Problems with EDNS0

Mark Andrews marka at isc.org
Wed Jul 22 01:30:24 UTC 2009


In message <4A661D77.9050600 at serpro.gov.br>, Breno Silveira Soares writes:
> Mark Andrews wrote:
> > You think there isn't a firewall.  There is something in the path
> > that is blocking responses.  When you find it can you please inform
> > the manufacturer that their product is broken and you would like it
> > fixed.  FORMERR is part of the base DNS specification and shouldn't
> > be filtered.
> >   
> What I don't understand is: the FORMERR response is a normal UDP packet, ok?
> What could filter this packet?
> 
> >> Queries to Akamai servers don't work with EDNS. To resolve this 
> >> problem I configured bind with the directive "server <IP> { edns no; };", but 
> >> that isn't a good solution.
> >> From my server, some queries with EDNS work and some don't.
> >>     
> >
> > The Akamai do respond to EDNS queries.
> > Here is what you should be seeing.  It looks like something is
> > filtering out the FORMERR responses.  Almost all of the above log
> > messages are for zones where FORMERR is returned.  Responses from
> > EDNS aware servers are getting back.
> >
> > B.T.W. you should use 512 as the buffer size, not 500.
> >
> > drugs:dnssec 13:10 {1669} % dig @n0g.akamai.net a961.g.akamai.net +bufsize=512
> >
> > ; <<>> DiG 9.3.6-P1 <<>> @n0g.akamai.net a961.g.akamai.net +bufsize=512
> > ; (1 server found)
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 52294
> > ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; Query time: 11 msec
> > ;; SERVER: 60.254.186.21#53(60.254.186.21)
> > ;; WHEN: Tue Jul 21 13:10:50 2009
> > ;; MSG SIZE  rcvd: 12
> >
> > drugs:dnssec 13:10 {1670} % 
> >
> > Mark
> My server gets responses with EDNS from some NS on the Internet, with UDP 
> packets > 512 bytes,
> e.g.: "dig @a.dns.br br dnskey +dnssec +bufsize=2500"
> So it's not a firewall problem, am I correct?

	No.  A firewall can filter on all sorts of things.

	I've seen a firewall block queries with CD set but allow
	through EDNS responses that are fragmented with CD
	clear.

	i.e.
		"dig +bufsize=4096 example.net" succeeded.
		"dig +cd example.net" failed.

	You just have an unusual firewall issue.  FORMERR responses
	are being blocked.
 
> From my server, dig to Akamai with EDNS (+bufsize=512) doesn't get a 
> FORMERR message; dig returns "connection timed out; no servers could be 
> reached".
> What could be the reason?

	You have a device in the path that is filtering out the
	FORMERR responses.  Such devices are usually labeled
	"firewall" but could be something else like a NAT with a
	bad DNS ALG.
 
	Mark

> Thanks for your reply.
> 
> -- 
> Regards,
> Breno S. Soares
> Network Analyst
> SERPRO/SUPRE/REBHE
> Tel: (31) 3311-6825
> 
> 
> 
> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government
> company established under Brazilian law (5.615/70) -- is directed exclusively to its
> addressee and may contain confidential data, protected under professional secrecy rules.
> Its unauthorized use is illegal and may subject the transgressor to the law's penalties.
> If you're not the addressee, please send it back, elucidating the failure."
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
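As an added example (not from this thread and not BIND's own code), a small Python probe that builds the same kind of EDNS0 query that dig +bufsize=512 sends, decodes the 12-byte reply header, and tells a FORMERR (a normal, tiny UDP reply with RCODE 1) apart from a timeout, which is the symptom a middlebox dropping FORMERR produces. The sample reply bytes and the `probe` helper are constructed here; the query id 52294 is just the one from the dig output above.

```python
import socket
import struct

FORMERR = 1  # RCODE 1, Format Error (RFC 1035): what a pre-EDNS server returns when it sees an OPT record


def build_edns_query(qname, qid, bufsize=512):
    """Wire-format A query with an EDNS0 OPT record advertising bufsize (RFC 6891), like dig +bufsize."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; QDCOUNT=1; ARCOUNT=1 for OPT
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)  # root name, TYPE OPT, CLASS=UDP size, TTL, RDLEN
    return header + question + opt


def parse_header(resp):
    """Decode the 12-byte DNS header; a FORMERR reply to an EDNS query is often exactly this long."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(resp, qid):
    """Map one probe outcome to the cases discussed in the thread."""
    if resp is None:
        return "timeout: query or reply dropped in the path (firewall or NAT DNS ALG suspect)"
    h = parse_header(resp)
    if not h["qr"] or h["id"] != qid:
        return "unexpected: not a reply to our query"
    if h["rcode"] == FORMERR:
        return "FORMERR: server does not understand EDNS; a resolver should fall back to plain DNS"
    if h["rcode"] == 0:
        return "NOERROR: EDNS-aware server answered"
    return "rcode %d" % h["rcode"]


def probe(server, qname, qid=52294, bufsize=512, timeout=3.0):
    """Send one EDNS query over UDP and return the raw reply, or None on timeout (live use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(qname, qid, bufsize), (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


# Constructed 12-byte reply matching the dig output above: id 52294, flags qr rd, status FORMERR, all counts 0.
SAMPLE_FORMERR = struct.pack("!HHHHHH", 52294, 0x8101, 0, 0, 0, 0)
```

Running `classify(probe("n0g.akamai.net-ip-here", "a961.g.akamai.net"), 52294)` from inside and outside the suspect network shows whether the FORMERR reply arrives or the probe times out.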


