[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

Shaoquan Lin lin at ccny.cuny.edu
Wed Feb 23 16:15:02 UTC 2011


Thanks, Mark,

Last June I asked our firewall person to make sure our firewall was not 
blocking DNS packets over 512 bytes.  He told me our firewall was not 
blocking.  I guess that might be some default setting of the firewall 
and he does not really know.  I did two digs here, one with +dnssec and 
one without.  I got the following:

1) with +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; connection timed out; no servers could be reached

2) without +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;vwall4a.nyc.gov.               IN      A

;; AUTHORITY SECTION:
nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.

;; ADDITIONAL SECTION:
vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
vwall4a.nyc.gov.        86400   IN      A       167.153.130.13

;; Query time: 31 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:12:48 2011
;; MSG SIZE  rcvd: 192

Does this show we do have a firewall problem here?

Shaoquan Lin

Mark Andrews wrote:
> In message <0539E64AD2B54AD2804C2394F923800B at se179>, "Shaoquan Lin" writes:
>   
>> Mark,
>>
>> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3?  My problem is that I
>> cannot get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from 
>> b.gov-servers.net by BIND 9.6.1-P3 but have no problem with older BINDs like
>> 9.3.  I don't know if the problem is with the authoritative nameservers for 
>> gov or the nameservers for nyc.gov or with the BIND I am using.  I noticed 
>> the following:
>>     
>
> Just fix your firewalls to allow EDNS responses through.  While
> this is a bug in the authoritative servers / interpretation of
> RFC 1034, it's only an issue because your firewall configuration
> is a decade out of date.
>
>   
>> 1) a.gov-servers.net or b.gov-servers.net do provide A records in the 
>> additional records of their responses for other subdomains under gov like 
>> treas.gov, just not nyc.gov.  So the problem seems to be with the nameservers for 
>> nyc.gov.  The problem is relatively new and there might have been some recent 
>> changes on nyc.gov.
>>     
>
> The gov servers will return glue if you let bigger answers than 512 bytes
> through your firewall.
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1472
> ;; QUESTION SECTION:
> ;vwall4a.nyc.gov.		IN	A
>
> ;; AUTHORITY SECTION:
> nyc.gov.		86400	IN	NS	vwall1a.nyc.gov.
> nyc.gov.		86400	IN	NS	vwall2a.nyc.gov.
> nyc.gov.		86400	IN	NS	vwall3a.nyc.gov.
> nyc.gov.		86400	IN	NS	vwall4a.nyc.gov.
> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 20110227210022 20110222210022 47602 gov. ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8 JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9 CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==
>
> ;; ADDITIONAL SECTION:
> vwall1a.nyc.gov.	86400	IN	A	161.185.1.3
> vwall2a.nyc.gov.	86400	IN	A	161.185.1.12
> vwall3a.nyc.gov.	86400	IN	A	167.153.130.12
> vwall4a.nyc.gov.	86400	IN	A	167.153.130.13
>
> ;; Query time: 187 msec
> ;; SERVER: 209.112.123.30#53(209.112.123.30)
> ;; WHEN: Wed Feb 23 11:54:06 2011
> ;; MSG SIZE  rcvd: 574
>  
>   
>> 2) Older versions of BIND (like 9.3) seem able to resolve vwall4a.nyc.gov, 
>> as shown in the packets I captured in my previous e-mail.
>>
>> What options in named.conf can I use to set "tc"?
>>
>> Thank you.
>>
>> Shaoquan Lin
>>     

-- 
Shaoquan Lin, Computer Systems Manager
School of Engineering, City College of New York
Phone: (212) 650 6762	Fax:   (212) 650 5768	
E-mail: lin at ccny.cuny.edu
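The two digs above (plain query answered in 192 bytes, +dnssec query timing out) are the classic signature of a path that passes 512-byte DNS/UDP but drops EDNS0 or larger datagrams. The following is an added example, not code from the thread or from BIND: it builds the same pair of queries on the wire (one without an OPT record, one with an OPT record whose DO bit is set, as dig +dnssec does), parses the reply header, and classifies the outcome pair. The advertised UDP buffer of 4096 bytes, the function names, and the sample reply bytes are assumptions constructed for the example; the optional `probe` helper is the only part that needs network access.

```python
"""Added example (not from the bind-users thread): wire-format DNS queries with and
without EDNS0, a header parser, and a classifier for the plain-vs-EDNS probe pair."""
import socket
import struct

EDNS_UDP_SIZE = 4096   # assumed advertised buffer (the dig in the thread advertised 1472)
OPT_TYPE = 41          # OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000        # DNSSEC OK flag in the OPT TTL field, what dig +dnssec sets


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns=True, udp_size=EDNS_UDP_SIZE, do_bit=True):
    """Build a non-recursive (+norec) query; with edns=True append an OPT RR in ADDITIONAL."""
    flags = 0x0000                      # RD clear, like dig +norec
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries ext-rcode/version/flags (DO bit), RDLENGTH=0.
        ttl = DO_BIT if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the diagnosis needs."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),     # truncation: answer did not fit the UDP limit
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(plain, edns):
    """Interpret a plain-query result and an EDNS-query result.

    Each result is a dict: {"ok": bool, "size": bytes received (when ok)}."""
    if not plain["ok"] and not edns["ok"]:
        return "unreachable"                    # server or path down, not an EDNS question
    if plain["ok"] and not edns["ok"]:
        return "edns-or-large-udp-blocked"      # the thread's symptom: only +dnssec times out
    if edns["ok"] and edns["size"] > 512:
        return "ok-large-responses-pass"        # e.g. the 574-byte reply Mark received
    return "ok"


def probe(server, qname, edns, timeout=3.0):
    """Send one UDP query and report whether a reply came back (needs network access)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, edns=edns), (server, 53))
        data, _ = sock.recvfrom(65535)
        hdr = parse_header(data)
        return {"ok": True, "size": len(data), "tc": hdr["tc"]}
    except socket.timeout:
        return {"ok": False}
    finally:
        sock.close()


if __name__ == "__main__":
    # Offline check against a constructed reply header: id 2024, QR set, 4 authority, 4 additional,
    # the header dig printed for the thread's plain query.
    print(parse_header(b"\x07\xe8\x80\x00\x00\x01\x00\x00\x00\x04\x00\x04"))
    # Live use, as the thread's digs did (server address taken from the dig output above):
    # plain = probe("209.112.123.30", "vwall4a.nyc.gov", edns=False)
    # withedns = probe("209.112.123.30", "vwall4a.nyc.gov", edns=True)
    # print(classify(plain, withedns))
```

The OPT record is the whole difference between the two probes, so a "plain answers, EDNS times out" verdict points at a middlebox that either strips or drops packets carrying EDNS0 or drops UDP datagrams above 512 bytes; a reply with the TC bit set instead means the server honoured a small buffer and the resolver should retry over TCP.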