[External] : Re: NS query on bind9
Sonal Pahuja
sonal.s.pahuja at oracle.com
Tue Sep 14 06:55:02 UTC 2021
Hi Petr/Ondřej,
Thanks for the response.
We have configured a forward zone in bind9 for e164.arpa, and our application resolves the e164 domain queries (NS, NAPTR and CNAME queries).
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named.stats";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; !blocked; allowed; };
        //allow-query { any; };
        recursion yes;
        zone-statistics yes;
        dnssec-enable yes;
        dnssec-validation no;
        // additional-from-auth no;
        // additional-from-cache no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

zone "e164.arpa" IN {
        type forward;
        forwarders { 127.0.0.1 port 49153; };
        forward only;
};
Our application is sending the NS domain as "ns.abc1.com" in the response.
Please find attached the complete pcap. From bind9 we are getting a server fail error only for the NS query.
dig -t ns 4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa @localhost
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.0.2.el6_10.8 <<>> -t ns 4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64805
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa. IN NS
;; Query time: 9 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Sep 14 02:44:51 2021
;; MSG SIZE rcvd: 51
We are getting the below output in the bind9 logs (named.run):
managed-keys-zone ./IN: Unable to fetch DNSKEY set '.': timed out
error (FORMERR) resolving '4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa/NS/IN': 127.0.0.1#49153
error (host unreachable) resolving '4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa/NS/IN': 139.165.24.21#49153
Kindly share your inputs.
Regards,
Sonal
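As an added example that is not from this thread and not BIND's own code: a small Python parser that applies the kind of consistency checks a recursive resolver runs on an upstream reply before accepting it, which is the class of problem that shows up in named.run as "error (FORMERR) resolving". The message builder, the NS target ns.abc1.com, the query id and the sample messages are constructed for illustration, and the checks approximate rather than reproduce BIND's parser.

```python
import struct

def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_response(qid, qname, qtype, answers):
    """Constructed reply: header, echoed question, one RR per answer name."""
    msg = struct.pack("!6H", qid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rdata in map(encode_name, answers):
        msg += encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return msg

def read_name(msg, off, depth=0):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while off < len(msg):
        length, off = msg[off], off + 1
        if length & 0xC0 == 0xC0:                    # compression pointer
            if off >= len(msg) or depth > 15:
                break
            tail = read_name(msg, ((length & 0x3F) << 8) | msg[off], depth + 1)[0]
            return ".".join(labels + [tail]), off + 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name runs past end of message or bad pointer")

def check_response(msg, qid, qname, qtype):
    """Return None if msg is a well-formed reply to the query, else the first defect found."""
    try:
        rid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        if rid != qid or not flags & 0x8000:
            return "not a response to this query id"
        if qd != 1:
            return "question count is %d, expected 1" % qd
        name, off = read_name(msg, 12)
        rtype, off = struct.unpack("!HH", msg[off:off + 4])[0], off + 4
        if (name.lower(), rtype) != (qname.lower().rstrip(".") + ".", qtype):
            return "question section does not echo the query"
        for _ in range(an + ns + ar):                # walk every RR
            _, off = read_name(msg, off)
            off += 10 + struct.unpack("!HHIH", msg[off:off + 10])[3]  # skip type/class/ttl/rdlen+rdata
            if off > len(msg):
                return "RDATA runs past end of message"
    except (ValueError, struct.error, UnicodeDecodeError) as e:
        return "unparseable: %s" % e
    return None
```

Running check_response over the reply your application sends (extracted from the pcap) tells you whether it is the framing, the question section or the record lengths that the resolver objects to.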
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Petr Menšík
Sent: Monday, September 13, 2021 5:58 PM
To: bind-users at lists.isc.org
Subject: [External] : Re: NS query on bind9
Hello Sonal,
Are those queries done on the internal network only? If the global public DNS root is used, how did bind9 find out it should contact your server? Is it configured via a forward zone?
The public zone uses DNSSEC and bind9 does validate by default. I think your problem is the too-short authority zone of the SOA record used.
delv ns e164.arpa
; fully validated
e164.arpa. 43200 IN NS ns4.apnic.net.
e164.arpa. 43200 IN NS ns3.afrinic.net.
e164.arpa. 43200 IN NS ns3.lacnic.net.
e164.arpa. 43200 IN NS rirns.arin.net.
e164.arpa. 43200 IN NS pri.authdns.ripe.net.
e164.arpa. 43200 IN RRSIG NS 13 2 172800 20210921103016 20210907090016 28754 e164.arpa. hYukapDuiBGjbjWlmWLOqkjX4zsGkkF88BshSPiXZrC3/6mSmCGEOJDv xdUstlg/CIdXrYIh4mYL1Tr2cAG2oQ==
Any validating server would refuse your response, because ns.abc1.com is clearly not authoritative for e164.arpa. But the result would be SERVFAIL, not FORMERR. I can only guess, because we know nothing about the queries, nor the error logged by bind9. We have seen only an image of Wireshark instead of the pcap file itself, containing both queries and responses. Please include at least some of these if you seek our help.
In general, I would recommend following Ondřej's advice and choosing any existing implementation with a compatible license, extending it if required. There are many details to get correct.
Best Regards,
Petr
On 9/13/21 10:09 AM, Sonal Pahuja wrote:
Hello All,
Currently we are facing the below issue:
We have built a response for the NS query and are sending it to bind9. However, bind9 is rejecting it and we are getting a server fail error.
NAPTR and CNAME queries are working fine.
Wireshark capture of the response built by our application:
[attached image: image002.jpg]
The above message is received by bind9; bind9 is rejecting it and sending a server fail message to the sender.
In named.run we are getting the below output:
error (FORMERR) resolving
[attached image: image004.jpg]
Kindly let us know what the issue could be here.
Regards
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Attachments:
image002.jpg (image/jpeg, 51623 bytes): https://lists.isc.org/pipermail/bind-users/attachments/20210914/fb87ddc8/attachment-0002.jpg
image004.jpg (image/jpeg, 40831 bytes): https://lists.isc.org/pipermail/bind-users/attachments/20210914/fb87ddc8/attachment-0003.jpg
NS_query_inout.pcap (application/octet-stream, 805 bytes): https://lists.isc.org/pipermail/bind-users/attachments/20210914/fb87ddc8/attachment-0001.obj