resolver: DNS format errors

Mark Andrews marka at isc.org
Thu Sep 7 20:06:49 UTC 2023


Spamhaus’s servers are sending back responses that do not answer the question. Named is doing QNAME minimisation using NS queries and, rather than sending back a NODATA response for the empty non-terminal names, the servers are sending back the NS records for the top of the zone.

I suggest that you ask them to fix their DNS servers to correctly answer NS queries.  They appear to need to look at the query name as well as the query type. 

This is what often happens when you write custom DNS servers.  You fail to handle some query you weren’t planning for. 

Mark

-- 
Mark Andrews

> On 8 Sep 2023, at 04:41, Alex <mysqlstudent at gmail.com> wrote:
> 
> 
> Hi,
> 
> I have a fedora38 server with bind-9.18.17 and receiving the following log entries for virtually every query (where "mykey" is my registered spamhaus DQS key):
> 07-Sep-2023 14:30:13.608 lame-servers: FORMERR resolving 'mykey.hbl.dq.spamhaus.net/NS/IN': 66.42.94.100#53
> 07-Sep-2023 14:30:13.625 resolver: DNS format error from 143.215.143.8#53 resolving mykey.hbl.dq.spamhaus.net/NS for <unknown>: reply has no answer
> 07-Sep-2023 14:30:13.625 lame-servers: FORMERR resolving 'mykey.hbl.dq.spamhaus.net/NS/IN': 143.215.143.8#53
> 07-Sep-2023 14:30:13.628 lame-servers: success resolving 'psnobcays3v2r52vapfv5fgvr6pgd6znvuzyhe5ktid3ty3oai4q._file.mykey.hbl.dq.spamhaus.net/A' after disabling qname minimization due to 'failure'
> 
> 07-Sep-2023 14:39:30.214 lame-servers: success resolving '22.10.223.192.bl.spamcop.net/A' after disabling qname minimization due to 'ncache nxdomain'
> 
> For some reason my config isn't ignoring lame-servers, but it does look relevant and related to the resolver errors.
> 
> I've tried to experiment with including "minimal-responses yes;" in my config, based on some reading about a similar issue years ago, but it doesn't change anything. This nameserver provides DNS across a VPN link to a remote system on a cable modem because having the server (also fedora38) query DNS directly on a cable modem was resulting in some other weird errors.
> 
> Any ideas greatly appreciated.
> 
> acl "trusted" {
>         { 127/8; };
>         { 68.195.44.40/29; };
>         { 147.135.111.126; };
> };
> options {
>         listen-on port 53 { 127.0.0.1; 147.135.111.126; };
>         listen-on-v6 port 53 { none; };
>         directory       "/var/named";
>         dump-file       "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         secroots-file   "/var/named/data/named.secroots";
>         recursing-file  "/var/named/data/named.recursing";
>         allow-query     { trusted; };
>         allow-query-cache { trusted; };
>         minimal-responses yes;
>         recursion yes;
>         managed-keys-directory "/var/named/dynamic";
>         geoip-directory "/usr/share/GeoIP";
>         pid-file "/run/named/named.pid";
>         session-keyfile "/run/named/session.key";
>         include "/etc/crypto-policies/back-ends/bind.config";
> };
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
>         channel named_debug {
>                 severity dynamic;
>                 file "/var/log/named.debug.log" versions 2 size 100m;
>                 print-time yes;
>                 print-category yes;
>         };
>         category default { named_debug; };
>         channel query_info {
>            severity info;
>            file "/var/log/named.query.log" versions 3 size 5m;
>            print-time yes;
>            print-category yes;
>          };
>          category queries { query_info; };
> };
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> 
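The exchange Mark describes, as an added worked model that is not part of the thread and not BIND's or Spamhaus's code: a tiny in-memory authoritative zone (constructed; the names dq.example.net, key, _file and x are made up, standing in for the mykey.hbl.dq.spamhaus.net labels in Alex's logs), a correct lookup that returns NODATA for empty non-terminals, a lookup that mimics the behaviour Mark diagnoses (answering every NS query with the apex NS set regardless of QNAME), the resolver-side check that rejects a reply whose answer section does not match the question, and a QNAME-minimisation walk that falls back to the full query when that happens, mirroring the "after disabling qname minimization due to 'failure'" log line.

```python
"""Model of the failure described in the thread: a QNAME-minimising resolver
asks an authoritative server for NS at an empty non-terminal (ENT) and gets
the apex NS records back instead of NODATA.  Constructed example, not BIND or
Spamhaus code; the zone data below is made up."""

# Names are stored root-first as tuples so that prefix tests are simple:
# ("net", "example", "dq", "key") is key.dq.example.net.
def name(text):
    return tuple(label.lower() for label in reversed(text.rstrip(".").split(".")))

def to_text(labels):
    return ".".join(reversed(labels)) + "."

APEX = name("dq.example.net")

# Constructed zone: apex SOA/NS and one leaf A record.  key.dq.example.net and
# _file.key.dq.example.net exist only as empty non-terminals.
ZONE = {
    APEX: {"SOA": ["ns1.dq.example.net. hostmaster.dq.example.net. 1 3600 900 604800 300"],
           "NS": ["ns1.dq.example.net.", "ns2.dq.example.net."]},
    name("x._file.key.dq.example.net"): {"A": ["127.0.0.2"]},
}

def in_zone(qname):
    return qname[:len(APEX)] == APEX

def correct_answer(qname, qtype):
    """Authoritative lookup with the semantics a resolver expects: NXDOMAIN
    only when nothing exists at or below qname; NODATA (NOERROR, empty answer,
    SOA in authority) for ENTs and for names that lack the requested type."""
    if not in_zone(qname):
        return {"rcode": "REFUSED", "answer": [], "authority": []}
    rrsets = ZONE.get(qname, {})
    if qtype in rrsets:
        return {"rcode": "NOERROR",
                "answer": [(qname, qtype, rdata) for rdata in rrsets[qtype]],
                "authority": []}
    exists = qname in ZONE or any(n[:len(qname)] == qname for n in ZONE)
    soa = [(APEX, "SOA", ZONE[APEX]["SOA"][0])]
    return {"rcode": "NOERROR" if exists else "NXDOMAIN",
            "answer": [], "authority": soa}

def buggy_answer(qname, qtype):
    """Models the misbehaviour diagnosed in the thread (assumption, not the
    real server's code): for QTYPE=NS the server looks only at the type and
    returns the apex NS set whatever owner name was asked for."""
    if qtype == "NS" and in_zone(qname):
        return {"rcode": "NOERROR",
                "answer": [(APEX, "NS", r) for r in ZONE[APEX]["NS"]],
                "authority": []}
    return correct_answer(qname, qtype)

def classify_reply(qname, qtype, reply):
    """Resolver-side check.  A NOERROR reply whose answer section holds no RR
    owned by qname with type qtype is not an answer to the question; BIND logs
    such a reply as a format error ("reply has no answer")."""
    if reply["rcode"] != "NOERROR":
        return reply["rcode"]
    if not reply["answer"]:
        return "NODATA"
    if any(owner == qname and rtype == qtype for owner, rtype, _ in reply["answer"]):
        return "ANSWER"
    return "FORMERR"

def resolve_minimised(server, target, qtype):
    """QNAME minimisation as a resolver does it: walk one label at a time
    below the known zone cut with NS queries, then send the real question.
    Returns (trace, final status); `server` is a lookup function."""
    trace = []
    for depth in range(len(APEX) + 1, len(target)):
        partial = target[:depth]
        status = classify_reply(partial, "NS", server(partial, "NS"))
        trace.append((to_text(partial), "NS", status))
        if status == "NXDOMAIN":
            return trace, "NXDOMAIN"          # nothing below this name exists
        if status == "FORMERR":
            # Retry the full question with minimisation disabled, as BIND's
            # "after disabling qname minimization due to 'failure'" log shows.
            trace.append(("minimisation disabled", "", "failure"))
            break
        if status == "ANSWER":
            break                             # delegation point; not modelled further
    final = classify_reply(target, qtype, server(target, qtype))
    trace.append((to_text(target), qtype, final))
    return trace, final

if __name__ == "__main__":
    leaf = name("x._file.key.dq.example.net")
    for label, srv in (("correct server", correct_answer), ("buggy server", buggy_answer)):
        trace, status = resolve_minimised(srv, leaf, "A")
        print(label, status)
        for step in trace:
            print("  ", step)
```

Against the correct server the walk logs NODATA for key and _file.key and then answers the A query; against the buggy server the first NS probe comes back with NS records owned by the apex, is classified FORMERR, and the resolver only succeeds once it abandons minimisation, which is exactly the sequence in Alex's lame-servers log.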