Ask for help with SERVFAIL

Mark Andrews marka at isc.org
Fri Dec 2 04:47:52 UTC 2022


The DNS server at 119.29.29.29 is broken.  It does not implement EDNS (RFC 6891)
correctly.  Some of the errors may be due to a misconfigured firewall in front of
the server.  This is the section of RFC 6891 the server is not following and it
is designed to allow clients to use options the server does not know about which
allows new options to be deployed without causing problems.  The same with ignoring
unknown options in responses.

   Any OPTION-CODE values not understood by a responder or requestor
   MUST be ignored.  Specifications of such options might wish to
   include some kind of signaled acknowledgement.  For example, an
   option specification might say that if a responder sees and supports
   option XYZ, it MUST include option XYZ in its response.

The server is echoing back the unknown option "; COOKIE: 45aac8f8acbe209c (echoed)".
If DNS COOKIE is not supported this should not be present in the response and if
DNS COOKIE is implemented then a server cookie should also be present in the response.

It is not ignoring an unknown option 100 when it is added to the request.  The
request is being dropped.

It is not responding to requests that happen to have both a client and server
cookie present. The expected response if DNS COOKIE is supported is BADCOOKIE,
as this example has a server cookie that did not come from the server being
queried, if DNS COOKIE is supported or no COOKIE option if it is not supported.

Complain to qq.com that they are running non-compliant DNS servers and are breaking
DNS interoperability.  You can work around the issue by telling named to not send DNS
COOKIES in its requests.

e.g.
	server 119.29.29.29 { send-cookie false; };

Mark

% dig www.qq.com @119.29.29.29 +norec

; <<>> DiG 9.19.6-dev <<>> www.qq.com @119.29.29.29 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53841
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 45aac8f8acbe209c (echoed)
;; QUESTION SECTION:
;www.qq.com.			IN	A

;; ANSWER SECTION:
www.qq.com.		60	IN	CNAME	ins-r23tsuuf.ias.tencent-cloud.net.
ins-r23tsuuf.ias.tencent-cloud.net. 88 IN A	121.14.77.221
ins-r23tsuuf.ias.tencent-cloud.net. 88 IN A	121.14.77.201

;; Query time: 209 msec
;; SERVER: 119.29.29.29#53(119.29.29.29) (UDP)
;; WHEN: Fri Dec 02 15:15:39 AEDT 2022
;; MSG SIZE  rcvd: 131

% dig www.qq.com @119.29.29.29 +norec +qr +ednsopt=100

; <<>> DiG 9.19.6-dev <<>> www.qq.com @119.29.29.29 +norec +qr +ednsopt=100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32627
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0322cb71fefb91f7
; OPT=100:
;; QUESTION SECTION:
;www.qq.com.			IN	A

;; QUERY SIZE: 55

;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32627
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0322cb71fefb91f7
; OPT=100:
;; QUESTION SECTION:
;www.qq.com.			IN	A

;; QUERY SIZE: 55

;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32627
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0322cb71fefb91f7
; OPT=100:
;; QUESTION SECTION:
;www.qq.com.			IN	A

;; QUERY SIZE: 55

;; communications error to 119.29.29.29#53: timed out
;; no servers could be reached

% dig www.qq.com @119.29.29.29 +norec +qr +cookie=57dc9aec153f36470100000063897e4ed466568c4ab8742a

; <<>> DiG 9.19.6-dev <<>> www.qq.com @119.29.29.29 +norec +qr +cookie=57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54256
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; QUESTION SECTION:
;www.qq.com.			IN	A

;; QUERY SIZE: 67

;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54256
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; QUESTION SECTION:
;www.qq.com.			IN	A

;; QUERY SIZE: 67

;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54256
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; QUESTION SECTION:
;www.qq.com.			IN	A

;; QUERY SIZE: 67

;; communications error to 119.29.29.29#53: timed out
;; no servers could be reached


%

> On 2 Dec 2022, at 14:52, 张星 <zhangxing888 at 163.com> wrote:
> 
> A 'servfail' exception occurs after BIND runs for a period of time. After restarting BIND, servfail does not appear.
> 
> But after running for some time, it still had the same 'servfail' problem.
> 
> 
> 
> #./sbin/named -V
> BIND 9.11.5 (Extended Support Version) <id:3b0b204>
> running on Linux x86_64 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017
> built by make with '--prefix=/home/bind/' '--enable-filter-aaaa' '--with-tuning=large' '--enable-largefile' '--enable-threads'
> compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28)
> compiled with OpenSSL version: OpenSSL 1.0.2k  26 Jan 2017
> linked to OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
> compiled with zlib version: 1.2.7
> linked to zlib version: 1.2.7
> threads support is enabled

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
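
Added example, not part of the original message: a Python sketch of the checks described above, applied to the EDNS option list (OPT RDATA) of a reply. The function names, the finding strings and the use of None for a timed-out query are assumptions of this example; the cookie values come from the dig output above, and the reply bytes are rebuilt from what dig printed.

```python
import struct

COOKIE = 10  # EDNS option code for DNS COOKIE (RFC 7873)

def encode_options(options):
    """Pack (code, data) pairs as OPT RDATA: 2-byte code, 2-byte length, data."""
    return b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)

def parse_options(rdata):
    """Unpack OPT RDATA into (code, data) pairs; ValueError if malformed."""
    options, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("option data overruns RDATA")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options

def check_reply(sent_rdata, reply_rdata, probe_code=100):
    """List EDNS problems in a reply; reply_rdata=None models a timed-out query."""
    if reply_rdata is None:
        return ["no response"]
    sent_cookie = dict(parse_options(sent_rdata)).get(COOKIE, b"")
    findings = []
    for code, data in parse_options(reply_rdata):
        if code == probe_code:
            findings.append("unknown option %d was not ignored" % code)
        elif code != COOKIE:
            continue
        elif len(data) == 8:
            findings.append("client cookie returned without a server cookie")
        elif not 16 <= len(data) <= 40:  # 8-byte client + 8..32-byte server
            findings.append("COOKIE length %d is invalid" % len(data))
        elif data[:8] != sent_cookie[:8]:
            findings.append("client cookie does not match the request")
    return findings

# Option data from the first two dig runs above; the reply RDATA is rebuilt
# from dig's printed OPT section, not captured from the wire.
Q1 = encode_options([(COOKIE, bytes.fromhex("45aac8f8acbe209c"))])
Q2 = encode_options([(COOKIE, bytes.fromhex("0322cb71fefb91f7")), (100, b"")])

if __name__ == "__main__":
    print(check_reply(Q1, Q1))    # first run: cookie came back "(echoed)"
    print(check_reply(Q2, None))  # second run: all three attempts timed out
```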


