Authoritative and caching

Danjel Jungersen danjel at jungersen.dk
Sun Mar 23 10:18:48 UTC 2025


On 19-02-2025 12:04, Greg Choules wrote:
> Hi Danjel.
> To obtain a packet capture use tcpdump, which is probably installed 
> already. If not, add it using your preferred package manager.
> You can dump to the screen, but I find it more useful to dump to a 
> file, which can then be analysed offline in Wireshark.
>
> A typical capture command might be:
>
>     sudo tcpdump -nvc 1000 -w <dump_file_name> host "(192.168.20.10 or 192.168.20.11)" and port 53
>
>
OK, I tried that.

I also studied the output in wireshark.
But since this is my first try, I don't know what to look for, and 
cannot find out what's wrong.

I get:
root@mail:~# dig A mail.jungersen.dk @127.0.0.1

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A mail.jungersen.dk @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47697
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 41461c3ea02342e40100000067dfdba11eea65ad9061831f (good)
;; QUESTION SECTION:
;mail.jungersen.dk.             IN      A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 23 11:00:01 CET 2025
;; MSG SIZE  rcvd: 74

The mentioned tcpdump command gave the attached result.

Just to sum it up:
My setup:
I have a mailserver (192.168.20.9), on the same box I have bind as resolver.

I have 2 bind boxes running as "local authoritative" for the 
jungersen.dk zone (192.168.20.10 and 192.168.20.11)

This was meant to give me the result of 192.168.20.9 when looking up my 
local mailserver on my local network, while giving the 212.27.12.12 
result when asked from the public.
The public DNS is hosted at one.com

I tried setting up dnssec to satisfy the suggested solution:

1) create a working chain of trust that links to your private zone content

But you may have guessed it, it does not work.

Does the above give enough info to give me more guidance?

TIA
Danjel


> That will capture to disk all DNS traffic to and from your forwarders, 
> up to a limit of 1000 packets, just as a safety net. Once that is 
> running, make your tests to the local machine, stop the capture, 
> upload it here if you wish or just open it in Wireshark and follow the 
> conversations and their timeline.
> It is almost certainly a DNSSEC problem though, as Mark says.
>
> Hope that helps.
> Cheers, Greg
>
> On Wed, 19 Feb 2025 at 10:22, Danjel Jungersen via bind-users 
> <bind-users at lists.isc.org> wrote:
>
>     On 19-02-2025 11:11, Marco Moock wrote:
>     > Am Wed, 19 Feb 2025 10:58:14 +0100
>     > schrieb Danjel Jungersen via bind-users <bind-users at lists.isc.org>:
>     >
>     >> But if I change /etc/resolv.conf to 127.0.0.1 something happens
>     >> If I do a dig or ping from my postfixbox to something that the 2 main
>     >> bind-boxes are authoritative for, it doesn't work.
>     > Please sniff the DNS traffic between the 2 machines and check if the
>     > request goes out to the authoritative server and check what it replied.
>     >
>     > You can trigger the request by
>     >
>     > dig A/AAAA non-working domain @IP.
>     >
>     > Try +recurse/+norecurse to check if the issue is related to those flags.
>     root@mail:~# dig A mail.jungersen.dk @127.0.0.1
>
>     ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A mail.jungersen.dk @127.0.0.1
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9792
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags:; udp: 1232
>     ; COOKIE: d55e55f5d6573eaf0100000067b5af13a2e4bdccbb3ce36b (good)
>     ;; QUESTION SECTION:
>     ;mail.jungersen.dk.             IN      A
>
>     ;; Query time: 4 msec
>     ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>     ;; WHEN: Wed Feb 19 11:14:43 CET 2025
>     ;; MSG SIZE  rcvd: 74
>
>
>     dig +recurse A mail.jungersen.dk @127.0.0.1
>
>     ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +recurse A mail.jungersen.dk @127.0.0.1
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19526
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags:; udp: 1232
>     ; COOKIE: 1579e49c3774139b0100000067b5af24e95ccd20f610d99d (good)
>     ;; QUESTION SECTION:
>     ;mail.jungersen.dk.             IN      A
>
>     ;; Query time: 0 msec
>     ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>     ;; WHEN: Wed Feb 19 11:15:00 CET 2025
>     ;; MSG SIZE  rcvd: 74
>
>
>     dig +norecurse A mail.jungersen.dk @127.0.0.1
>
>     ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +norecurse A mail.jungersen.dk @127.0.0.1
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10118
>     ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags:; udp: 1232
>     ; COOKIE: 689869318da8e64c0100000067b5af33f48840b2e116d76e (good)
>     ;; QUESTION SECTION:
>     ;mail.jungersen.dk.             IN      A
>
>     ;; AUTHORITY SECTION:
>     .                       3600000 IN      NS      E.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      F.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      L.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      C.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      B.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      A.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      J.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      D.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      H.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      G.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      I.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      K.ROOT-SERVERS.NET.
>     .                       3600000 IN      NS      M.ROOT-SERVERS.NET.
>
>     ;; Query time: 0 msec
>     ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>     ;; WHEN: Wed Feb 19 11:15:15 CET 2025
>     ;; MSG SIZE  rcvd: 297
>
>
>     Not sure how to do the sniff part(?)
>
>     But I must get some sort of answer...
>     dig A postfix.org @127.0.0.1
>
>     ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A postfix.org @127.0.0.1
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2255
>     ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags:; udp: 1232
>     ; COOKIE: 6c3f5cf7e1e34e450100000067b5b035b878201ed4e8d3fd (good)
>     ;; QUESTION SECTION:
>     ;postfix.org.                   IN      A
>
>     ;; ANSWER SECTION:
>     postfix.org.            3600    IN      A       65.108.3.114
>
>     ;; Query time: 852 msec
>     ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>     ;; WHEN: Wed Feb 19 11:19:33 CET 2025
>     ;; MSG SIZE  rcvd: 84
>
>     Best regards
>     Danjel
>
>
>     -- 
>     Visit https://lists.isc.org/mailman/listinfo/bind-users to
>     unsubscribe from this list
>
>     ISC funds the development of this software with paid support
>     subscriptions. Contact us at https://www.isc.org/contact/ for more
>     information.
>
>
>     bind-users mailing list
>     bind-users at lists.isc.org
>     https://lists.isc.org/mailman/listinfo/bind-users
>
-- 
Med venlig hilsen/Kind regards
Danjel Jungersen
Mail: danjel at jungersen.dk
Mobile: +45 20 42 20 11

Jungersen Grafisk ApS,
Holsbjergvej 39, DK-2620 Albertslund,
Denmark.
Tel: +45 43 64 10 00

WEBSHOP: PRINTLIGHT.DK <https://www.printlight.dk> | WWW.JUNGERSEN.DK <https://www.jungersen.dk>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind.cap
Type: image/cap
Size: 2608 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20250323/23bfb59b/attachment-0001.bin>