Since many months I’m seeing the following issue with Avira‘s DNS setup, and I’m thinking it’s extremely embarassing for a company working in IT Security not to even get the basics right… 🙁

This is what I’m seeing:

named[2597]: DNS format error from 89.146.248.46#53 resolving dl4.pro.antivir.de/AAAA for client 127.0.0.1#52127: Name avira-update.net (SOA) not subdomain of zone antivir.de -- invalid response


So what does that mean?

Let’s have a look at which nameservers Avira are using anyway:

$ dig -t ns antivir.de

;; ANSWER SECTION:
antivir.de.        3600    IN    NS    ns13.avira-ns.net.
antivir.de.        3600    IN    NS    ns10.avira-ns.de.
antivir.de.        3600    IN    NS    ns9.avira-ns.net.
antivir.de.        3600    IN    NS    ns12.avira-ns.de.
antivir.de.        3600    IN    NS    ns14.avira-ns.de.

;; ADDITIONAL SECTION:
ns10.avira-ns.de.    86400    IN    A    80.190.154.111
ns12.avira-ns.de.    86400    IN    A    89.146.248.46
ns14.avira-ns.de.    86400    IN    A    74.208.254.45

Ok, so 89.146.248.46 in the error message quoted above is indeed one of the nameservers for domain antivir.de.

So let’s look up the IPv6 address record (AAAA) for dl4.pro.antivir.de on the given nameserver:
$ dig @89.146.248.46 -t AAAA dl4.pro.antivir.de

;; AUTHORITY SECTION:
avira-update.net. 3600 IN SOA ns1.avira-ns.net. domains.avira.com. 2015010301 10800 3600 2419200 3600


WTF?!

Why are they returning a domain name that is not a subdomain of the original domain?! That’s an error.

And it’s especially embarassing as this is the update URL for Avira’s AntiVir product. Again remember we’re talking about a security firm here!