[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
lin at ccny.cuny.edu
Wed Feb 23 16:15:02 UTC 2011
Last June I asked our firewall person to make sure our firewall was not
blocking DNS packets over 512 bytes. He told me our firewall was not
blocking. I guess that might be some default setting of the firewall
and he does not really know. I did two digs here, one with +dnssec and
one without. I got the following:
1) with +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; connection timed out; no servers could be reached
2) without +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;vwall4a.nyc.gov. IN A
;; AUTHORITY SECTION:
nyc.gov. 86400 IN NS vwall1a.nyc.gov.
nyc.gov. 86400 IN NS vwall2a.nyc.gov.
nyc.gov. 86400 IN NS vwall3a.nyc.gov.
nyc.gov. 86400 IN NS vwall4a.nyc.gov.
;; ADDITIONAL SECTION:
vwall1a.nyc.gov. 86400 IN A 18.104.22.168
vwall2a.nyc.gov. 86400 IN A 22.214.171.124
vwall3a.nyc.gov. 86400 IN A 126.96.36.199
vwall4a.nyc.gov. 86400 IN A 188.8.131.52
;; Query time: 31 msec
;; SERVER: 184.108.40.206#53(220.127.116.11)
;; WHEN: Wed Feb 23 11:12:48 2011
;; MSG SIZE rcvd: 192
Does this show we do have a firewall problem here?
Mark Andrews wrote:
> In message <0539E64AD2B54AD2804C2394F923800B at se179>, "Shaoquan Lin" writes:
>> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is that I
>> cannot get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from
>> b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older BINDs like
>> 9.3. I don't know if the problem is with the authoritative nameservers for
>> gov or the nameservers for nyc.gov or with the BIND I am using. I noticed
>> the following:
> Just fix your firewalls to allow EDNS responses through. While
> this is a bug in the authoritative servers / interpretation of
> RFC 1034, it's only an issue because your firewall configuration
> is a decade out of date.
>> 1) a.gov-servers.net or b.gov-servers.net does provide A records in the
>> additional records of their responses for other subdomains under gov like
>> treas.gov, just not nyc.gov. So the problem seems to be with the nameservers
>> for nyc.gov. The problem is relatively new and there might be some recent
>> changes on nyc.gov.
> The gov servers will return glue if you let bigger answers than 512 bytes
> through your firewall.
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1472
> ;; QUESTION SECTION:
> ;vwall4a.nyc.gov. IN A
> ;; AUTHORITY SECTION:
> nyc.gov. 86400 IN NS vwall1a.nyc.gov.
> nyc.gov. 86400 IN NS vwall2a.nyc.gov.
> nyc.gov. 86400 IN NS vwall3a.nyc.gov.
> nyc.gov. 86400 IN NS vwall4a.nyc.gov.
> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 20110227210022 20110222210022 47602 gov. ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8 JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9 CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==
> ;; ADDITIONAL SECTION:
> vwall1a.nyc.gov. 86400 IN A 18.104.22.168
> vwall2a.nyc.gov. 86400 IN A 22.214.171.124
> vwall3a.nyc.gov. 86400 IN A 126.96.36.199
> vwall4a.nyc.gov. 86400 IN A 188.8.131.52
> ;; Query time: 187 msec
> ;; SERVER: 184.108.40.206#53(220.127.116.11)
> ;; WHEN: Wed Feb 23 11:54:06 2011
> ;; MSG SIZE rcvd: 574
>> 2) Older versions of BIND (like 9.3) seem able to resolve vwall4a.nyc.gov
>> as shown in the packets I captured in my previous e-mail.
>> What options in named.conf can I use to set "tc"?
>> Thank you.
>> Shaoquan Lin
Shaoquan Lin, Computer Systems Manager
School of Engineering, City College of New York
Phone: (212) 650 6762 Fax: (212) 650 5768
E-mail: lin at ccny.cuny.edu
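An added sketch (not code from this thread, BIND or dig) of what the two dig runs above differ in on the wire: `+dnssec` adds an EDNS0 OPT pseudo-RR advertising a 1472-byte UDP buffer plus the DO bit, and a signed referral then carries NSEC3/RRSIG bulk that pushes the response past 512 bytes, which a firewall rule written for pre-EDNS DNS silently drops, so the client sees only a timeout. The names are taken from the thread; the NSEC3/RRSIG bytes are simulated as an EDNS padding option, the parent-zone and glue-omitted layout are assumptions, and nothing is sent on the network.

```python
import struct
def encode_name(name):
    """Wire-format a domain name, uncompressed."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def opt_rr(udp_size, do_bit=False, rdata=b""):
    """EDNS0 OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size, TTL holds the DO bit."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do_bit else 0, len(rdata)) + rdata

def build_query(qname, edns_udp_size=None, dnssec=False, qid=0x1234):
    """Query as `dig +norec` sends it (RD clear); +dnssec adds an OPT RR in ADDITIONAL."""
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return msg + (opt_rr(edns_udp_size, dnssec) if edns_udp_size else b"")

def build_referral(qname, ns_names, edns_udp_size=None, dnssec_bytes=0, qid=0x1234):
    """Referral (QR set, ANSWER 0, NS in AUTHORITY, glue omitted); dnssec_bytes stands in for NSEC3/RRSIG bulk."""
    msg = struct.pack("!HHHHHH", qid, 0x8000, 1, 0, len(ns_names), 1 if edns_udp_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    zone = encode_name(qname.split(".", 1)[1])  # assumption: the zone is qname's parent
    for ns in ns_names:
        rdata = encode_name(ns)
        msg += zone + struct.pack("!HHIH", 2, 1, 86400, len(rdata)) + rdata  # TYPE NS, IN
    if edns_udp_size:
        pad = struct.pack("!HH", 12, dnssec_bytes) + b"\x00" * dnssec_bytes  # option 12: padding (RFC 7830)
        msg += opt_rr(edns_udp_size, dnssec_bytes > 0, pad)
    return msg

def skip_name(msg, off):  # step over a name, spelled out or ending in a compression pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def inspect(msg):
    """(wire size, TC bit, EDNS UDP size or None): what dig prints as MSG SIZE rcvd, tc, udp:."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, edns = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        edns = rclass if rtype == 41 else edns
        off += 10 + rdlen
    return len(msg), bool(flags & 0x0200), edns

def classic_firewall_drops(msg):
    """A pre-EDNS rule ('DNS/UDP is at most 512 bytes') drops it; the client sees only a timeout."""
    return len(msg) > 512
```

A referral built with the four nyc.gov NS names and no OPT stays well under 512 bytes, while the same referral with EDNS and a few hundred bytes of simulated signature data crosses it, which is the pattern the two dig runs above show.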