't responding to a ping.
>
> So, 1) fix the /etc/resolv.conf file, and 2) ask whoever is running
> the DNS server for 'blinkynet.net' WTF.
>
>> Was I just sleeping through this kind of response in the past?
>
> Hard to say - when did you change /etc/resolv.conf, and when did the
> zone file get mucked with? I just tried 'erwm.org.blinkynet.net'
> here, and the result is the proper NXDOMAIN, so maybe the wild card
> has been fixed.
>
> Old guy
In addition to the above, I note you tried ping erwm.org
but later tried dig erwm.com. Different things entirely.
[jim@jb geneal]$ ping erwm.org
ping: unknown host erwm.org
[jim@jb geneal]$ ping erwm.com
PING erwm.com (66.226.64.7) 56(84) bytes of data.
64 bytes from pro6.abac.com (66.226.64.7): icmp_seq=1 ttl=50 time=76.9 ms
64 bytes from pro6.abac.com (66.226.64.7): icmp_seq=2 ttl=50 time=77.3 ms
--- erwm.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 76.980/77.185/77.390/0.205 ms
erwm.org is registered, but seems not to be in operation.
Domain ID:D148209117-LROR
Domain Name:ERWM.ORG
Created On:23-Jun-2007 01:49:58 UTC
Last Updated On:23-Jun-2007 01:53:23 UTC
Expiration Date:23-Jun-2008 01:49:58 UTC
Sponsoring Registrar:Go Daddy Software, Inc. (R91-LROR)
Cheers!
jim b.
--
UNIX is not user-unfriendly; it merely
expects users to be computer-friendly.
-
Re: Weird Ping
On 3 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
<Xns9962ACA908429bnooz@maryann.blinkynet.net>, Blinky the Shark wrote:
>Moe Trin wrote:
>> Blinky the Shark wrote:
>>>Why the heck would ping append *my* domain to the one I
>>>requested?
Actually, it wasn't ping - it was the resolver code in the kernel
>> Long story - short answer is you told it to. Man resolver, and
>> look at the "search" directive. (Also look at the "domain"
>> directive, both of which can cause some really strange results
>> as you show here.) Then fix your /etc/resolv.conf file as
>> needed.
This is also an example of the security problem that the two multicast
DNS (Microsoft got RFC4795 adopted as an INFORMATIONAL RFC, but an
incompatible competing version from Apple - included in some Linux
distributions as "Avahi") opens up for. You ask for the address of
your_bank.com while unable to reach a name server, Avahi then tries
a multicast DNS query for your_bank.com.the_domain_in_the_search.line
and some cracker's box responds with "that.is.my.address" and they
may now have your username and pass-code. Not a good deal.
>> What happened is that your resolver tried to look up 'erwm.org',
>> and got a NXDOMAIN answer from the name server you asked.
or more likely, no response at all
>> Your resolver then followed your directions, and tried again asking
>> about the original name EXPANDED with the results of the
>> 'search' or 'domain' name.
As I said - security problem.
>*I* only pinged once. erwm.com
You write 'erwm.com' here, but your original post showed erwm.org.
Two different domains. One is in New York (.com) and the other in
Texas (.org).
>> -c option to cut down the number of pings), and that host isn't
>> responding to a ping.
Minor sore point with me. If it doesn't answer three pings (-c 3), it
probably isn't going to answer in a hundred. Three is _usually_ enough
to establish that the connection works - anything more might be
considered abuse.
>> 2) ask whoever is running the DNS server for 'blinkynet.net' WTF.
>By now, my head is just bleeding.
Are you the owner of the DNS zonefiles, or is downtownhost.com the
responsible party? A "wildcard" entry in the zonefile itself would
be a star, or "*.blinkynet.net" pointing at a single address. I don't
see it mentioned in the DNS-HOWTO, but it's mentioned in the "Cricket
Book" ("DNS and BIND" from O'Reilly).
>I think I'll just hope it doesn't happen again. :)
Quick check - does a DNS query for "totally.unknown.host.blinkynet.net"
or "totally.bogus.hostname.blinkynet.net" return anything other than
"sorry, no cigar"? If it replies with an IP address, you have a
wildcard problem - if it doesn't, you're fine.
Old guy
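
The search-list expansion and the bogus-hostname wildcard check described in Moe Trin's two posts above, as an added example that is not part of the thread. It follows the resolv.conf(5) search/domain/ndots rules; the sample resolv.conf, the fake_lookup stand-in and all function names are constructed for illustration.

```python
import secrets
import socket

# Constructed sample modelled on the thread (not the poster's real file).
SAMPLE_RESOLV_CONF = """\
# constructed example
search blinkynet.net
nameserver 207.69.188.187
options ndots:1
"""

def parse_resolv_conf(text):
    """Return (search_list, ndots); the last search/domain line wins."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == "search":
            search = fields[1:]
        elif fields[0] == "domain":
            search = fields[1:2]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidate_names(name, search, ndots=1):
    """Fully qualified names the stub resolver tries, in order, for one lookup."""
    if name.endswith("."):
        return [name]  # trailing dot = absolute name, search list is skipped
    expanded = [f"{name}.{dom.rstrip('.')}." for dom in search]
    if name.count(".") >= ndots:
        return [name + "."] + expanded  # as typed first, then the search list
    return expanded + [name + "."]

def resolve_with_search(name, search, ndots, lookup):
    """Return (name_that_answered, address) for the first candidate that resolves."""
    for cand in candidate_names(name, search, ndots):
        addr = lookup(cand)
        if addr is not None:
            return cand, addr
    return None, None

def wildcard_domains(search, lookup, probes=2):
    """Search domains that return an address for random labels that cannot exist."""
    flagged = []
    for dom in search:
        names = [f"{secrets.token_hex(8)}.{dom.rstrip('.')}." for _ in range(probes)]
        if all(lookup(n) is not None for n in names):
            flagged.append(dom)
    return flagged

def fake_lookup(catch_all):
    """Constructed stand-in for DNS: maps a zone to the address its wildcard returns."""
    def lookup(fqdn):
        for zone, addr in catch_all.items():
            if fqdn.endswith(f".{zone}."):
                return addr
        return None  # plays the role of NXDOMAIN
    return lookup

def system_lookup(fqdn):
    """Live lookup through the system resolver; pass names with a trailing dot."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    lookup = fake_lookup({"blinkynet.net": "209.86.66.94"})
    print(candidate_names("erwm.org", search, ndots))
    print(resolve_with_search("erwm.org", search, ndots, lookup))
    print(wildcard_domains(search, lookup))
```

To run the wildcard check against a live system, pass system_lookup in place of the fake resolver.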
-
Re: Weird Ping
Moe Trin wrote:
> On 3 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in
> article <Xns9962ACA908429bnooz@maryann.blinkynet.net>, Blinky
> the Shark wrote:
>>I think I'll just hope it doesn't happen again. :)
> Quick check - does a DNS query for
> "totally.unknown.host.blinkynet.net" or
> "totally.bogus.hostname.blinkynet.net" return anything other
> that "sorry, no cigar"? If it replies with an IP address, you
> have a wildcard problem - if it doesn't, you're fine.
I'm on the road, and won't be using that system or OS for a few
days.
--
Blinky
Killfiling all posts from Google Groups
Details: http://blinkynet.net/comp/uip5.html
-
Re: Weird Ping
On 3 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
<slrnf8l6t9.nu3.no.spam@thurston.blinkynet.net>, Blinky the Shark wrote:
>How do I determine what dns server to specify?
If you don't specify a DNS server, these query tools (dig, dnsquery,
host, nslookup) use one of the name servers listed in /etc/resolv.conf.
However to find the "authoritative" name servers, there are several
ways. First is to use a whois query to get the information from the
appropriate registrar. In the case of 'erwm.com', the initial whois
query of Notwork Solutions points me to whois.names4ever.com, and
asking them yields (among other things):
Domain servers in listed order:
ns1.abac.com 216.55.128.4
ns2.abac.com
(looks like names4ever.com doesn't know the IP of the second server).
A problem here is that Notwork Solutions only knows about a few top
level domains. Finding others can be fun, as there is no standard to
the name schemes - whois.dns.be, whois.cat, whois.nic.ch, whois.nic.cz,
whois.denic.de, whois.dk-hostmaster.dk, whois.nic.fr... at least MOST
of them begin with "whois.something" but this is not true for everyone.
Another solution, which USUALLY works is to query using your nameserver
to find all (or at least the NS records) for the domain.
[compton ~]$ host -t NS erwm.com
erwm.com name server ns1.abac.com
erwm.com name server ns2.abac.com
[compton ~]$
I'm using 'host' but all of these tools have the identical function
(man page says 'dig' wants 'dig erwm.com ns' - sounds good to me).
>[root@thurston blinky]# dig erwm.com
>
>;; AUTHORITY SECTION:
>erwm.com. 43200 IN NS ns1.abac.com.
>erwm.com. 43200 IN NS ns2.abac.com.
>
>;; ADDITIONAL SECTION:
>ns1.abac.com. 1666 IN A 216.55.128.4
and there is the answer as well.
Old guy