Another server that doesn't like edns
Mark_Andrews at isc.org
Mon Jul 8 02:37:33 UTC 2002
> I figured I'd mention this here because last time this topic came
> up, Mark was able to use the data to improve bind 8's edns stuff. I saw
> lots of "refused query on non-query socket" errors from one IP after
> upgrading to bind 8.3.3 on my resolvers. I know from reading here that this is often
> a symptom of edns problems. The IP is 207.14.100.134, which it turns out
> is being used as the IP of two different name servers:
>
> dig @207.14.100.134 -x 207.14.100.134 ptr
>
> ; <<>> DiG 8.3 <<>> @207.14.100.134 -x ptr
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> ;; QUERY SECTION:
> ;; 134.100.14.207.in-addr.arpa, type = PTR, class = IN
>
> ;; ANSWER SECTION:
> 134.100.14.207.in-addr.arpa. 1D IN A 207.14.100.134
>
> ;; AUTHORITY SECTION:
> 134.100.14.207.in-addr.arpa. 1D IN NS NS1.INTERIMNAMESERVER.COM.
> 134.100.14.207.in-addr.arpa. 1D IN NS NS2.INTERIMNAMESERVER.COM.
>
> ;; ADDITIONAL SECTION:
> NS1.INTERIMNAMESERVER.COM. 1D IN A 207.14.100.134
> NS2.INTERIMNAMESERVER.COM. 1D IN A 207.14.100.134

You need to make dig use EDNS. Looks like it just sends the
query back to you.

dig @207.14.100.134 -x 207.14.100.134 ptr +dnssec

; <<>> DiG 8.3 <<>> @207.14.100.134 -x ptr +dnssec
; (1 server found)
;; res options: init recurs defnam dnsrch dnssec
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3339
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION:
;; 134.100.14.207.in-addr.arpa, type = PTR, class = IN
;; ADDITIONAL SECTION:
; EDNS: version: 0, udp=4096, flags=8000
;; Total query time: 234 msec
;; FROM: drugs.dv.isc.org to SERVER: 207.14.100.134 207.14.100.134
;; WHEN: Mon Jul 8 12:20:34 2002
;; MSG SIZE sent: 56 rcvd: 56

Also look at this garbage response to a SOA query.

; <<>> DiG 8.3 <<>> soa INTERIMNAMESERVER.COM @207.14.100.134
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; INTERIMNAMESERVER.COM, type = SOA, class = IN
;; ANSWER SECTION:
INTERIMNAMESERVER.COM. 1D IN A 207.14.100.134
;; AUTHORITY SECTION:
INTERIMNAMESERVER.COM. 1D IN NS NS1.INTERIMNAMESERVER.COM.
INTERIMNAMESERVER.COM. 1D IN NS NS2.INTERIMNAMESERVER.COM.
;; ADDITIONAL SECTION:
NS1.INTERIMNAMESERVER.COM. 1D IN A 207.14.100.134
NS2.INTERIMNAMESERVER.COM. 1D IN A 207.14.100.134
;; Total query time: 287 msec
;; FROM: drugs.dv.isc.org to SERVER: 207.14.100.134
;; WHEN: Mon Jul 8 12:28:34 2002
;; MSG SIZE sent: 39 rcvd: 165

Mark

> Those name servers are authoritative for a lot of zones that my users want
> to visit, so I was getting a lot of errors. Interestingly enough, the qr
> flag is set on the response when I use dig. In the past, the edns problems
> I read about were related to the lack of that flag. I haven't done any
> tcpdumping of the traffic to and from my resolvers though... sorry. I do
> know that when I put
>
> server 207.14.100.134 { edns no; };
>
> in my configs, the problem goes away, and users are able to surf to those
> domains.
>
> HTH,
>
> Doug
> --
> "We have known freedom's price. We have shown freedom's power.
> And in this great conflict, ... we will see freedom's victory."
> - George W. Bush, President of the United States
> State of the Union, January 28, 2002
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
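
Added example, not part of the original message: a Python check for the behaviour described above, where the server returns the EDNS query unchanged with the qr flag clear. The function names and result labels are hypothetical; the query parameters (PTR for 134.100.14.207.in-addr.arpa, id 3339, udp=4096, flags=8000) come from the dig output in the thread, and the replies are constructed byte strings, not captured traffic.

```python
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, msg_id, edns=True, udp_size=4096, do=True):
    """Build a DNS query (RD set); with edns=True append an EDNS0 OPT record."""
    header = struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!2H", qtype, 1)  # class IN
    opt = b""
    if edns:
        # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do else 0, 0)
    return header + question + opt

def classify_reply(query, reply):
    """Label how a server handled the query, judging only by the reply header."""
    if len(reply) < 12:
        return "short-header"
    if reply[:2] != query[:2]:
        return "id-mismatch"
    flags = struct.unpack("!H", reply[2:4])[0]
    if not (flags & 0x8000):  # QR clear: this is not a response at all
        return "echoed-query" if reply == query else "not-a-response"
    if (flags & 0x000F) in (1, 4):  # FORMERR / NOTIMP: server rejects EDNS cleanly
        return "edns-rejected"
    return "response"

if __name__ == "__main__":
    # Constructed replies (no network traffic): the echo seen in the thread,
    # a normal authoritative answer header, and a FORMERR.
    q = build_query("134.100.14.207.in-addr.arpa", 12, 3339)  # PTR, id from dig
    samples = {
        "echo": q,
        "answer": q[:2] + b"\x84\x00" + q[4:],
        "formerr": q[:2] + b"\x80\x01" + q[4:],
    }
    print(len(q), {k: classify_reply(q, v) for k, v in samples.items()})
```

The query built here is 56 bytes, matching the "MSG SIZE sent: 56 rcvd: 56" line in the +dnssec dig output.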