Missing cookie
Mark Andrews
marka at isc.org
Mon May 20 01:26:58 UTC 2024
> On 20 May 2024, at 07:37, J Doe <general at nativemethods.com> wrote:
>
> Hi list,
>
> I run a validating recursive resolver with BIND 9.18.27. Over the
> course of many days, I have noted the following warning about a missing
> cookie from a particular server:
>
> 09-May-2024 20:09:22.277 resolver: info: missing expected cookie
> from 192.5.5.241#53
>
> This server runs in the cloud with excellent connectivity, I don't do
> anything special with my firewall and I do not run any software that
> would mutate the DNS data over port 53.
>
> What could be causing the cookie to not be received from this particular
> server over a number of days?
>
> Thanks,
>
> - J
Named keeps track of where it has received DNS COOKIE responses from and
expects to get one if it has received one before from that address. Depending
upon the version, named will fall back to TCP if it thinks that it should have
got a DNS COOKIE response but didn’t. Having different server capabilities
in an anycast server can lead to this message being logged. Also spoofing
attempts can lead to this message.
As for 192.5.5.241, the instances run by Cloudflare on ISC’s behalf don’t
support DNS COOKIE whereas those run by ISC directly do. Changes in
routing can mean that the particular instance that answers your query will
change.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
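As an added illustration (not BIND's code, and not from either poster), the following Python model shows the behaviour Mark describes: a resolver remembers which addresses have returned a DNS COOKIE, flags later UDP answers from such an address that lack one, and an anycast address backed by instances with differing COOKIE support triggers the warning whenever routing flips. The address, instance names and responses are constructed; real named keeps this state with timeouts and version-dependent TCP fallback, which the model simplifies.

```python
# Added example (not BIND's own code): a simplified model of the
# "missing expected cookie" check.  The anycast setup, instance names,
# address and responses below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    server: str              # address the answer arrived from
    cookie: Optional[bytes]  # server cookie from the EDNS COOKIE option, or None
    via_tcp: bool = False    # answers over TCP are not held to the cookie expectation


class CookieTracker:
    """Remembers which addresses have ever returned a DNS COOKIE and flags
    later UDP answers from those addresses that arrive without one."""

    def __init__(self) -> None:
        self.seen_cookie: set[str] = set()
        self.log: list[str] = []

    def observe(self, r: Response) -> str:
        if r.cookie is not None:
            self.seen_cookie.add(r.server)      # learn: this address speaks COOKIE
            return "accept"
        if r.server in self.seen_cookie and not r.via_tcp:
            # An address that spoke COOKIE before answered without one over UDP:
            # either a forged answer or a different anycast instance behind the
            # same address.  Log it and retry over TCP (simplified fallback).
            self.log.append(f"missing expected cookie from {r.server}#53")
            return "retry-tcp"
        return "accept"


def simulate_anycast(address: str, supports_cookie: dict, route: list) -> CookieTracker:
    """Drive the tracker with answers from one anycast address whose backing
    instances differ in COOKIE support; `route` names the instance that
    answers each successive query (a hypothetical routing history)."""
    tracker = CookieTracker()
    for instance in route:
        cookie = b"\x01" * 8 if supports_cookie[instance] else None
        tracker.observe(Response(address, cookie))
    return tracker


if __name__ == "__main__":
    t = simulate_anycast("192.0.2.1", {"isc": True, "cdn": False},
                         ["isc", "cdn", "isc", "cdn"])
    print("\n".join(t.log))
```

Running the model with a route that alternates between a COOKIE-capable and a non-capable instance logs the warning on every answer from the non-capable one, while a route that only ever hits the non-capable instance logs nothing, which matches the intermittent pattern the original poster saw.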