Two DNS Servers inside a firewall
Mark Andrews
Mark_Andrews at isc.org
Fri Sep 5 02:02:23 UTC 2008
> FORMERR is strange. Generally speaking, you should not be seeing FORMERR
> in queries between 2 different BIND instances.
>
> It's looking increasingly to me like a bad NAT/PAT device, mangling your
> packets. Maybe it doesn't understand EDNS0 (?) My next step would
> probably be to run a packet trace/capture, although, on the off-chance
> that it's EDNS0-related, you might try turning that off and see if it
> makes a difference.
>
>
> - Kevin

Named logs FORMERR when it receives an unexpected SOA record
on a response.

If you delegate to foo.example.net and the nameserver has
their own copy of example.net rather than foo.example.net
you will get an unexpected SOA record in the negative
response.

Below is an example of such a bad delegation. The last SOA
record should be owned by www.lawlink.nsw.gov.au not
lawlink.nsw.gov.au. It results in SERVFAIL being returned.

Mark

; <<>> DiG 9.3.4-P1 <<>> aaaa www.lawlink.nsw.gov.au
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56606
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.lawlink.nsw.gov.au. IN AAAA
;; Query time: 63 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 5 12:01:30 2008
;; MSG SIZE rcvd: 40
; <<>> DiG 9.3.4-P1 <<>> www.lawlink.nsw.gov.au aaaa +trace
;; global options: printcmd
. 440024 IN NS h.root-servers.net.
. 440024 IN NS d.root-servers.net.
. 440024 IN NS g.root-servers.net.
. 440024 IN NS i.root-servers.net.
. 440024 IN NS b.root-servers.net.
. 440024 IN NS l.root-servers.net.
. 440024 IN NS m.root-servers.net.
. 440024 IN NS e.root-servers.net.
. 440024 IN NS f.root-servers.net.
. 440024 IN NS a.root-servers.net.
. 440024 IN NS j.root-servers.net.
. 440024 IN NS c.root-servers.net.
. 440024 IN NS k.root-servers.net.
;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
au. 172800 IN NS ns1.audns.net.au.
au. 172800 IN NS dns1.telstra.net.
au. 172800 IN NS sec1.apnic.net.
au. 172800 IN NS sec3.apnic.net.
au. 172800 IN NS adns1.berkeley.edu.
au. 172800 IN NS adns2.berkeley.edu.
au. 172800 IN NS audns.optus.net.
au. 172800 IN NS aunic.aunic.net.
;; Received 430 bytes from 2001:500:1::803f:235#53(h.root-servers.net) in 244 ms
lawlink.nsw.gov.au. 3600 IN NS ns3.uecomm.net.au.
lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
lawlink.nsw.gov.au. 3600 IN NS ns2.uecomm.net.au.
;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms
www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
www.lawlink.nsw.gov.au. 3600 IN NS ns2.lawlink.nsw.gov.au.
;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms
lawlink.nsw.gov.au. 86400 IN SOA lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
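
The mismatch described in the message above, written out as an added example (not part of the original post and not BIND's own code): it reads `dig +trace` output, takes the owner of the last NS referral as the zone cut, and flags a negative response whose SOA owner is not at or below that cut. The sample input is the tail of the trace above; the function names and the exact rule applied are assumptions made for illustration.

```python
import re

# Sample input: the last two referrals and the final negative answer from
# the +trace output in the message, trimmed to the lines that matter.
SAMPLE_TRACE = """\
lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms
www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
www.lawlink.nsw.gov.au. 3600 IN NS ns2.lawlink.nsw.gov.au.
;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms
lawlink.nsw.gov.au. 86400 IN SOA lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms
"""

# owner, TTL, class IN, then the two record types this check cares about
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|SOA)\s+")

def labels(name):
    """Split a domain name into lower-case labels; the root is []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_at_or_below(name, zone):
    """True when name equals zone or is a subdomain of it (label-wise)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def check_trace(trace_text):
    """Return (zone_cut, soa_owner, ok) for a dig +trace transcript.

    zone_cut is the owner of the last NS referral; soa_owner is the owner
    of the SOA in the final negative response. ok is None when the trace
    does not contain both, so there is nothing to compare.
    """
    zone_cut = soa_owner = None
    for line in trace_text.splitlines():
        m = RR.match(line)
        if not m:
            continue  # ";;" comment lines and other record types
        if m.group(2) == "NS":
            zone_cut = m.group(1)
        else:
            soa_owner = m.group(1)
    if zone_cut is None or soa_owner is None:
        return zone_cut, soa_owner, None
    return zone_cut, soa_owner, is_at_or_below(soa_owner, zone_cut)

if __name__ == "__main__":
    cut, soa, ok = check_trace(SAMPLE_TRACE)
    print(f"zone cut {cut}  SOA owner {soa}  ->", "ok" if ok else "bad delegation")
```
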