Sometimes DNS does not resolve domains

Daniel Ryslink daniel.ryslink at dialtelecom.cz
Mon Feb 9 15:40:38 UTC 2015


Hello

Investigate if it's not related to the problems with EDNS0 support and 
the fallback mechanism in BIND, as described in this article:

https://kb.isc.org/article/AA-01219/

It's described as one of the outstanding issues of both the latest 
versions of BIND 9.9 and 9.10:

Refinements to EDNS fallback behavior in BIND 9.9.6 and 9.10.1 may 
prevent named (running as a recursive server) from attempting a final 
query using UDP without EDNS0 in some rare situations where prior 
queries using EDNS0 with both and TCP did not obtain usable answers.  
For more details see https://kb.isc.org/article/AA-01219/.

I am finding a lot of these errors lately, and I cannot find out if it's 
related or not:

09-Feb-2015 12:36:11.904 query-errors: debug 1: client 
109.80.225.36#34954 (ihned.cz): query failed (SERVFAIL) for 
ihned.cz/IN/AAAA at query.c:7025
09-Feb-2015 12:36:11.904 query-errors: debug 2: fetch completed at 
resolver.c:3080 for ihned.cz/AAAA in 0.000504: failure/success 
[domain:ihned.cz,referral:0,restart:2,qrysent:2,timeout:0,lame:0,neterr:2,badresp:0,adberr:0,findfail:0,valfail:0]

I can confirm that the server sometimes fails to resolve the requested 
name, returning the SERVFAIL opcode.

-- 
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.:+420.226204627
daniel.ryslink at dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------

On 02/08/2015 10:06 PM, Eliezer Croitoru wrote:
> Hey David,
>
> Do you have any logs enabled in your settings?
> The logs can help a lot to minimize the issues.
> There is a nice example of settings at:
> http://stackoverflow.com/a/12114139
>
> Which can be a starter to give you more than you have now.
> Notice that the issue might come from something that is not in your 
> hands at all.
> You can decide which "channel" to enable or disable.
>
> Also you can verify something in your config about dnssec.
> If your server is now dnssec enabled try disabling it and see what 
> happens.
>
> Eliezer
>
> On 08/02/2015 20:35, David Woodfall wrote:
>> Any ideas what might be causing this?
>>
>> Version: bind-9.9.6_P1-x86_64-1_slack14.1
>>
>> Thanks

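Added example, not part of the original message or of BIND itself: a small Python parser for the "fetch completed" query-errors records quoted above, which totals the non-zero failure counters per domain so that a SERVFAIL can be sorted into network errors, timeouts or DNSSEC validation failures. The names parse_fetches, summarize and FAILURE_COUNTERS are this example's own, the counter descriptions are its own wording, and the third sample line is constructed.

```python
import re
from collections import Counter

# Sample input: line 2 is the fetch record quoted in the message; line 1 uses a
# documentation client address and line 3 is constructed for contrast.
SAMPLE = """\
09-Feb-2015 12:36:11.904 query-errors: debug 1: client 192.0.2.10#34954 (ihned.cz): query failed (SERVFAIL) for ihned.cz/IN/AAAA at query.c:7025
09-Feb-2015 12:36:11.904 query-errors: debug 2: fetch completed at resolver.c:3080 for ihned.cz/AAAA in 0.000504: failure/success [domain:ihned.cz,referral:0,restart:2,qrysent:2,timeout:0,lame:0,neterr:2,badresp:0,adberr:0,findfail:0,valfail:0]
09-Feb-2015 12:40:02.118 query-errors: debug 2: fetch completed at resolver.c:3080 for example.org/A in 10.000231: timed out/success [domain:example.org,referral:1,restart:3,qrysent:5,timeout:5,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

FETCH_RE = re.compile(
    r"fetch completed at \S+ for (?P<name>\S+)/(?P<type>\w+) in (?P<secs>[\d.]+): "
    r"(?P<result>[^\[]+?)\s*\[(?P<fields>[^\]]*)\]")

# Failure counters in the bracketed list, with short descriptions (example's wording).
FAILURE_COUNTERS = {
    "timeout": "queries that timed out",
    "lame": "lame servers detected",
    "neterr": "errors sending queries, e.g. server unreachable",
    "badresp": "unexpected responses",
    "adberr": "no addresses found for the zone's name servers",
    "findfail": "failures resolving name server addresses",
    "valfail": "DNSSEC validation failures",
}

def parse_fetches(text):
    """Yield one dict per 'fetch completed' record, tolerating mail-wrapped lines."""
    # Join continuation lines: a newline not followed by a new timestamp is a wrap.
    flat = re.sub(r"\s*\n\s*(?!\d{2}-\w{3}-\d{4} )", " ", text)
    for m in FETCH_RE.finditer(flat):
        rec = {"name": m["name"], "type": m["type"], "secs": float(m["secs"]),
               "result": m["result"].strip()}
        for item in m["fields"].split(","):
            key, _, val = item.partition(":")
            rec[key.strip()] = int(val) if val.strip().isdigit() else val.strip()
        yield rec

def summarize(text):
    """Per domain, total the failure counters that are non-zero."""
    totals = {}
    for rec in parse_fetches(text):
        hits = {k: rec[k] for k in FAILURE_COUNTERS if isinstance(rec.get(k), int) and rec[k]}
        totals.setdefault(rec.get("domain", rec["name"]), Counter()).update(hits)
    return totals

if __name__ == "__main__":
    for domain, counts in summarize(SAMPLE).items():
        print(domain, {k: (n, FAILURE_COUNTERS[k]) for k, n in counts.items()})
```

For the record quoted in the message the only non-zero failure counter is neterr (2), while valfail is 0.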

