Problem resolving domain

Mark Andrews marka at isc.org
Mon Jan 27 22:08:35 UTC 2020


Both servers are broken. One fails to implement DNS COOKIE (RFC 7873) correctly.  Note that the "Client COOKIE mismatch" is reported.  Named rejects the response because the client cookie does not match that sent to the server. The response looks like someone trying to spoof the response.  The other is lame (doesn’t serve the zone).

What should happen here is that the vendor of the nameserver running on ns1.bitworks.net should fix their server and issue an advisory to all their customers that their server is broken and does not interoperate with servers sending DNS COOKIES.  This will require BITWORKS.NET reporting the fault to their vendor.

In the meantime you can stop named sending DNS COOKIE options to the server with:

server 213.188.101.9 { send-cookie false; };

Mark

% dig dqb.info @ns1.bitworks.net +qr

; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> dqb.info @ns1.bitworks.net +qr
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53280
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 14e8a45ea8077fb5
;; QUESTION SECTION:
;dqb.info.			IN	A

;; QUERY SIZE: 49

;; Warning: Client COOKIE mismatch
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53280
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ec01cc010200000001000000000000000000000000000000 (bad)
;; QUESTION SECTION:
;dqb.info.			IN	A

;; ANSWER SECTION:
dqb.info.		86400	IN	A	178.250.160.91

;; AUTHORITY SECTION:
dqb.info.		86400	IN	NS	ns4.tmag.de.
dqb.info.		86400	IN	NS	ns1.bitworks.net.

;; ADDITIONAL SECTION:
ns1.bitworks.net.	300	IN	A	213.188.101.9

;; Query time: 378 msec
;; SERVER: 213.188.101.9#53(213.188.101.9)
;; WHEN: Tue Jan 28 08:52:13 AEDT 2020
;; MSG SIZE  rcvd: 152

%

% dig dqb.info @ns4.tmag.de

; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> dqb.info @ns4.tmag.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47126
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dqb.info.			IN	A

;; AUTHORITY SECTION:
info.			18657	IN	NS	a0.info.afilias-nst.info.
info.			18657	IN	NS	a2.info.afilias-nst.info.
info.			18657	IN	NS	b0.info.afilias-nst.org.
info.			18657	IN	NS	b2.info.afilias-nst.org.
info.			18657	IN	NS	c0.info.afilias-nst.info.
info.			18657	IN	NS	d0.info.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.info.afilias-nst.info. 105080 IN	AAAA	2001:500:19::1
a0.info.afilias-nst.info. 18680	IN	A	199.254.31.1
a2.info.afilias-nst.info. 105080 IN	AAAA	2001:500:41::1
a2.info.afilias-nst.info. 18680	IN	A	199.249.113.1
b0.info.afilias-nst.org. 105080	IN	A	199.254.48.1
b0.info.afilias-nst.org. 105080	IN	AAAA	2001:500:1a::1
b2.info.afilias-nst.org. 105080	IN	A	199.249.121.1
b2.info.afilias-nst.org. 105080	IN	AAAA	2001:500:49::1
c0.info.afilias-nst.info. 105080 IN	AAAA	2001:500:1b::1
c0.info.afilias-nst.info. 18680	IN	A	199.254.49.1
d0.info.afilias-nst.org. 105080	IN	A	199.254.50.1
d0.info.afilias-nst.org. 105080	IN	AAAA	2001:500:1c::1

;; Query time: 322 msec
;; SERVER: 193.254.185.231#53(193.254.185.231)
;; WHEN: Tue Jan 28 08:47:20 AEDT 2020
;; MSG SIZE  rcvd: 440

%

> On 28 Jan 2020, at 07:51, Stephan von Krawczynski <skraw.ml at ithnet.com> wrote:
> 
> On Mon, 27 Jan 2020 16:36:42 +0100
> Anand Buddhdev <anandb at ripe.net> wrote:
> 
>> On 27/01/2020 16:26, Stephan von Krawczynski wrote:
>> 
>> Hi Stephan,
>> 
>>> I would have expected that bind finds the domain by using the working
>>> nameserver and ignoring the dead one. But obviously it does not.
>>> Did I misconfigure something? I thought both nameservers should be
>>> questioned and the first working result be used, or not?  
>> 
>> Without knowing which domain it is, we can't even begin to guess at the
>> problem, because things in DNS could be broken in many different ways.
>> 
>> I would advise you to reveal the problematic domain name, and you will
>> get help much faster.
>> 
>> Regards,
>> Anand
> 
> Hello Anand,
> 
> the domain in question is "dqb.info".
> Please keep in mind, the domain is in no way related to me. I was just
> notified by access customers that we fail to deliver it.
> 
> -- 
> Regards,
> Stephan
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
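The two failure modes Mark points at in the dig output (a server that echoes the wrong client cookie, and a server that is lame for the zone) can be checked mechanically. The script below is an added example, not code from ISC, from BIND or from anyone in this thread. It implements only the RFC 7873 wire format (EDNS option code 10, an 8-byte client cookie followed by an optional 8..32-byte server cookie) and a simple lameness heuristic on the response header; the OPT RDATA and header values are constructed here, while the two cookie byte strings are copied from the dig output above.

```python
"""Check a DNS response the way a cookie-aware resolver would.

Added example (not ISC/BIND code). Assumes only the RFC 7873 wire format
and RFC 1035 header flag bits. OPT RDATA and header values are constructed
here; the two cookie values are the ones from the dig output in the thread.
"""
import struct

EDNS_OPTION_COOKIE = 10  # EDNS option code assigned to COOKIE by RFC 7873

# Cookie bytes copied from the dig output: what dig sent, and what came back.
SENT_CLIENT_COOKIE = bytes.fromhex("14e8a45ea8077fb5")
BITWORKS_COOKIE = bytes.fromhex(
    "ec01cc010200000001000000000000000000000000000000")

# Header flag bits (RFC 1035 section 4.1.1).
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100


def build_opt_rdata(options):
    """Encode (code, data) pairs as OPT RR RDATA: 2-byte code, 2-byte length, data."""
    return b"".join(struct.pack("!HH", code, len(data)) + data
                    for code, data in options)


def parse_opt_rdata(rdata):
    """Decode OPT RDATA into (code, data) pairs; raise ValueError on truncation."""
    options, pos = [], 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if len(rdata) - pos < length:
            raise ValueError("truncated EDNS option data")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def check_cookie(sent_client_cookie, response_opt_rdata):
    """Classify the COOKIE option in a response.

    'match'           echoed client cookie equals what we sent, length is valid
    'client-mismatch' echoed client cookie differs: the response is
                      indistinguishable from a spoof, which is what named
                      reports as "Client COOKIE mismatch" and then discards
    'malformed'       option truncated, duplicated, or not 8 or 16..40 bytes
    'no-cookie'       the server did not return a COOKIE option at all
    """
    try:
        options = parse_opt_rdata(response_opt_rdata)
    except ValueError:
        return "malformed"
    cookies = [data for code, data in options if code == EDNS_OPTION_COOKIE]
    if not cookies:
        return "no-cookie"
    if len(cookies) > 1:
        return "malformed"
    cookie = cookies[0]
    if len(cookie) != 8 and not 16 <= len(cookie) <= 40:
        return "malformed"
    if cookie[:8] != sent_client_cookie:
        return "client-mismatch"
    return "match"


def is_lame(flags, ancount, nscount, qname, authority_owners):
    """Heuristic for a lame server: asked as an authority for qname, it answers
    without AA, with no answer records, and only refers to some other zone."""
    if flags & FLAG_AA:
        return False
    qname = qname.lower()
    return (ancount == 0 and nscount > 0
            and all(owner.lower() != qname for owner in authority_owners))


if __name__ == "__main__":
    # Constructed OPT RDATA carrying the cookie ns1.bitworks.net returned.
    rdata = build_opt_rdata([(EDNS_OPTION_COOKIE, BITWORKS_COOKIE)])
    print("ns1.bitworks.net:", check_cookie(SENT_CLIENT_COOKIE, rdata))
    # A well-behaved server echoes our client cookie and appends its own.
    good = build_opt_rdata([(EDNS_OPTION_COOKIE, SENT_CLIENT_COOKIE + b"\x01" * 16)])
    print("well-behaved server:", check_cookie(SENT_CLIENT_COOKIE, good))
    # ns4.tmag.de: flags qr rd, no answer, six NS records owned by "info.".
    print("ns4.tmag.de lame:",
          is_lame(FLAG_QR | FLAG_RD, 0, 6, "dqb.info.", ["info."] * 6))
```

Running it classifies the ns1.bitworks.net response as "client-mismatch" (the first 8 bytes of what came back, ec01cc0102000000, are not the 14e8a45ea8077fb5 that was sent) and the ns4.tmag.de response as lame. The same check is why `send-cookie false` for that one server address is the right workaround: without a COOKIE option in the query there is nothing for the broken server to echo wrongly, and named falls back to the ordinary query-ID and port checks for that server only.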


