[External] : Re: NS query on bind9

Sonal Pahuja sonal.s.pahuja at oracle.com
Tue Sep 14 06:55:02 UTC 2021


Hi Petr/Ondřej,

Thanks for the response.

We have configured a forward zone in bind9 for e164.arpa, and our application resolves the e164 domain queries (NS, NAPTR, CNAME queries).


options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named.stats";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; !blocked; allowed; };
        //allow-query     { any; };
        recursion yes;
        zone-statistics yes;
        dnssec-enable yes;
        dnssec-validation no;

        // additional-from-auth no;
        // additional-from-cache no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

zone "e164.arpa" IN {
        type forward;
        forwarders { 127.0.0.1 port 49153; };
        forward only;
};

Our application is sending the NS name “ns.abc1.com” in the response.
Please find attached the complete pcap. From bind9 we are getting a SERVFAIL error only for the NS query.

dig -t ns 4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa @localhost

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.0.2.el6_10.8 <<>> -t ns 4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64805
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa. IN  NS

;; Query time: 9 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Sep 14 02:44:51 2021
;; MSG SIZE  rcvd: 51

We get the following output in the bind9 logs (named.run):
managed-keys-zone ./IN: Unable to fetch DNSKEY set '.': timed out
error (FORMERR) resolving '4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa/NS/IN': 127.0.0.1#49153
error (host unreachable) resolving '4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa/NS/IN': 139.165.24.21#49153

Kindly share your inputs.

Regards,
Sonal

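A check of the kind a resolver applies before accepting a response, added here as an illustration and not code from this thread, from the application under discussion or from BIND: it builds a minimal NS answer to the query in the dig output above (only the query name and ID come from the thread; the responder name and everything else are constructed), then reports header mismatches separately from the wire-format defects that a resolver logs as FORMERR, such as an RDLENGTH that does not match the NS rdata.

```python
import struct
QID, QNAME = 64805, "4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa."  # from the dig output; all other sample data is constructed

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):                          # bound the walk so pointer loops cannot hang us
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off: raise ValueError("forward compression pointer")
            end, off = (off + 2 if end is None else end), ptr
            continue
        off += 1
        if ln == 0: return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + ln].decode()); off += ln
    raise ValueError("compression pointer loop")

def build_ns_response(qid, qname, nsname, rdlen_bug=0):      # rdlen_bug != 0 mis-states RDLENGTH
    hdr = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)        # QR=1 AA=1 RCODE=0, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 2, 1)     # type NS, class IN
    rdata = encode_name(nsname)                                  # NS rdata is just a name
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(rdata) + rdlen_bug) + rdata
    return hdr + question + rr

def check_response(qid, qname, msg):
    """List the problems a resolver would raise on msg; [] means it parses and matches the query."""
    problems = []
    try:
        rid, flags, qd, an, au, ad = struct.unpack("!HHHHHH", msg[:12])
        if rid != qid or not flags & 0x8000 or qd != 1:
            problems.append("header: ID, QR bit or QDCOUNT does not match the query")
        name, off = read_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        if (name.lower(), qtype, qclass) != (qname.lower(), 2, 1):
            problems.append("question section does not echo the query")
        for _ in range(an + au + ad):                            # walk every RR in every section
            _, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            if rtype in (2, 5) and read_name(msg, off)[1] != off + rdlen:
                raise ValueError("RDLENGTH disagrees with NS/CNAME rdata")
            off += rdlen
        if off != len(msg): raise ValueError("message length disagrees with section counts")
    except (ValueError, IndexError, struct.error) as e:         # any of these is a FORMERR-class defect
        problems.append(f"FORMERR: {e}")
    return problems
```

Running the same checks over the frames in a pcap separates a response that merely fails policy (wrong ID, a question that does not echo the query) from one that cannot be parsed at all, which is the only class bind9 reports as FORMERR.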
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Petr Menšík
Sent: Monday, September 13, 2021 5:58 PM
To: bind-users at lists.isc.org
Subject: [External] : Re: NS query on bind9


Hello Sonal,

Are those queries done on an internal network only? If the global public DNS root is used, how did bind9 find out it should contact your server? Is it configured via a forward zone?

The public zone uses DNSSEC and bind9 does validate by default. I think your problem is a too short authority zone of the SOA record used.

delv ns e164.arpa
; fully validated
e164.arpa.        43200    IN    NS    ns4.apnic.net.
e164.arpa.        43200    IN    NS    ns3.afrinic.net.
e164.arpa.        43200    IN    NS    ns3.lacnic.net.
e164.arpa.        43200    IN    NS    rirns.arin.net.
e164.arpa.        43200    IN    NS    pri.authdns.ripe.net.
e164.arpa.        43200    IN    RRSIG    NS 13 2 172800 20210921103016 20210907090016 28754 e164.arpa. hYukapDuiBGjbjWlmWLOqkjX4zsGkkF88BshSPiXZrC3/6mSmCGEOJDv xdUstlg/CIdXrYIh4mYL1Tr2cAG2oQ==

Any validating server would refuse your response, because ns.abc1.com is clearly not authoritative in e164.arpa. But the result would be SERVFAIL, not FORMERR. I can only guess, because we know nothing about the queries, nor the error logged by bind9. We have seen only an image of Wireshark instead of the pcap file itself, containing both queries and responses. Please include at least some of these if you seek our help.

In general, I would recommend following Ondřej's advice: choose an existing implementation with a compatible license and extend it if required. There are many details to get correct.

Best Regards,

Petr
On 9/13/21 10:09 AM, Sonal Pahuja wrote:

Hello All,

Currently we are facing the issue below:

We have built a response for an NS query and are sending it to bind9. However, bind9 is rejecting it and we get a SERVFAIL error.
NAPTR and CNAME queries are working fine.

Wireshark of response built by our application:
[image attachment: image002.jpg]


The above message is received by bind9; bind9 rejects it and sends a SERVFAIL message to the sender.

In named.run we get the following output:

error (FORMERR) resolving

[image attachment: image004.jpg]
Kindly let us know what the issue can be here.

Regards



--

Petr Menšík

Software Engineer

Red Hat, http://www.redhat.com/

email: pemensik at redhat.com

PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB