[SOLVED] Re: BIND9 SERVFAIL on some .gov addresses

Ryan Novosielski novosirj at umdnj.edu
Wed Feb 23 22:18:21 UTC 2011


There was also a message-length client auto or something like that too 
for some versions of some Cisco HW, but if memory serves, the version 
that introduced it is broken. :)

On 02/23/2011 04:54 PM, Warren Kumari wrote:
> In PIX versions 6.3.2 and below you had to do:
> fixup protocol dns maximum-length 4096
>
> In later versions you need:
>
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 4096
>
> or to increase the response size length:
>
> policy-map global_policy
> class inspection_default
> inspect dns maximum-length 4096
>
>
> This is rumor and innuendo, I personally believe that:
> a: firewalls with ALGs are the devil
> b: this goes double for PIX / ASA and
> c: doubled again for putting them in front of servers, especially DNS
> servers....
>
> W
>
> On Feb 23, 2011, at 1:13 PM, Ryan Novosielski wrote:
>
>>
>> A couple more gems:
>> https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
>>
>>
>> (really anything at dnssec-deployment.org)
>>
>> There was another table that I found someplace and cannot find now that
>> listed Cisco PIX and mentioned with a * the subtle difference between
>> versions of that firewall firmware. I can't find that table anywhere --
>> was HTML, not in a PDF.
>>
>> On 02/23/2011 11:39 AM, Ryan Novosielski wrote:
>>> Take a look at this. It is somewhat confusing, but it is helpful and
>>> should tell you right away if you definitely have a firewall issue (and
>>> frankly there's little else it could be).
>>>
>>> https://www.dns-oarc.net/oarc/services/replysizetest
>>>
>>> On 02/23/2011 11:15 AM, Shaoquan Lin wrote:
>>>> Thanks, Mark,
>>>
>>>> Last June I asked our firewall person to make sure our firewall was not
>>>> blocking DNS packets over 512 bytes. He told me our firewall was not
>>>> blocking. I guess that might be some default setting of the firewall
>>>> and he does not really know. I did two digs here, one with +dnssec and
>>>> one without. I got the following:
>>>
>>>> 1) with +dnssec :
>>>> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
>>>> +dnssec
>>>> ;; global options: +cmd
>>>> ;; connection timed out; no servers could be reached
>>>
>>>> 2) without +dnssec :
>>>> ; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
>>>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
>>>
>>>> ;; QUESTION SECTION:
>>>> ;vwall4a.nyc.gov. IN A
>>>
>>>> ;; AUTHORITY SECTION:
>>>> nyc.gov. 86400 IN NS vwall1a.nyc.gov.
>>>> nyc.gov. 86400 IN NS vwall2a.nyc.gov.
>>>> nyc.gov. 86400 IN NS vwall3a.nyc.gov.
>>>> nyc.gov. 86400 IN NS vwall4a.nyc.gov.
>>>
>>>> ;; ADDITIONAL SECTION:
>>>> vwall1a.nyc.gov. 86400 IN A 161.185.1.3
>>>> vwall2a.nyc.gov. 86400 IN A 161.185.1.12
>>>> vwall3a.nyc.gov. 86400 IN A 167.153.130.12
>>>> vwall4a.nyc.gov. 86400 IN A 167.153.130.13
>>>
>>>> ;; Query time: 31 msec
>>>> ;; SERVER: 209.112.123.30#53(209.112.123.30)
>>>> ;; WHEN: Wed Feb 23 11:12:48 2011
>>>> ;; MSG SIZE rcvd: 192
>>>
>>>> Does this show we do have a firewall problem here?
>>>
>>>> Shaoquan Lin
>>>
>>>> Mark Andrews wrote:
>>>>> In message <0539E64AD2B54AD2804C2394F923800B at se179>, "Shaoquan Lin"
>>>>> writes:
>>>>>
>>>>>> Mark,
>>>>>>
>>>>>> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is
>>>>>> that I cannot get A records of NSs (like vwall4a.nyc.gov) of nyc.gov
>>>>>> from b.gov-servers.net by BIND 9.6.1-P3, but with no problem with
>>>>>> older BINDs like 9.3. I don't know if the problem is with the
>>>>>> authoritative nameservers for gov or the nameservers for nyc.gov or
>>>>>> with the BIND I am using. I noticed the following:
>>>>>>
>>>>>
>>>>> Just fix your firewalls to allow EDNS responses through. While
>>>>> this is a bug in the authoritative servers / interpretation of
>>>>> RFC 1034, it's only an issue because your firewall configuration
>>>>> is a decade out of date.
>>>>>
>>>>>
>>>>>> 1). a.gov-servers.net or b.gov-servers.net does provide A records
>>>>>> in the additional records of their responses for other subdomain
>>>>>> under gov like treas.gov, just not nyc.gov. So the problem seems
>>>>>> with nameservers for nyc.gov. The problem is relatively new and
>>>>>> there might be some recent changes on nyc.gov.
>>>>>>
>>>>>
>>>>> The gov servers will return glue if you let bigger answers than 512
>>>>> bytes through your firewall.
>>>>>
>>>>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov
>>>>> @b.gov-servers.net +dnssec
>>>>> ;; global options: +cmd
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
>>>>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
>>>>>
>>>>> ;; OPT PSEUDOSECTION:
>>>>> ; EDNS: version: 0, flags:; udp: 1472
>>>>> ;; QUESTION SECTION:
>>>>> ;vwall4a.nyc.gov. IN A
>>>>>
>>>>> ;; AUTHORITY SECTION:
>>>>> nyc.gov. 86400 IN NS vwall1a.nyc.gov.
>>>>> nyc.gov. 86400 IN NS vwall2a.nyc.gov.
>>>>> nyc.gov. 86400 IN NS vwall3a.nyc.gov.
>>>>> nyc.gov. 86400 IN NS vwall4a.nyc.gov.
>>>>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8
>>>>> 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
>>>>> rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400
>>>>> 20110227210022 20110222210022 47602 gov.
>>>>> ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8
>>>>> JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn
>>>>> Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA
>>>>> 1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u
>>>>> In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9
>>>>> CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==
>>>>>
>>>>> ;; ADDITIONAL SECTION:
>>>>> vwall1a.nyc.gov. 86400 IN A 161.185.1.3
>>>>> vwall2a.nyc.gov. 86400 IN A 161.185.1.12
>>>>> vwall3a.nyc.gov. 86400 IN A 167.153.130.12
>>>>> vwall4a.nyc.gov. 86400 IN A 167.153.130.13
>>>>>
>>>>> ;; Query time: 187 msec
>>>>> ;; SERVER: 209.112.123.30#53(209.112.123.30)
>>>>> ;; WHEN: Wed Feb 23 11:54:06 2011
>>>>> ;; MSG SIZE rcvd: 574
>>>>>
>>>>>
>>>>>> 2) Older versions of BIND (like 9.3) seem able to resolve
>>>>>> vwall4a.nyc.gov, as shown by the packets I captured in my previous
>>>>>> e-mail.
>>>>>>
>>>>>> What options in named.conf I can use to set "tc"?
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> Shaoquan Lin
>>>>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>>
>


-- 
---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
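The reply-size test the thread keeps pointing at boils down to one question: does a DNS reply larger than 512 bytes make it back through the firewall when the query advertises EDNS0? Below is an added example, not code from the thread or from ISC, that builds the same two queries dig sent above (plain, and with an EDNS0 OPT record and the DO bit, like +dnssec) and classifies a reply by its size, TC bit and advertised UDP payload size. Names, the constructed_reply() sample and the verdict strings are assumptions made for this example; to test a real path you would send build_query() over UDP to the server and feed whatever comes back (or None on timeout) to diagnose().

```python
import struct

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, udp_size=None, dnssec_ok=False, txid=0x1234):
    """Non-recursive A query (like dig +norec); udp_size adds an EDNS0 OPT RR advertising it."""
    hdr = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1 if udp_size else 0)
    pkt = hdr + encode_name(name) + struct.pack("!HH", 1, 1)
    if udp_size:  # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL holds the DO bit
        pkt += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if dnssec_ok else 0, 0)
    return pkt

def _skip_name(pkt, off):
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def parse_response(pkt):
    """What the reply-size question needs: total size, TC bit, and the OPT RR's UDP size."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    edns = None
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:
            edns = rclass
        off += 10 + rdlen
    return {"size": len(pkt), "tc": bool(flags & 0x0200), "edns_udp_size": edns}

def diagnose(edns_reply):
    """None = the +dnssec query timed out, the symptom reported in the thread."""
    if edns_reply is None:
        return "timeout"
    info = parse_response(edns_reply)
    return "truncated" if info["tc"] else ("large-udp-ok" if info["size"] > 512 else "small")

def constructed_reply(name, payload_len, udp_size=1472, tc=False):
    """Constructed sample (not a capture): one opaque RRSIG of payload_len bytes plus an OPT RR."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8000 | (0x0200 if tc else 0), 1, 0, 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 46, 1, 86400, payload_len) + b"\x00" * payload_len
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1) + rr + opt
```

A "timeout" verdict for the EDNS query while the plain query answers (192 bytes in the thread versus 574 bytes for the DNSSEC reply) is exactly the 512-byte ALG limit the PIX/ASA settings above raise.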