mistake or bug or error or user malfunction

Mark Andrews marka at isc.org
Fri May 3 01:16:10 UTC 2013


Someone has installed an ordinary recursive server as a transparent
DNS caching server and is intercepting your queries.  This does not
work.

At a minimum a "transparent" DNS caching server needs to force
recursion.  It also needs to fake AA=1 in the responses.  It also
needs to pass through TSIG signed queries.  It also needs to pass
through SOA/AXFR/IXFR requests.

You should be able to work around the issue by forwarding all your
queries.  That way "rd=1" will be set on them and you won't be
expecting "aa=1" responses.

e.g.
	forward only;
	forwarders { 8.8.8.8; };

Mark

In message <CAFrZoh1=6dEFARG5xLhuMWBQF1E+YQDm5WRUGtpbEZU3UfTo5A at mail.gmail.com>, Dorn Hetzel writes:
> 
> I just finished installing bind 9.9.2-P2 on a windows 7 box to act as a
> local resolver for my 192.168.7 lan and to cache queries so they don't all
> have to go out over my satellite link...
> 
> I think it seems likely that I have done something wrong, but I'm not sure
> what...
> 
> named.conf looks like:
> 
> options {
> directory "c:\named\zones";
> allow-transfer { none; };
> recursion yes;
> allow-recursion { any; };
> allow-query { any; };
> allow-query-cache { any; };
> };
> 
> logging {
> channel my_log {
> file "c:\named\named.log" versions 64 size 64k;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> category default {
> my_log;
> };
> };
> 
> key "rndc-key" {
> algorithm hmac-md5;
> secret "yahyahyahyahsaoddfhjsdoafhsdfnotreally";
> };
> 
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
> };
> 
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "0.0.127.in-addr.arpa.txt";
> };
> 
> zone "7.168.192.in-addr.arpa" {
> type master;
> file "7.168.192.in-addr.arpa.txt";
> };
> 
> but I get lots and lots of the following and resolution is quite slow and
> times out repeatedly from clients and then finally resolves, then times out
> again...
> 
> Any thoughts (or bricks to the head if what I am doing is especially
> stupid?)
> 
> -dorn
> 
> .C:\NAMED>more named.log
> 02-May-2013 20:17:14.424 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.36.148.17#53
> 02-May-2013 20:17:14.431 resolver: notice: DNS format error from
> 202.12.27.33#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.431 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 202.12.27.33#53
> 02-May-2013 20:17:14.434 resolver: notice: DNS format error from
> 192.5.5.241#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.434 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.5.5.241#53
> 02-May-2013 20:17:14.437 resolver: notice: DNS format error from
> 128.8.10.90#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.437 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 128.8.10.90#53
> 02-May-2013 20:17:14.440 resolver: notice: DNS format error from
> 192.203.230.10#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.440 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.203.230.10#53
> 02-May-2013 20:17:14.443 resolver: notice: DNS format error from
> 192.58.128.30#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.443 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.58.128.30#53
> 02-May-2013 20:17:14.446 resolver: notice: DNS format error from
> 193.0.14.129#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.446 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 193.0.14.129#53
> 02-May-2013 20:17:14.449 resolver: notice: DNS format error from
> 198.41.0.4#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.449 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 198.41.0.4#53
> 02-May-2013 20:17:14.451 resolver: notice: DNS format error from
> 128.63.2.53#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.452 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 128.63.2.53#53
> 02-May-2013 20:17:14.454 resolver: notice: DNS format error from
> 192.112.36.4#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.454 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.112.36.4#53
> 02-May-2013 20:17:14.457 resolver: notice: DNS format error from
> 192.33.4.12#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.457 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.33.4.12#53
> 02-May-2013 20:17:14.460 resolver: notice: DNS format error from
> 199.7.83.42#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.460 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 199.7.83.42#53
> 02-May-2013 20:17:14.463 resolver: notice: DNS format error from
> 192.228.79.201#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.463 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.228.79.201#53
> 02-May-2013 20:17:30.110 resolver: notice: DNS format error from
> 202.12.27.33#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.110 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 202.12.27.33#53
> 02-May-2013 20:17:30.112 resolver: notice: DNS format error from
> 192.58.128.30#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.113 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.58.128.30#53
> 02-May-2013 20:17:30.115 resolver: notice: DNS format error from
> 192.203.230.10#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.115 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.203.230.10#53
> 02-May-2013 20:17:30.118 resolver: notice: DNS format error from
> 128.8.10.90#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.119 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 128.8.10.90#53
> 02-May-2013 20:17:30.122 resolver: notice: DNS format error from
> 198.41.0.4#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.123 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 198.41.0.4#53
> 02-May-2013 20:17:30.125 resolver: notice: DNS format error from
> 193.0.14.129#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.125 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 193.0.14.129#53
> 02-May-2013 20:17:30.128 resolver: notice: DNS format error from
> 128.63.2.53#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.128 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 128.63.2.53#53
> 02-May-2013 20:17:30.131 resolver: notice: DNS format error from
> 192.33.4.12#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.131 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.33.4.12#53
> 02-May-2013 20:17:30.134 resolver: notice: DNS format error from
> 199.7.83.42#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.134 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 199.7.83.42#53
> 02-May-2013 20:17:30.137 resolver: notice: DNS format error from
> 192.5.5.241#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.137 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.5.5.241#53
> 02-May-2013 20:17:30.139 resolver: notice: DNS format error from
> 192.36.148.17#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.140 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.36.148.17#53
> 02-May-2013 20:17:30.142 resolver: notice: DNS format error from
> 192.228.79.201#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.142 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.228.79.201#53
> 02-May-2013 20:17:30.145 resolver: notice: DNS format error from
> 192.112.36.4#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:30.145 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.112.36.4#53
> 
> C:\NAMED >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
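
An added example, not part of either message and not ISC code: a small check for the log pattern discussed in this thread, where many different servers all return the same "non-improving referral" for one query, which is what a single intercepting resolver answering on their behalf looks like in named.log. It tolerates mail quoting and hard line wraps; the function names, the three-server threshold and the sample lines (RFC 5737 documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

TS = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
REFERRAL = re.compile(
    r"DNS format error from (?P<server>[0-9a-fA-F.:]+)#\d+ resolving "
    r"(?P<qname>\S+)/(?P<qtype>[A-Z0-9]+): non-improving referra\s?l")

# Constructed sample (RFC 5737 addresses), quoted and wrapped like the mail.
SAMPLE = """\
> 02-May-2013 20:17:14.431 resolver: notice: DNS format error from
> 192.0.2.1#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:14.431 lame-servers: info: error (FORMERR) resolving
> './NS/IN': 192.0.2.1#53
> 02-May-2013 20:17:14.434 resolver: notice: DNS format error from
> 198.51.100.7#53 resolving ./NS: non-improving referra
> l
> 02-May-2013 20:17:14.437 resolver: notice: DNS format error from
> 203.0.113.9#53 resolving ./NS: non-improving referral
> 02-May-2013 20:17:15.002 resolver: notice: DNS format error from
> 192.0.2.1#53 resolving example.test/A: non-improving referral
"""

def unwrap(text):
    """One record per timestamp from mail-quoted, hard-wrapped log text."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of a wrapped record
    return records

def intercepted_queries(text, min_servers=3):
    """Map (qname, qtype) to the servers that all returned a non-improving
    referral for it, kept only when min_servers distinct servers did."""
    seen = defaultdict(set)
    for rec in unwrap(text):
        m = REFERRAL.search(rec)
        if m:
            seen[(m["qname"], m["qtype"])].add(m["server"])
    return {q: sorted(s) for q, s in seen.items() if len(s) >= min_servers}

if __name__ == "__main__":
    for (qname, qtype), servers in intercepted_queries(SAMPLE).items():
        print(f"{qname}/{qtype}: same bad referral from {len(servers)} servers")
```

A hit on `./NS` across many root server addresses points at something on the path rather than at the servers themselves; a single server failing for one name does not cross the threshold.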