Strange DNS problem

Jukka Pakkanen jukka.pakkanen at qnet.fi
Mon Jun 10 17:43:02 UTC 2019


-----Original Message-----
From: Chris Thompson <cet1 at hermes.cam.ac.uk> On Behalf Of Chris Thompson
Sent: 10 June 2019 17:30
To: Jukka Pakkanen <jukka.pakkanen at qnet.fi>
Cc: bind-users at isc.org
Subject: Re: Strange DNS problem

On Jun 10 2019, Jukka Pakkanen wrote:

>We have a strange problem related to DNS services, maybe someone here
>has a clue what could be the problem.
[…]
>An example, the client domain is raimoasikainenoy.fi.

Well, there is certainly something wrong with ns.datatower.fi [193.184.54.212], as it consistently returns server cookies that bear no relationship to the client cookie sent in the query, and in fact I get *exactly* the same one as you report:

>; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591
>;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
>;; WARNING: recursion requested but not available
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4096
>; COOKIE: a0ff0c014f65b471e0b8b271ffffffffe7bab2718129c071 (bad)

every time! (Use +qr to show the client cookie sent by dig.)

I expect you could work around this by specifying 

  server 193.184.54.212 { send-cookie no; };

in your named.conf, but it seems to me that BIND 9.14 ought to be able to fall back on using ns.kpk.fi [192.130.183.74] which doesn't have this server cookie problem.

--
Chris Thompson
Email: cet1 at cam.ac.uk


Then, unfortunately our nameservers won't resolve ns.kpk.fi either.  So even if the fall back works, as I suppose it does, it does not help here.

; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi ns.kpk.fi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64299
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5fdcace005523ca0f1b0c9c95cfe96f17497773ef05635e1 (good)
;; QUESTION SECTION:
;ns.kpk.fi.			IN	A

;; Query time: 0 msec
;; SERVER: 62.142.220.5#53(62.142.220.5)
;; WHEN: Mon Jun 10 20:44:17 FLE Daylight Time 2019
;; MSG SIZE  rcvd: 66

And again when inquiring directly with the IP of ns.kpk.fi, we do get an answer:


; <<>> DiG 9.14.2 <<>> @192.130.183.74 ns.kpk.fi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50365
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ef9a3009864a20aaaa2e5dfe5cfe9648adfe8be2561def4d (good)
;; QUESTION SECTION:
;ns.kpk.fi.			IN	A

;; ANSWER SECTION:
ns.kpk.fi.		600	IN	A	192.130.183.74

;; Query time: 31 msec
;; SERVER: 192.130.183.74#53(192.130.183.74)
;; WHEN: Mon Jun 10 20:45:48 FLE Daylight Time 2019
;; MSG SIZE  rcvd: 82

Jukka
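
The comparison suggested in the quoted reply (client cookie sent by dig, visible with +qr, against the COOKIE in the reply), as an added example that is not part of the original thread. The transcripts are constructed and trimmed to their COOKIE lines, the 1111…/2222… client cookies are made up, the client cookie for the "good" reply is inferred from its first 8 bytes, and the 8-byte client / 8 to 32-byte server cookie sizes come from RFC 7873; only the two reply cookie values are taken from the outputs above.

```python
import re

# Matches dig's "; COOKIE: <hex>" line in an OPT pseudosection.
COOKIE_RE = re.compile(r"^;\s*COOKIE:\s*([0-9a-fA-F]+)", re.MULTILINE)

def classify(sent_hex, reply_hex):
    """Compare the COOKIE option in a reply with the client cookie that was sent."""
    sent, reply = bytes.fromhex(sent_hex), bytes.fromhex(reply_hex)
    if len(sent) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    server = reply[8:]
    if len(reply) < 8 or (server and not 8 <= len(server) <= 32):
        return "malformed"
    if reply[:8] != sent:
        return "bad"            # reply does not echo our client cookie
    return "good" if server else "client-only"

def audit(transcripts):
    """Return (verdicts, True if one reply cookie answered different client cookies)."""
    verdicts, sent_seen, reply_seen = [], set(), set()
    for text in transcripts:
        cookies = COOKIE_RE.findall(text)
        if len(cookies) < 2:    # query or reply carried no COOKIE option
            verdicts.append("no-cookie")
            continue
        # First COOKIE line is the query; its first 8 bytes are the client cookie.
        sent, reply = cookies[0].lower()[:16], cookies[1].lower()
        verdicts.append(classify(sent, reply))
        sent_seen.add(sent)
        reply_seen.add(reply)
    return verdicts, len(sent_seen) > 1 and len(reply_seen) == 1

def sample(sent, reply):
    """Constructed, trimmed stand-in for `dig +qr` output: query first, then reply."""
    return f";; Sending:\n; COOKIE: {sent}\n;; Got answer:\n; COOKIE: {reply}\n"

BAD = "a0ff0c014f65b471e0b8b271ffffffffe7bab2718129c071"   # reply from 193.184.54.212
GOOD = "5fdcace005523ca0f1b0c9c95cfe96f17497773ef05635e1"  # reply from ns1.qnet.fi

if __name__ == "__main__":
    # Two queries with different (made-up) client cookies, same reply cookie.
    runs = [sample("1111111111111111", BAD), sample("2222222222222222", BAD)]
    print(audit(runs))
    print(audit([sample(GOOD[:16], GOOD)]))
```
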

