Massive increase of SERVFAIL after April 28th 2025.
vincent at cojot.name
Thu May 1 18:56:35 UTC 2025
Hi Michael,
Thank you so much for chiming in!
> My guess is that something is in the way, and it's probably trying to
> attack you (or your ISP) with fake replies, but it's doing a bad job.
>
> When I do:
> dig +short +nsid version.bind. txt ch dns4.p08.nsone.net
>
> I get:
> "9.21.2-1+0~20241120.131+debian12~1.gbpa6576d-Debian"
Spot on! Here's what I get:
# dig +short +nsid version.bind. txt ch dns4.p08.nsone.net
"9.16.23-RH"
198.51.45.72
Free.fr is my ISP but "9.16.23-RH" suspiciously looks like the bind
version I'm running on RHEL9:
# rndc status|grep version
version: BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>
> If you get something different, then that would be consistent with something
> else intercepting your traffic.
Could my DNS servers be doing this to themselves?
> :-(
> But that does suggest that something else is in the way.
> Did you forward with Do53, or did you use DoT/DoH?
> {No idea if bind can forward over DoH, I never tried}
>
> > - I tried to turn off dnssec completely but that barely made a difference:
>
> > dnssec-enable no;
> > dnssec-validation no;
>
> Won't matter, since github doesn't do DNSSEC, so the NXDOMAINs can't be
> validated (or rejected as invalid)
>
> > The only way to get back to a working state is to add back some forwarders.
>
> > Any ideas? Am I doing anything wrong? I'm attaching a sanitized copy of my
> > named.conf in case someone could spot something:
>
> I think you did everything right.
> I think talking to your upstream ISP is in order.
Thank you!
Vincent
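The interception check Michael suggests (a CHAOS-class TXT query for version.bind carrying an EDNS NSID request, with the answer compared against what the authoritative server is known to return) can be done on the wire without dig. The following is an added example, not code from this thread or from BIND: it builds that query, parses a reply, and flags a mismatch. The replies it checks are constructed in the test, and the NSID value "ns-example-01" is a placeholder, not a real NS1 server identity.

```python
import struct
TXT, OPT, CH, NSID = 16, 41, 3, 3  # RR types, CHAOS class, EDNS NSID option code (RFC 5001)

def encode_name(name):
    # Wire-format a dotted name as length-prefixed labels ending in the root label.
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"
def opt_rr(options):
    # EDNS0 OPT pseudo-RR: root name, type OPT, UDP size 4096 in the class field, TTL 0.
    return b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(options)) + options
def build_nsid_query(txid=0x1234):
    # Header: id, flags 0 (plain query, RD clear), QD=1, AN=0, NS=0, AR=1 (the OPT RR).
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)
    msg += encode_name("version.bind") + struct.pack("!HH", TXT, CH)
    return msg + opt_rr(struct.pack("!HH", NSID, 0))  # empty NSID option asks for the ID
def build_reply(txid, version, nsid):
    # Constructed sample reply (not captured traffic): one CH TXT answer plus NSID in OPT.
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 1)  # QR=1, AA=1
    msg += encode_name("version.bind") + struct.pack("!HH", TXT, CH)
    txt = bytes([len(version)]) + version.encode()
    msg += b"\xc0\x0c" + struct.pack("!HHIH", TXT, CH, 0, len(txt)) + txt  # name -> offset 12
    return msg + opt_rr(struct.pack("!HH", NSID, len(nsid)) + nsid)
def skip_name(buf, off):
    # Advance past a wire-format name; a 0xC0.. compression pointer is two bytes, root is one.
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)
def parse_reply(buf):
    # Return (version.bind text or None, NSID bytes or None) from a raw DNS message.
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, version, nsid = 12, None, None
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TXT and rclass == CH:
            version = rdata[1:1 + rdata[0]].decode()
        elif rtype == OPT:  # walk the EDNS options and pick out NSID
            i = 0
            while i + 4 <= len(rdata):
                code, length = struct.unpack("!HH", rdata[i:i + 4])
                if code == NSID:
                    nsid = rdata[i + 4:i + 4 + length]
                i += 4 + length
    return version, nsid
def looks_intercepted(reply, expected_version):
    # The thread's check: the server's version text coming back as something else means another party answered.
    return parse_reply(reply)[0] != expected_version
```

To run it against a live server, send build_nsid_query() over UDP to the authoritative address and pass the datagram to parse_reply(); the NSID tells you which server instance actually answered.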