Queries to a positively cached zone are failing (phila.gov)

Greg Chavez greg.chavez at gmail.com
Wed Mar 15 14:52:10 UTC 2006


On 3/15/06, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>  Ronan Flood <ronan at noc.ulcc.ac.uk> wrote
> > Also BIND will be using EDNS,
>
> % dig +bufsize=1024  @dns.phila.gov NS phila.gov
>
> ; <<>> DiG 9.2.4 <<>> +bufsize=1024 @dns.phila.gov NS phila.gov
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 58304
> ;; flags: qr rd ra; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; Query time: 119 msec
> ;; SERVER: 170.115.249.10#53(dns.phila.gov)
> ;; WHEN: Wed Mar 15 14:02:35 2006
> ;; MSG SIZE  rcvd: 12
>
>
> Now, BIND should retry without EDNS, no?

First thing I did when I saw Ronan's message was to slap myself on the
head.  The second thing I did was add this to named.conf:

        server 170.115.249.10 { edns no;};
        server 170.115.249.11 { edns no;};

The third thing I did was test it and the fourth thing I did was slap
myself again when it didn't work.  Same old same old.  Dig queries to
the phila.gov name servers work; queries by BIND time out.

Times out: that's an important distinction.  BIND doesn't get back a
FORMERR; the remote name server *never responds* to the query.

; <<>> DiG 8.3 <<>> ns phila.gov
;; res options: init recurs defnam dnsrch
;; res_nsend to server default -- 127.0.0.1: Connection timed out

Here are the results of my packet analysis using snoop.  The Ether and
IP were identical.  The DNS headers are mostly similar, save for the
RD flag.  I don't know what else to look for.

DIG-to-phila.gov (gets NXDOMAIN response):

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 8:45:20.51
ETHER:  Packet size = 74 bytes
ETHER:  Destination = 0:11:43:dc:3a:38,
ETHER:  Source      = 0:3:ba:2:e9:e6,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 60 bytes
IP:   Identification = 37693
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = 720a
IP:   Source address = 10.X.X.25, 10.X.X.25
IP:   Destination address = 170.115.249.10, 170.115.249.10
IP:   No options
IP:
UDP:  ----- UDP Header -----
UDP:
UDP:  Source port = 33102
UDP:  Destination port = 53 (DNS)
UDP:  Length = 40
UDP:  Checksum = 1076
UDP:
DNS:  ----- DNS Header -----
DNS:
DNS:  Query ID = 4
DNS:  Opcode: Query
DNS:  RD (Recursion Desired)
DNS:  1 question(s)
DNS:      Domain Name: test.phila.gov.
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:


           0: 0011 43dc 3a38 0003 ba02 e9e6 0800 4500    ..C.:8........E.
          16: 003c 933d 4000 ff11 720a 0ad1 c819 aa73    .<.=@...r......s
          32: f90a 814e 0035 0028 1076 0004 0100 0001    ...N.5.(.v......
          48: 0000 0000 0000 0474 6573 7405 7068 696c    .......test.phil
          64: 6103 676f 7600 0001 0001                   a.gov.....

BIND-to-phila.gov (no edns, times out):

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 3 arrived at 8:43:16.49
ETHER:  Packet size = 74 bytes
ETHER:  Destination = 0:11:43:dc:3a:38,
ETHER:  Source      = 0:3:ba:2:e9:e6,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 60 bytes
IP:   Identification = 51839
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = 3ac8
IP:   Source address = 10.X.X.25, 10.X.X.25
IP:   Destination address = 170.115.249.10, 170.115.249.10
IP:   No options
IP:
UDP:  ----- UDP Header -----
UDP:
UDP:  Source port = 32768
UDP:  Destination port = 53 (DNS)
UDP:  Length = 40
UDP:  Checksum = 7233
UDP:
DNS:  ----- DNS Header -----
DNS:
DNS:  Query ID = 41108
DNS:  Opcode: Query
DNS:
DNS:  1 question(s)
DNS:      Domain Name: test.phila.gov.
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:


           0: 0011 43dc 3a38 0003 ba02 e9e6 0800 4500    ..C.:8........E.
          16: 003c ca7f 4000 ff11 3ac8 0ad1 c819 aa73    .<..@...:......s
          32: f90a 8000 0035 0028 7233 a094 0000 0001    .....5.(r3......
          48: 0000 0000 0000 0474 6573 7405 7068 696c    .......test.phil
          64: 6103 676f 7600 0001 0001                   a.gov.....


These packets go through a pix firewall before they reach the wild.
One of our network engineers was able to confirm that both of these
packets were leaving the firewall.  I also got a hold of the phila.gov
folks for a time, although they have yet to come close to figuring out
how to check DNS and network logs and tables.  I am hoping that they
will soon provide me with reasonable troubleshooting data.

--
--Greg Chavez
--
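An added example, not part of the original post: a small parser that takes the two snoop hex dumps from the message (re-typed here as constructed input, offsets and ASCII gutters stripped), decodes the UDP and DNS headers, and reports which fields differ between the dig query and the BIND query. It also checks ARCOUNT, since a query carrying EDNS must have an OPT record in the additional section; both frames show ARCOUNT 0, confirming that `edns no` took effect on the wire.

```python
import struct

# Frames copied from the two snoop dumps in the post (constructed input).
DIG_FRAME = """
0011 43dc 3a38 0003 ba02 e9e6 0800 4500
003c 933d 4000 ff11 720a 0ad1 c819 aa73
f90a 814e 0035 0028 1076 0004 0100 0001
0000 0000 0000 0474 6573 7405 7068 696c
6103 676f 7600 0001 0001
"""
BIND_FRAME = """
0011 43dc 3a38 0003 ba02 e9e6 0800 4500
003c ca7f 4000 ff11 3ac8 0ad1 c819 aa73
f90a 8000 0035 0028 7233 a094 0000 0001
0000 0000 0000 0474 6573 7405 7068 696c
6103 676f 7600 0001 0001
"""

def parse_dns_query(hexdump):
    """Decode Ethernet II + IPv4 + UDP + DNS header/question from a hex dump."""
    frame = bytes.fromhex("".join(hexdump.split()))
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length from the IHL nibble
    udp = 14 + ihl                        # Ethernet II header is 14 bytes
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    dns = frame[udp + 8:]                 # UDP header is 8 bytes
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    labels, pos = [], 12                  # walk the QNAME labels
    while dns[pos]:
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", dns[pos + 1:pos + 5])
    return {
        "src_port": sport, "dst_port": dport, "udp_len": ulen,
        "id": qid, "flags": flags, "rd": bool(flags & 0x0100),
        "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass,
        "qdcount": qd, "arcount": ar,
        # EDNS is signalled by an OPT RR in the additional section,
        # so ARCOUNT == 0 means the query went out without EDNS.
        "edns": ar > 0,
    }

def diff_queries(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for k, v in diff_queries(parse_dns_query(DIG_FRAME),
                             parse_dns_query(BIND_FRAME)).items():
        print(f"{k}: dig={v[0]!r} bind={v[1]!r}")
```

Only the source port, query ID and the RD bit differ; everything else, including the absence of EDNS, is identical, which is why this comparison alone does not explain the silent drop.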
