[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

Warren Kumari warren at kumari.net
Wed Feb 23 21:54:08 UTC 2011


In PIX versions 6.3.2 and below you had to do:
fixup protocol dns maximum-length 4096

In later versions you need:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096

or to increase the response size length:

policy-map global_policy
class inspection_default
inspect dns maximum-length 4096


This is rumor and innuendo; I personally believe that:
a: firewalls with ALGs are the devil
b: this goes double for PIX / ASA and
c: doubled again for putting them in front of servers, especially DNS servers....

W

On Feb 23, 2011, at 1:13 PM, Ryan Novosielski wrote:

> A couple more gems:
> https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
>
> (really anything at dnssec-deployment.org)
>
> There was another table that I found someplace and cannot find now that
> listed Cisco PIX and mentioned with a * the subtle difference between
> versions of that firewall firmware. I can't find that table anywhere --
> was HTML, not in a PDF.
>
> On 02/23/2011 11:39 AM, Ryan Novosielski wrote:
>> Take a look at this. It is somewhat confusing, but it is helpful and
>> should tell you right away if you definitely have a firewall issue (and
>> frankly there's little else it could be).
>>
>> https://www.dns-oarc.net/oarc/services/replysizetest
>>
>> On 02/23/2011 11:15 AM, Shaoquan Lin wrote:
>>> Thanks, Mark,
>>
>>> Last June I asked our firewall person to make sure our firewall was not
>>> blocking DNS packets over 512 bytes.  He told me our firewall was not
>>> blocking.  I guess that might be some default setting of the firewall
>>> and he does not really know.  I did two digs here, one with +dnssec and
>>> one without.  I got the following:
>>
>>> 1) with +dnssec :
>>> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
>>> ;; global options: +cmd
>>> ;; connection timed out; no servers could be reached
>>
>>> 2) without +dnssec :
>>> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
>>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
>>
>>> ;; QUESTION SECTION:
>>> ;vwall4a.nyc.gov.               IN      A
>>
>>> ;; AUTHORITY SECTION:
>>> nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
>>> nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
>>> nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
>>> nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.
>>
>>> ;; ADDITIONAL SECTION:
>>> vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
>>> vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
>>> vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
>>> vwall4a.nyc.gov.        86400   IN      A       167.153.130.13
>>
>>> ;; Query time: 31 msec
>>> ;; SERVER: 209.112.123.30#53(209.112.123.30)
>>> ;; WHEN: Wed Feb 23 11:12:48 2011
>>> ;; MSG SIZE  rcvd: 192
>>
>>> Does this show we do have a firewall problem here?
>>
>>> Shaoquan Lin
>>
>>> Mark Andrews wrote:
>>>> In message <0539E64AD2B54AD2804C2394F923800B at se179>, "Shaoquan Lin" writes:
>>>>
>>>>> Mark,
>>>>>
>>>>> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3?  My problem is
>>>>> that I cannot get A records of NSs (like vwall4a.nyc.gov) of nyc.gov
>>>>> from b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older
>>>>> BINDs like 9.3.  I don't know if the problem is with the authoritative
>>>>> nameservers for gov or the nameservers for nyc.gov or with the BIND I
>>>>> am using.  I noticed the following:
>>>>>
>>>>
>>>> Just fix your firewalls to allow EDNS responses through.  While
>>>> this is a bug in the authoritative servers / interpretation of
>>>> RFC 1034, it's only an issue because your firewall configuration
>>>> is a decade out of date.
>>>>
>>>>
>>>>> 1). a.gov-servers.net or b.gov-servers.net does provide A records
>>>>> in the additional records of their responses for other subdomains
>>>>> under gov like treas.gov, just not nyc.gov.  So the problem seems
>>>>> to be with the nameservers for nyc.gov.  The problem is relatively new and
>>>>> there might be some recent changes on nyc.gov.
>>>>>
>>>>
>>>> The gov servers will return glue if you let answers bigger than 512 bytes
>>>> through your firewall.
>>>>
>>>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
>>>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
>>>>
>>>> ;; OPT PSEUDOSECTION:
>>>> ; EDNS: version: 0, flags:; udp: 1472
>>>> ;; QUESTION SECTION:
>>>> ;vwall4a.nyc.gov.        IN    A
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> nyc.gov.        86400    IN    NS    vwall1a.nyc.gov.
>>>> nyc.gov.        86400    IN    NS    vwall2a.nyc.gov.
>>>> nyc.gov.        86400    IN    NS    vwall3a.nyc.gov.
>>>> nyc.gov.        86400    IN    NS    vwall4a.nyc.gov.
>>>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8
>>>> 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
>>>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400
>>>> 20110227210022 20110222210022 47602 gov.
>>>> ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8
>>>> JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn
>>>> Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA
>>>> 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u
>>>> In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9
>>>> CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==
>>>>
>>>> ;; ADDITIONAL SECTION:
>>>> vwall1a.nyc.gov.    86400    IN    A    161.185.1.3
>>>> vwall2a.nyc.gov.    86400    IN    A    161.185.1.12
>>>> vwall3a.nyc.gov.    86400    IN    A    167.153.130.12
>>>> vwall4a.nyc.gov.    86400    IN    A    167.153.130.13
>>>>
>>>> ;; Query time: 187 msec
>>>> ;; SERVER: 209.112.123.30#53(209.112.123.30)
>>>> ;; WHEN: Wed Feb 23 11:54:06 2011
>>>> ;; MSG SIZE  rcvd: 574
>>>>
>>>>
>>>>> 2) Older versions of BIND (like 9.3) seem able to resolve
>>>>> vwall4a.nyc.gov, as shown in the packets I captured in my previous e-mail.
>>>>>
>>>>> What options in named.conf I can use to set "tc"?
>>>>>
>>>>> Thank you.
>>>>>
>>>>> Shaoquan Lin
>>>>>
>>
>>
>>
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> --
> ---- _  _ _  _ ___  _  _  _
> |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
> |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
> \__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
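As an added example (not code from the thread, from ISC or from Cisco), a pure-Python equivalent of the two-dig comparison the thread uses to tell a firewall/ALG problem from a BIND problem: build_query makes a +norec A query with or without an OPT RR advertising 4096 bytes and DO (what dig +dnssec sends), parse_response pulls out the TC bit and the server's OPT from a reply, and diagnose applies the thread's reasoning. The name vwall4a.nyc.gov is the one from the thread; sending the query over UDP/53 is left to the caller, with a timeout treated as None.

```python
import struct

def build_query(name, qid=0x1234, edns=True, udp_size=4096):
    """Non-recursive A query (dig +norec); edns=True appends an OPT RR (RFC 6891)
    advertising udp_size with the DO bit, as dig +dnssec does."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags(DO)
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_size, 0, 0, 0x8000, 0) if edns else b""
    return header + question + opt

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes
            return off + 2
        off += length + 1

def parse_response(msg):
    """TC bit, RCODE, section counts, MSG SIZE rcvd and the server's OPT UDP size."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "answer": an,
            "authority": ns, "additional": ar, "size": len(msg), "edns_udp": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:  # OPT: the CLASS field carries the advertised UDP size
            info["edns_udp"] = rclass
        off += 10 + rdlen
    return info

def diagnose(plain, edns):
    """Apply the thread's logic to the parsed replies (None = timed out, as dig
    reports 'connection timed out'): plain answered but EDNS lost = middlebox."""
    if plain is None:
        return "no answer even without EDNS: reachability problem, not a size issue"
    if edns is None:
        return "plain query answered, EDNS query timed out: firewall/ALG dropping EDNS"
    if edns["tc"] or edns["edns_udp"] is None:
        return "EDNS answer truncated or OPT stripped: raise the ALG's DNS length limit"
    return "EDNS path OK: server advertised %d, message %d bytes" % (edns["edns_udp"], edns["size"])
```

Send the bytes from build_query to the authoritative server on UDP/53 once with edns=True and once with edns=False, feed each reply (or None on timeout) to parse_response and diagnose; the same pair of outcomes as the two digs in the thread points at the firewall.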