Another server that doesn't like edns

Mark_Andrews at isc.org Mark_Andrews at isc.org
Mon Jul 8 02:37:33 UTC 2002


> 	I figured I'd mention this here because last time this topic came
> up, Mark was able to use the data to improve bind 8's edns stuff. I saw
> lots of "refused query on non-query socket" errors from one IP after
> upgrading to bind 8.3.3 on my resolvers. I know from reading here is often
> a symptom of edns problems. The IP is 207.14.100.134, which it turns out
> is being used as the IP of two different name servers:
> 
> dig @207.14.100.134 -x 207.14.100.134 ptr
> 
> ; <<>> DiG 8.3 <<>> @207.14.100.134 -x ptr
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> ;; QUERY SECTION:
> ;;      134.100.14.207.in-addr.arpa, type = PTR, class = IN
> 
> ;; ANSWER SECTION:
> 134.100.14.207.in-addr.arpa.  1D IN A  207.14.100.134
> 
> ;; AUTHORITY SECTION:
> 134.100.14.207.in-addr.arpa.  1D IN NS  NS1.INTERIMNAMESERVER.COM.
> 134.100.14.207.in-addr.arpa.  1D IN NS  NS2.INTERIMNAMESERVER.COM.
> 
> ;; ADDITIONAL SECTION:
> NS1.INTERIMNAMESERVER.COM.  1D IN A  207.14.100.134
> NS2.INTERIMNAMESERVER.COM.  1D IN A  207.14.100.134

	You need to make dig use EDNS.  Looks like it just sends the
	query back to you.

dig @207.14.100.134 -x 207.14.100.134 ptr +dnssec

; <<>> DiG 8.3 <<>> @207.14.100.134 -x ptr +dnssec 
; (1 server found)
;; res options: init recurs defnam dnsrch dnssec
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3339
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION:
;;      134.100.14.207.in-addr.arpa, type = PTR, class = IN

;; ADDITIONAL SECTION:
; EDNS: version: 0, udp=4096, flags=8000

;; Total query time: 234 msec
;; FROM: drugs.dv.isc.org to SERVER: 207.14.100.134  207.14.100.134
;; WHEN: Mon Jul  8 12:20:34 2002
;; MSG SIZE  sent: 56  rcvd: 56

	Also look at this garbage response to a SOA query.

; <<>> DiG 8.3 <<>> soa INTERIMNAMESERVER.COM @207.14.100.134 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;	INTERIMNAMESERVER.COM, type = SOA, class = IN

;; ANSWER SECTION:
INTERIMNAMESERVER.COM.	1D IN A		207.14.100.134

;; AUTHORITY SECTION:
INTERIMNAMESERVER.COM.	1D IN NS	NS1.INTERIMNAMESERVER.COM.
INTERIMNAMESERVER.COM.	1D IN NS	NS2.INTERIMNAMESERVER.COM.

;; ADDITIONAL SECTION:
NS1.INTERIMNAMESERVER.COM.  1D IN A  207.14.100.134
NS2.INTERIMNAMESERVER.COM.  1D IN A  207.14.100.134

;; Total query time: 287 msec
;; FROM: drugs.dv.isc.org to SERVER: 207.14.100.134
;; WHEN: Mon Jul  8 12:28:34 2002
;; MSG SIZE  sent: 39  rcvd: 165
	
	Mark

> Those name servers are authoritative for a lot of zones that my users want
> to visit, so I was getting a lot of errors. Interstingly enough, the qr
> flag is set on the response when I use dig. In the past, the edns problems
> I read about were related to the lack of that flag. I haven't done any
> tcpdumping of the traffic to and from my resolvers though... sorry. I do
> know that when I put
> 
> server 207.14.100.134   { edns no; };
> 
> in my configs, the problem goes away, and users are able to surf to those
> domains.
> 
> HTH,
> 
> Doug
> -- 
>    "We have known freedom's price. We have shown freedom's power.
>       And in this great conflict, ...  we will see freedom's victory."
> 	- George W. Bush, President of the United States
>           State of the Union, January 28, 2002
> 
>          Do YOU Yahoo!?
> 
> 
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org


More information about the bind-users mailing list