intermittent failures and queries sent over TCP

Mark Andrews marka at isc.org
Wed Aug 19 00:55:36 UTC 2020


Named will try TCP when the server returns TC=1 (TrunCated) in the UDP response.

If you are getting RST responses, check your firewall settings. RST is often forged
when TCP is blocked. The root servers normally accept TCP connections.

% dig +tcp gmail.com @a.root-servers.net +dnssec

; <<>> DiG 9.15.4<<>> +tcp gmail.com @a.root-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10648
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;gmail.com.			IN	A

;; AUTHORITY SECTION:
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			86400	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.			86400	IN	RRSIG	DS 8 1 86400 20200831210000 20200818200000 46594 . PYeeQv/k4ZmcU9umNOIIKJFf3lyVEfd740ppq1E+hiv037ckkEsqMKiQ rELQZnazq/J4mPZHGV0oyrEpLXMIcEbwBHLLH9I06LyLxlipWWvo56A8 xmJNfbMgRefV1tM45azUETCDLUzIWTZDcAAHEszZKqeyMXNJAWb8h8Ip 6DbVBGS8g9mYyUVt2xiOafw18ZZyljBnb/mdYUOKKs5q7+b/CrbtCVip jINz6vdGAEnFNMS4K8GsL/x9usZ3jVFt9YErWFYJfBovlkUGqEQGYt2i IsvBMzeh4K43jJeaKd/4M0ZVJ6j8w61Hq9BHyi/f6FM7ANbzLSHm11y8 PENYkA==

;; ADDITIONAL SECTION:
a.gtld-servers.net.	172800	IN	A	192.5.6.30
b.gtld-servers.net.	172800	IN	A	192.33.14.30
c.gtld-servers.net.	172800	IN	A	192.26.92.30
d.gtld-servers.net.	172800	IN	A	192.31.80.30
e.gtld-servers.net.	172800	IN	A	192.12.94.30
f.gtld-servers.net.	172800	IN	A	192.35.51.30
g.gtld-servers.net.	172800	IN	A	192.42.93.30
h.gtld-servers.net.	172800	IN	A	192.54.112.30
i.gtld-servers.net.	172800	IN	A	192.43.172.30
j.gtld-servers.net.	172800	IN	A	192.48.79.30
k.gtld-servers.net.	172800	IN	A	192.52.178.30
l.gtld-servers.net.	172800	IN	A	192.41.162.30
m.gtld-servers.net.	172800	IN	A	192.55.83.30
a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30
b.gtld-servers.net.	172800	IN	AAAA	2001:503:231d::2:30
c.gtld-servers.net.	172800	IN	AAAA	2001:503:83eb::30
d.gtld-servers.net.	172800	IN	AAAA	2001:500:856e::30
e.gtld-servers.net.	172800	IN	AAAA	2001:502:1ca1::30
f.gtld-servers.net.	172800	IN	AAAA	2001:503:d414::30
g.gtld-servers.net.	172800	IN	AAAA	2001:503:eea3::30
h.gtld-servers.net.	172800	IN	AAAA	2001:502:8cc::30
i.gtld-servers.net.	172800	IN	AAAA	2001:503:39c1::30
j.gtld-servers.net.	172800	IN	AAAA	2001:502:7094::30
k.gtld-servers.net.	172800	IN	AAAA	2001:503:d2d::30
l.gtld-servers.net.	172800	IN	AAAA	2001:500:d937::30
m.gtld-servers.net.	172800	IN	AAAA	2001:501:b1f9::30

;; Query time: 327 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Wed Aug 19 10:48:11 AEST 2020
;; MSG SIZE  rcvd: 1169

% 

Mark

> On 19 Aug 2020, at 10:34, David Newman via bind-users <bind-users at lists.isc.org> wrote:
> 
> bind 9.11.5.P4 on Debian 10
> 
> Greetings. I recently had to migrate a nameserver from FreeBSD to
> Debian. It works fine most of the time but I've noticed a few
> intermittent resolution failures.
> 
> After "gmail.com" failed to resolve I took a packet capture using
> tcpdump to listen to the result of the command "dig -t mx gmail.com" and
> here's what I found:
> 
> 1. That query over UDP, with responses over UDP pointing to Google's
> nameservers
> 
> 2. Nearly 200 attempts to reach root servers over TCP, followed
> immediately by RST messages from the root servers.
> 
> Some time later, gmail.com started resolving successfully again, clearing
> up the issue for now.
> 
> AFAIK there's nothing in the BIND configs that would force the use of
> TCP queries. I checked the docs for various TCP options and didn't see
> any applied here. I don't know if the TCP queries are related to the
> gmail.com resolution failure but I suspect they are (and in any event
> inability to reach root servers is a problem).
> 
> This server is authoritative for several domains. It gets its zones from
> a hidden primary. The system's firewall permits inbound TCP and UDP
> traffic on port 53 and AFAIK does not block outbound UDP (the firewall
> is nftables, which is new to me, but since I see UDP queries in the
> packet capture I think it works).
> 
> What would cause the server to send queries over TCP?
> 
> Thanks in advance for troubleshooting clues.
> 
> 
> dn
> 
> 
> 
> CONFIG FILES
> 
> (named.conf is just pointers to .local and .options and .default-zones)
> 
> // named.conf.local
> 
> acl "xfer" {
> // redacted -- a list of IPv4 and IPv6 addresses I trust
> };
> 
> controls {
>        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
> };
> 
> logging {
> 	channel simple_log {
> 		file "/var/log/named/named.log" versions 30 size 1m;
> 		severity info;
> 		print-time yes;
> 		print-severity yes;
> 		print-category yes;
> 	};
> 	category default { simple_log; };
> 	category update { simple_log; };
> 	category update-security { simple_log; };
> 	category security { simple_log; };
> 	category queries { simple_log; };
> 	category lame-servers { null; };
> };
> 
> zone  "example1.org" in {
>        type slave;
>        file "example1.org.bak";
>        masters { 198.18.0.53; }; // not the real address
>        allow-query { any; };
>        allow-transfer { xfer; };
> };
> 
> zone  "example2.org" in {
>        type slave;
>        file "example2.org.bak";
>        masters { 198.18.0.53; }; // not the real address
>        allow-query { any; };
>        allow-transfer { xfer; };
> };
> 
> // etc.
> 
> 
> // named.conf.options
> 
> acl "trusted" {
> 
>        // redacted -- a list of IPv4 and IPv6 addresses I trust
> };
> 
> options {
>         directory "/var/cache/bind";
>         pid-file        "/var/run/named/named.pid";
>         statistics-file "/var/run/named/named.stats";
>         transfer-format many-answers;
>         masterfile-format text;
>         max-transfer-time-in 60;
>         allow-query { any; };
>         allow-recursion { trusted; };
>         allow-query-cache { trusted; };
>         allow-transfer { xfer; };
>         version none;
> 
>         disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
>         disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>         disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
> 
>         querylog yes;
> };

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
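A small diagnostic, added here and not taken from the thread or from BIND, that reproduces the behaviour Mark describes: it parses the DNS header for the TC bit, asks a server over UDP and re-asks over TCP only when the reply carries TC=1 (using the 2-byte length framing DNS over TCP requires), and classifies a bare TCP/53 connect so an RST ("refused") can be told apart from a silent drop ("timeout"). Query ids, qtype values and any server address passed in are assumed sample values.

```python
import socket
import struct

TC_BIT = 0x0200  # TrunCated flag in the DNS header flags word

def build_query(name, qtype=1, qid=0x1234, udp_size=1232, dnssec=False):
    """Standard query (RD=1) plus an EDNS0 OPT record advertising udp_size; dnssec sets the DO bit."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if dnssec else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(msg):
    """Decode the 12-byte DNS header into id, the flags of interest here and the section counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC_BIT),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def tcp_query(server, query, timeout=3.0):
    """DNS over TCP frames each message with a 2-byte big-endian length (RFC 1035 section 4.2.2)."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        f = s.makefile("rb")
        (length,) = struct.unpack("!H", f.read(2))
        return f.read(length)

def query_with_fallback(server, query, timeout=3.0):
    """Ask over UDP first and re-ask over TCP only if the reply has TC=1; returns (reply, transport)."""
    family = socket.getaddrinfo(server, 53, proto=socket.IPPROTO_UDP)[0][0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply = s.recv(4096)
    if not parse_header(reply)["tc"]:
        return reply, "udp"
    return tcp_query(server, query, timeout), "tcp"

def tcp_reachability(server, timeout=3.0):
    """'refused' means an RST came back (often forged by a firewall when TCP/53 is blocked); 'timeout' means dropped."""
    try:
        with socket.create_connection((server, 53), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return "timeout" if isinstance(e, socket.timeout) else "unreachable"
```

Running `query_with_fallback("a.root-servers.net", build_query("gmail.com", qtype=15, dnssec=True))` from the affected host shows which transport actually answered, and `tcp_reachability` on the same server distinguishes a forged RST from a dropped SYN.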