BIND 9 recursive queries returning SERVFAIL for 'legit' domain
marka at isc.org
Wed Jun 17 23:57:34 UTC 2020
> On 17 Jun 2020, at 18:45, Ian Springett <ian.springett at giacom.com> wrote:
> I have an issue with BIND 9.14.11 and recursive queries to one particular domain. DIG result is SERVFAIL and ‘bad cookie’ is logged in /var/log/messages & /var/log/named.run
> The domain has two DNS servers behind a load balancer which is causing the bad cookie result. Would this in itself be enough to cause the SERVFAIL and if so is there a way to have exceptions for known ‘good’ domains?
Load balancers shouldn’t cause “bad cookie” (client cookie component not echoed back in the cookie response) as opposed to the BADCOOKIE rcode which can be caused by misconfigured shared secrets. Named will handle the BADCOOKIE rcode switching to TCP if necessary. “bad cookie” indicates a botched DNS COOKIE implementation in the server, a broken full answer cache mechanism that hasn’t considered that EDNS options modify responses, or someone is attempting to spoof a reply and is including a DNS COOKIE (named assumes this is the case and waits for the legitimate).
Ondrej’s suggestions are the way to go here.
> Ian Springett
> Hosted Services Engineer
> Giacom World Networks Ltd
> Tel: 0845 305 5577
> Fax: 01482 330194
> Email: ian.springett at giacom.com
> Website: www.giacom.com
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
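As an added illustration (not code from this thread or from BIND), the two failure modes Mark distinguishes can be told apart by parsing the OPT RR of a response: a BADCOOKIE extended RCODE versus a COOKIE option whose first eight bytes fail to echo the client cookie that was sent. The responses below are constructed inline; example.com and the cookie bytes are made-up sample values.

```python
import struct

COOKIE_OPT = 10   # EDNS option code for DNS COOKIE (RFC 7873)
BADCOOKIE = 23    # extended RCODE: server rejected the server-cookie half

def _skip_name(msg, off):
    """Offset just past the wire-format name at off (a compression pointer ends a name)."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_cookie_response(msg, client_cookie):
    """Classify a response as 'ok', 'no cookie', 'bad cookie' or 'BADCOOKIE'."""
    qd, an, ns, ar = struct.unpack('!HHHH', msg[4:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        off = _skip_name(msg, off) + 4
    opt_ttl, opt_rdata = None, None
    for _ in range(an + ns + ar):            # locate the OPT pseudo-RR
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if rtype == 41:
            opt_ttl, opt_rdata = ttl, msg[off:off + rdlen]
        off += rdlen
    ext_rcode = msg[3] & 0x0F                # low 4 bits from the header ...
    if opt_ttl is not None:
        ext_rcode |= (opt_ttl >> 24) << 4    # ... high 8 bits from the OPT TTL
    if ext_rcode == BADCOOKIE:
        return 'BADCOOKIE'
    pos = 0
    while opt_rdata and pos + 4 <= len(opt_rdata):
        code, length = struct.unpack('!HH', opt_rdata[pos:pos + 4])
        data = opt_rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if code == COOKIE_OPT:               # the client cookie must be echoed verbatim
            return 'ok' if data[:8] == client_cookie else 'bad cookie'
    return 'no cookie'

def build_response(rcode, cookie_opt=None):
    """Constructed minimal response to 'example.com. IN A' carrying one OPT RR."""
    hdr = struct.pack('!HHHHHH', 0x1234, 0x8180 | (rcode & 0x0F), 1, 0, 0, 1)
    question = b'\x07example\x03com\x00' + struct.pack('!HH', 1, 1)
    rdata = b'' if cookie_opt is None else struct.pack('!HH', COOKIE_OPT, len(cookie_opt)) + cookie_opt
    opt = b'\x00' + struct.pack('!HHIH', 41, 4096, (rcode >> 4) << 24, len(rdata)) + rdata
    return hdr + question + opt
```

A 'bad cookie' result is the case named in the reply as a sign of a broken server-side cookie implementation, a cache that ignores EDNS options, or a spoofed reply, whereas 'BADCOOKIE' is the rcode a resolver recovers from by retrying.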