Odd response from upstream DNS servers

Levi Pederson levipederson at mankatonetworks.net
Tue Jan 6 20:43:30 UTC 2015


All,


Bind is version:

root@ns1:~# named -v
BIND 9.8.4-rpz2+rl005.12-P1


And here is the Packet Dissection

Packet 838 Client ---> Local Name Server
Packet 839 Local-NS ---> Upstream NS
Packet 840 Upstream-NS ---> Local-NS
Packet 841 Local-NS ---> Client

<code>

No.     Time            Source                Destination Protocol Length Info
    838 06:11:21.064388 CLIENT         LOCAL-DNS-SERVER          DNS 114    Standard query 0x0479  NAPTR DOMAIN-NAME-REQUEST

Frame 838: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)
Ethernet II, Src: Cisco_b9:31:c0 (1c:e6:c7:b9:31:c0), Dst: Vmware_a0:18:f3 (00:50:56:a0:18:f3)
Internet Protocol Version 4, Src: CLIENT (CLIENT), Dst: LOCAL-DNS-SERVER (LOCAL-DNS-SERVER)
User Datagram Protocol, Src Port: hydap (15000), Dst Port: domain (53)
Domain Name System (query)
    [Response In: 3400]
    Transaction ID: 0x0479
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        DOMAIN-NAME-REQUEST: type NAPTR, class IN

No.     Time            Source                Destination Protocol Length Info
    839 06:11:21.066859 LOCAL-DNS-SERVER          UPSTREAM-DNS-SERVER   DNS      125    Standard query 0xb83c  NAPTR DOMAIN-NAME-REQUEST

Frame 839: 125 bytes on wire (1000 bits), 125 bytes captured (1000 bits)
Ethernet II, Src: Vmware_a0:18:f3 (00:50:56:a0:18:f3), Dst: Cisco_b9:31:c0 (1c:e6:c7:b9:31:c0)
Internet Protocol Version 4, Src: LOCAL-DNS-SERVER (LOCAL-DNS-SERVER), Dst: UPSTREAM-DNS-SERVER (UPSTREAM-DNS-SERVER)
User Datagram Protocol, Src Port: 23175 (23175), Dst Port: domain (53)
Domain Name System (query)
    [Response In: 840]
    Transaction ID: 0xb83c
    Flags: 0x0110 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...1 .... = Non-authenticated data: Acceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        DOMAIN-NAME-REQUEST: type NAPTR, class IN
    Additional records
        <Root>: type OPT

No.     Time            Source                Destination Protocol Length Info
    840 06:11:21.154523 UPSTREAM-DNS-SERVER         LOCAL-DNS-SERVER    DNS      245    Standard query response 0xb83c

Frame 840: 245 bytes on wire (1960 bits), 245 bytes captured (1960 bits)
Ethernet II, Src: Cisco_b9:31:c0 (1c:e6:c7:b9:31:c0), Dst: Vmware_a0:18:f3 (00:50:56:a0:18:f3)
Internet Protocol Version 4, Src: UPSTREAM-DNS-SERVER (UPSTREAM-DNS-SERVER), Dst: LOCAL-DNS-SERVER (LOCAL-DNS-SERVER)
User Datagram Protocol, Src Port: domain (53), Dst Port: 23175 (23175)
Domain Name System (response)
    [Request In: 839]
    [Time: 0.087664000 seconds]
    Transaction ID: 0xb83c
    Flags: 0x8100 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 3
    Additional RRs: 4
    Queries
        DOMAIN-NAME-REQUEST: type NAPTR, class IN
    Authoritative nameservers
        CORRECT-DNS-SERVER#1: type NS, class IN, ns CORRECT-DNS-SERVER#1
        CORRECT-DNS-SERVER#2: type NS, class IN, ns CORRECT-DNS-SERVER#2
        CORRECT-DNS-SERVER#3: type NS, class IN, ns CORRECT-DNS-SERVER#3
    Additional records
        CORRECT-DNS-SERVER#1: type A, class IN, addr IP1
        CORRECT-DNS-SERVER#2: type A, class IN, addr IP2
        CORRECT-DNS-SERVER#3: type A, class IN, addr IP3
        <Root>: type OPT

No.     Time            Source                Destination Protocol Length Info
    841 06:11:21.157804 LOCAL-DNS-SERVER          CLIENT         DNS 114    Standard query response 0x0479 Server failure

Frame 841: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)
Ethernet II, Src: Vmware_a0:18:f3 (00:50:56:a0:18:f3), Dst: Cisco_b9:31:c0 (1c:e6:c7:b9:31:c0)
Internet Protocol Version 4, Src: LOCAL-DNS-SERVER (LOCAL-DNS-SERVER), Dst: CLIENT (CLIENT)
User Datagram Protocol, Src Port: domain (53), Dst Port: hydap (15000)
Domain Name System (response)
    [Request In: 3379]
    [Time: -271.132014000 seconds]
    Transaction ID: 0x0479
    Flags: 0x8182 Standard query response, Server failure
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0010 = Reply code: Server failure (2)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        DOMAIN-NAME-REQUEST: type NAPTR, class IN

</code>

Any and all help would be appreciated

Thank you,


*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipederson at mankatonetworks.net


On Tue, Jan 6, 2015 at 2:31 PM, Adrian Beaudin <Adrian.Beaudin at nominum.com>
wrote:

>  Hi Levi,
>
>  Are you able to use dig to make sure that the server is responding
> properly?
>
>  fwiw, I have seen mobile/voice equipment in the past that had oddly
> written dns resolvers  - some caused weird issues even with valid responses.
>
>  -a
>
>    *Adrian Beaudin*
>
> Principal Architect, Special Projects
>
> Nominum, Inc. <http://www.nominum.com>
>
> o: +1.650.587.1513
>
>
> * adrian.beaudin at nominum.com <adrian.beaudin at nominum.com> *
>     ------------------------------
> *From:* bind-users-bounces at lists.isc.org [bind-users-bounces at lists.isc.org]
> on behalf of Levi Pederson [levipederson at mankatonetworks.net]
> *Sent:* Tuesday, January 06, 2015 3:25 PM
> *To:* Evan Hunt
> *Cc:* bind-users at lists.isc.org
> *Subject:* Re: Odd response from upstream DNS servers
>
>   Alrighty,
>
>  There could be a lot of sensitive information in the Wireshark capture and I'm
> looking at how to parse that now.  Currently here is the RESPONSE.log and
> default.log information
>
>  RESPONSE.log
> <code>
>  16-Dec-2014 23:11:21.417 fetch 0x7f9d85d591d0 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): created
> 16-Dec-2014 23:11:21.417 fctx 0x7f9d7f856010(Domain-request/NAPTR'): start
> 16-Dec-2014 23:11:21.417 fctx 0x7f9d7f856010(Domain-request/NAPTR'): try
> 16-Dec-2014 23:11:21.418 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelqueries
> 16-Dec-2014 23:11:21.418 fctx 0x7f9d7f856010(Domain-request/NAPTR'): getaddresses
> 16-Dec-2014 23:11:21.418 fctx 0x7f9d7f856010(Domain-request/NAPTR'): query
> 16-Dec-2014 23:11:21.418 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): send
> 16-Dec-2014 23:11:21.418 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): sent
> 16-Dec-2014 23:11:21.418 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): udpconnected
> 16-Dec-2014 23:11:21.419 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): senddone
> 16-Dec-2014 23:11:21.489 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): response
> ;Domain-request.        IN NAPTR
>
>  UPSTREAM RESPONSES
>
>  UPSTREAM-RESPONSE 86400 IN A Correct-IP#1
> UPSTREAM-RESPONSE 86400 IN A Correct-IP#2
> UPSTREAM-RESPONSE 86285 IN A Correct-IP#3
> 16-Dec-2014 23:11:21.490 fctx 0x7f9d7f856010(Domain-request/NAPTR'): noanswer_response
> 16-Dec-2014 23:11:21.490 log_ns_ttl: fctx 0x7f9d7f856010: noanswer_response: Domain-request (in 'domain-name'?): 1 86285
> 16-Dec-2014 23:11:21.490 fctx 0x7f9d7f856010: trimming ttl of domain-name/NS for Domain-request/NAPTR: 86400 -> 86285
> 16-Dec-2014 23:11:21.490 DNS format error from upstreamServer#53 resolving Domain-request/NAPTR for client CLIENT-IP#15000: non-improving referral
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelquery
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): add_bad
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): try
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelqueries
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): getaddresses
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): no addresses
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): done
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): stopeverything
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelqueries
> 16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): sendevents
> 16-Dec-2014 23:11:21.492 fetch 0x7f9d85d591d0 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): destroyfetch
> 16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): shutdown
> 16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): doshutdown
> 16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): stopeverything
> 16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelqueries
> 16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): unlink
> 16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): destroy
>
>  </code>
>
>  Default.LOG
>
>  17-Dec-2014 00:07:38.205 query-errors: debug 2: fetch completed at resolver.c:3073 for domain-name/A in 0.071177: failure/success [domain:domain-name,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
>
>
>  While I know the timestamps are different, the same thing happens with
> each request.  Now onto the Wireshark parse.
>
>    *Levi Pederson*
> Mankato Networks LLC
> cell | 612.481.0769
> work | 612.787.7392
> levipederson at mankatonetworks.net
>
>
> On Tue, Jan 6, 2015 at 1:48 PM, Evan Hunt <each at isc.org> wrote:
>
>> On Tue, Jan 06, 2015 at 01:03:10PM -0600, Levi Pederson wrote:
>> > However I can see the request come back to my server only to be rejected as
>> > FORMERR  and DNS format error badresp:1
>>
>> It looks like the upstream server sent a badly formatted response.  We'd be
>> better equipped to diagnose the problem if you told us what query you were
>> trying to resolve, and what version of BIND you're running.
>>
>> --
>> Evan Hunt -- each at isc.org
>> Internet Systems Consortium, Inc.
>>
>
>
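
For triaging named debug logs like the RESPONSE.log and Default.LOG excerpts quoted in this thread, here is an added example (not part of the original messages and not ISC code) that extracts the "DNS format error" lines and the query-errors counters. The sample lines are constructed in the shape of the anonymised excerpts; the addresses, the name example.test and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the log excerpts in this thread (not real data).
SAMPLE_LOG = """\
16-Dec-2014 23:11:21.489 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(example.test/NAPTR)): response
16-Dec-2014 23:11:21.490 DNS format error from 192.0.2.53#53 resolving example.test/NAPTR for client 198.51.100.7#15000: non-improving referral
17-Dec-2014 00:07:38.205 query-errors: debug 2: fetch completed at resolver.c:3073 for example.test/A in 0.071177: failure/success [domain:example.test,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
"""

FORMERR_RE = re.compile(
    r"DNS format error from (?P<server>\S+)#(?P<port>\d+) resolving "
    r"(?P<qname>\S+)/(?P<qtype>\w+) for client (?P<client>\S+?)#\d+: (?P<reason>.+)$")
FETCH_RE = re.compile(
    r"query-errors: .*fetch completed at \S+ for (?P<qname>\S+)/(?P<qtype>\w+) "
    r"in (?P<secs>[\d.]+): (?P<result>\S+) \[(?P<counters>[^\]]+)\]")

def parse_counters(text):
    """Turn 'domain:x,referral:0,...' into a dict; numeric fields become ints."""
    out = {}
    for item in text.split(","):
        key, _, val = item.strip().partition(":")
        val = val.strip()
        out[key] = int(val) if val.isdigit() else val
    return out

def triage(log_text):
    """Return (format_errors, fetch_failures) found in the log text."""
    formerrs, fetches = [], []
    for line in log_text.splitlines():
        m = FORMERR_RE.search(line)
        if m:
            formerrs.append(m.groupdict())
            continue
        m = FETCH_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["counters"] = parse_counters(rec.pop("counters"))
            fetches.append(rec)
    return formerrs, fetches

def bad_upstreams(formerrs):
    """Count format errors per (upstream server, reason) pair."""
    return Counter((e["server"], e["reason"]) for e in formerrs)

if __name__ == "__main__":
    errs, fetches = triage(SAMPLE_LOG)
    print(dict(bad_upstreams(errs)))
    print([(f["qname"], f["result"], f["counters"]["badresp"]) for f in fetches])
```
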