Strange DNS problem
Jukka Pakkanen
jukka.pakkanen at qnet.fi
Mon Jun 10 17:43:02 UTC 2019
-----Original Message-----
From: Chris Thompson <cet1 at hermes.cam.ac.uk> On Behalf Of Chris Thompson
Sent: 10 June 2019 17:30
To: Jukka Pakkanen <jukka.pakkanen at qnet.fi>
Cc: bind-users at isc.org
Subject: Re: Strange DNS problem
On Jun 10 2019, Jukka Pakkanen wrote:
>We have a strange problem related to DNS services, maybe someone here
>has a clue what could be the problem.
[…]
>An example, the client domain is raimoasikainenoy.fi.
Well, there is certainly something wrong with ns.datatower.fi [193.184.54.212], as it consistently returns server cookies that bear no relationship to the client cookie sent in the query, and in fact I get *exactly* the same one as you report:
>; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591
>;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
>;; WARNING: recursion requested but not available
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4096
>; COOKIE: a0ff0c014f65b471e0b8b271ffffffffe7bab2718129c071 (bad)
every time! (Use +qr to show the client cookie sent by dig.)
I expect you could work around this by specifying
server 193.184.54.212 { send-cookie no; };
in your named.conf, but it seems to me that BIND 9.14 ought to be able to fall back on using ns.kpk.fi [192.130.183.74] which doesn't have this server cookie problem.
--
Chris Thompson
Email: cet1 at cam.ac.uk
Then, unfortunately our nameservers won't resolve ns.kpk.fi either. So even if the fall back works, as I suppose it does, it does not help here.
; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi ns.kpk.fi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64299
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5fdcace005523ca0f1b0c9c95cfe96f17497773ef05635e1 (good)
;; QUESTION SECTION:
;ns.kpk.fi. IN A
;; Query time: 0 msec
;; SERVER: 62.142.220.5#53(62.142.220.5)
;; WHEN: Mon Jun 10 20:44:17 FLE Daylight Time 2019
;; MSG SIZE rcvd: 66
And again when inquiring directly with the IP of ns.kpk.fi, we do get an answer:
; <<>> DiG 9.14.2 <<>> @192.130.183.74 ns.kpk.fi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50365
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ef9a3009864a20aaaa2e5dfe5cfe9648adfe8be2561def4d (good)
;; QUESTION SECTION:
;ns.kpk.fi. IN A
;; ANSWER SECTION:
ns.kpk.fi. 600 IN A 192.130.183.74
;; Query time: 31 msec
;; SERVER: 192.130.183.74#53(192.130.183.74)
;; WHEN: Mon Jun 10 20:45:48 FLE Daylight Time 2019
;; MSG SIZE rcvd: 82
Jukka
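
Added example, not part of the original thread and not BIND or dig code: a minimal check of the EDNS COOKIE option (RFC 7873) in a response against the client cookie that was sent, which is the mismatch described above for 193.184.54.212. The sent client cookie and the well-behaved reply are constructed values, and the verdict strings are this example's own labels.

```python
import struct

COOKIE_OPT = 10  # EDNS option code for COOKIE (RFC 7873)

def edns_options(rdata: bytes):
    """Yield (code, data) for each option in an OPT record's RDATA."""
    pos = 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("option data runs past end of RDATA")
        yield code, rdata[pos:pos + length]
        pos += length

def check_cookie(sent_client_cookie: bytes, opt_rdata: bytes) -> str:
    """Classify the COOKIE option of a response against the cookie we sent."""
    for code, data in edns_options(opt_rdata):
        if code != COOKIE_OPT:
            continue
        # Valid lengths: 8 (client only) or 16..40 (client + 8..32 server bytes).
        if len(data) != 8 and not 16 <= len(data) <= 40:
            return "malformed"
        if data[:8] != sent_client_cookie:
            return "bad"  # the server did not echo our client cookie
        return "good" if len(data) > 8 else "client-only"
    return "none"

def cookie_option(cookie_hex: str) -> bytes:
    """Encode one COOKIE option as it appears inside OPT RDATA."""
    cookie = bytes.fromhex(cookie_hex)
    return struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie

# Constructed client cookie; the thread does not show the value dig sent.
SENT = bytes.fromhex("1122334455667788")
# Response cookie quoted in the thread from 193.184.54.212.
FIXED_REPLY = cookie_option("a0ff0c014f65b471e0b8b271ffffffffe7bab2718129c071")
# Constructed well-behaved reply: our client cookie plus 16 server bytes.
ECHOED_REPLY = cookie_option(SENT.hex() + "00" * 16)

if __name__ == "__main__":
    print(check_cookie(SENT, FIXED_REPLY))
    print(check_cookie(SENT, ECHOED_REPLY))
```

A resolver that gets "bad" from one authoritative server can still get a usable answer from another, which is why the fallback to the second nameserver matters in this thread.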