SERVFAIL for some domains on some servers

Mark Andrews marka at isc.org
Tue Mar 2 22:13:58 UTC 2010


In message <4B8CE12B.4010506 at imag.fr>, Oliver Henriot writes:
> but nothing shows up when carrying out the failed request. I even tried
> debug level and it gave nothing when I did:
> 
> dig www.labanquepostale.fr @129.88.30.10
> 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.labanquepostale.fr @129.88.30.10
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35429
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.labanquepostale.fr.                IN      A
> 
> ;; Query time: 1513 msec
> ;; SERVER: 129.88.30.10#53(129.88.30.10)
> ;; WHEN: Tue Mar  2 10:51:46 2010
> ;; MSG SIZE  rcvd: 40
> 
> 
> Thanks for your help (and for your work on DNS in general).
> 
> Best regards,
> 
> Oliver

Having the actual domain that is failing is a great help in isolating
the problem.

My bet is that you have the query source port fixed to 53 in your
nameserver (which is a bad idea for a number of reasons) and the
administrators of www.labanquepostale.fr have stupid firewall
settings which block packets *from* port 53.  Both ends are
misconfigured.

[postmaster at labanquepostale.fr]
When you are running a service you shouldn't care what port the request
comes from.  For DNS in particular there are still lots of nameservers
configured to send traffic from port 53 as it only required 1 entry
in stateless firewall configuration.

A tcpdump with the source port forced to 53.  Note there is no reply traffic.

08:54:18.517985 211.30.172.21.53 > 83.206.67.133.53:  40497 [1au] A? www.labanquepostale.fr. ar: OPT UDPsize=2048,DO=1 (51)
08:54:23.531571 211.30.172.21.53 > 83.206.67.133.53:  40497 [1au] A? www.labanquepostale.fr. ar: OPT UDPsize=2048,DO=1 (51)
08:54:28.556952 211.30.172.21.53 > 83.206.67.133.53:  40497 [1au] A? www.labanquepostale.fr. ar: OPT UDPsize=2048,DO=1 (51)

A tcpdump with letting the OS choose the source port (60883).  Note there
is reply traffic.

08:57:00.931448 211.30.172.21.60883 > 83.206.67.133.53:  36854 [1au] A? www.labanquepostale.fr. ar: OPT UDPsize=2048,DO=1 (51)
08:57:01.261648 83.206.67.133.53 > 211.30.172.21.60883:  36854*- 1/2/3 A[|domain]

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
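As an added illustration of the two captures above (example code, not from the post or from ISC), a small Python script that pairs queries with replies in tcpdump output of this format, reports queries that never got an answer, and flags those sent from source port 53. The sample capture is the two excerpts quoted above, embedded as constructed input; the record field names and the diagnosis labels are this example's own.

```python
import re

# Constructed sample: the two tcpdump excerpts quoted in the post, as one capture.
SAMPLE = """\
08:54:18.517985 211.30.172.21.53 > 83.206.67.133.53:  40497 [1au] A? www.labanquepostale.fr. ar: OPT UDPsize=2048,DO=1 (51)
08:54:23.531571 211.30.172.21.53 > 83.206.67.133.53:  40497 [1au] A? www.labanquepostale.fr. ar: OPT UDPsize=2048,DO=1 (51)
08:54:28.556952 211.30.172.21.53 > 83.206.67.133.53:  40497 [1au] A? www.labanquepostale.fr. ar: OPT UDPsize=2048,DO=1 (51)
08:57:00.931448 211.30.172.21.60883 > 83.206.67.133.53:  36854 [1au] A? www.labanquepostale.fr. ar: OPT UDPsize=2048,DO=1 (51)
08:57:01.261648 83.206.67.133.53 > 211.30.172.21.60883:  36854*- 1/2/3 A[|domain]
"""

# "<ts> <ip>.<port> > <ip>.<port>:  <id><flags> <rest>"; reply flags such as "*-" trail the id.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<id>\d+)[*|$+-]*\s+(?P<rest>.*)$")
# Replies carry answer/authority/additional counts ("1/2/3"); queries carry "A?" instead.
IS_REPLY = re.compile(r"\b\d+/\d+/\d+\b")


def analyse(capture):
    """Pair queries with replies by (client, client port, server, DNS id); one record
    per distinct query: send count (repeats are retransmissions), reply seen, port 53?"""
    queries, answered = {}, set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if IS_REPLY.search(f["rest"]):
            # In a reply the client is the destination side of the packet.
            answered.add((f["dst"], int(f["dport"]), f["src"], int(f["id"])))
        else:
            key = (f["src"], int(f["sport"]), f["dst"], int(f["id"]))
            queries.setdefault(key, []).append(f["ts"])
    report = []
    for (client, port, server, qid), stamps in queries.items():
        report.append({"client": client, "client_port": port, "server": server,
                       "id": qid, "sends": len(stamps), "from_port_53": port == 53,
                       "answered": (client, port, server, qid) in answered})
    return report


def diagnose(report):
    """Unanswered port-53 queries beside answered ones from other ports = port-53 filtering."""
    dropped_53 = any(r["from_port_53"] and not r["answered"] for r in report)
    ok_other = any(not r["from_port_53"] and r["answered"] for r in report)
    if dropped_53 and ok_other:
        return "replies-to-port-53-queries-dropped"
    if dropped_53:
        return "port-53-queries-unanswered"
    return "no-evidence"
```

Run against a real capture by reading `tcpdump -n` output into `analyse()`; three sends of one id with no reply, as in the first excerpt, is the retransmission pattern that turns into SERVFAIL at the resolver.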


