<div dir="ltr"><div>All,</div><div><br></div><div><br></div><div>Bind is version :</div><div><br></div><div><div>root@ns1:~# named -v</div><div>BIND 9.8.4-rpz2+rl005.12-P1</div></div><div><br></div><div><br></div><div>And here is the Packet Disection</div><div><br></div><div>Packet 838 Client ---> Local Name Server</div><div>Packet 839 Local-NS ---> Upstream NS</div><div>Packet 840 Upstream-NS ---> Local-NS</div><div>Packet 841 Local-NS ---> Client</div><div><br></div><div><code></div><div><br></div><div>No. Time Source Destination Protocol Length Info</div><div> 838 06:11:21.064388 CLIENT LOCAL-DNS-SERVER DNS 114 Standard query 0x0479 NAPTR DOMAIN-NAME-REQUEST</div><div><br></div><div>Frame 838: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)</div><div>Ethernet II, Src: Cisco_b9:31:c0 (1c:e6:c7:b9:31:c0), Dst: Vmware_a0:18:f3 (00:50:56:a0:18:f3)</div><div>Internet Protocol Version 4, Src: CLIENT (CLIENT), Dst: LOCAL-DNS-SERVER (LOCAL-DNS-SERVER)</div><div>User Datagram Protocol, Src Port: hydap (15000), Dst Port: domain (53)</div><div>Domain Name System (query)</div><div> [Response In: 3400]</div><div> Transaction ID: 0x0479</div><div> Flags: 0x0100 Standard query</div><div> 0... .... .... .... = Response: Message is a query</div><div> .000 0... .... .... = Opcode: Standard query (0)</div><div> .... ..0. .... .... = Truncated: Message is not truncated</div><div> .... ...1 .... .... = Recursion desired: Do query recursively</div><div> .... .... .0.. .... = Z: reserved (0)</div><div> .... .... ...0 .... = Non-authenticated data: Unacceptable</div><div> Questions: 1</div><div> Answer RRs: 0</div><div> Authority RRs: 0</div><div> Additional RRs: 0</div><div> Queries</div><div> DOMAIN-NAME-REQUEST: type NAPTR, class IN</div><div><br></div><div>No. Time Source Destination Protocol Length Info</div><div> 839 06:11:21.066859 LOCAL-DNS-SERVER UPSTREAM-DNS-SERVER DNS 125 Standard query 0xb83c NAPTR DOMAIN-NAME-REQUEST</div><div><br></div><div>Frame 839: 125 bytes on wire (1000 bits), 125 bytes captured (1000 bits)</div><div>Ethernet II, Src: Vmware_a0:18:f3 (00:50:56:a0:18:f3), Dst: Cisco_b9:31:c0 (1c:e6:c7:b9:31:c0)</div><div>Internet Protocol Version 4, Src: LOCAL-DNS-SERVER (LOCAL-DNS-SERVER), Dst: UPSTREAM-DNS-SERVER (UPSTREAM-DNS-SERVER)</div><div>User Datagram Protocol, Src Port: 23175 (23175), Dst Port: domain (53)</div><div>Domain Name System (query)</div><div> [Response In: 840]</div><div> Transaction ID: 0xb83c</div><div> Flags: 0x0110 Standard query</div><div> 0... .... .... .... = Response: Message is a query</div><div> .000 0... .... .... = Opcode: Standard query (0)</div><div> .... ..0. .... .... = Truncated: Message is not truncated</div><div> .... ...1 .... .... = Recursion desired: Do query recursively</div><div> .... .... .0.. .... = Z: reserved (0)</div><div> .... .... ...1 .... = Non-authenticated data: Acceptable</div><div> Questions: 1</div><div> Answer RRs: 0</div><div> Authority RRs: 0</div><div> Additional RRs: 1</div><div> Queries</div><div> DOMAIN-NAME-REQUEST: type NAPTR, class IN</div><div> Additional records</div><div> <Root>: type OPT</div><div><br></div><div>No. Time Source Destination Protocol Length Info</div><div> 840 06:11:21.154523 UPSTREAM-DNS-SERVER LOCAL-DNS-SERVER DNS 245 Standard query response 0xb83c </div><div><br></div><div>Frame 840: 245 bytes on wire (1960 bits), 245 bytes captured (1960 bits)</div><div>Ethernet II, Src: Cisco_b9:31:c0 (1c:e6:c7:b9:31:c0), Dst: Vmware_a0:18:f3 (00:50:56:a0:18:f3)</div><div>Internet Protocol Version 4, Src: UPSTREAM-DNS-SERVER (UPSTREAM-DNS-SERVER), Dst: LOCAL-DNS-SERVER (LOCAL-DNS-SERVER)</div><div>User Datagram Protocol, Src Port: domain (53), Dst Port: 23175 (23175)</div><div>Domain Name System (response)</div><div> [Request In: 839]</div><div> [Time: 0.087664000 seconds]</div><div> Transaction ID: 0xb83c</div><div> Flags: 0x8100 Standard query response, No error</div><div> 1... .... .... .... = Response: Message is a response</div><div> .000 0... .... .... = Opcode: Standard query (0)</div><div> .... .0.. .... .... = Authoritative: Server is not an authority for domain</div><div> .... ..0. .... .... = Truncated: Message is not truncated</div><div> .... ...1 .... .... = Recursion desired: Do query recursively</div><div> .... .... 0... .... = Recursion available: Server can't do recursive queries</div><div> .... .... .0.. .... = Z: reserved (0)</div><div> .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server</div><div> .... .... ...0 .... = Non-authenticated data: Unacceptable</div><div> .... .... .... 0000 = Reply code: No error (0)</div><div> Questions: 1</div><div> Answer RRs: 0</div><div> Authority RRs: 3</div><div> Additional RRs: 4</div><div> Queries</div><div> DOMAIN-NAME-REQUEST: type NAPTR, class IN</div><div> Authoritative nameservers</div><div> CORRECT-DNS-SERVER#1: type NS, class IN, ns CORRECT-DNS-SERVER#1</div><div> CORRECT-DNS-SERVER#2: type NS, class IN, ns CORRECT-DNS-SERVER#2</div><div> CORRECT-DNS-SERVER#3: type NS, class IN, ns CORRECT-DNS-SERVER#3</div><div> Additional records</div><div> CORRECT-DNS-SERVER#1: type A, class IN, addr IP1</div><div> CORRECT-DNS-SERVER#2: type A, class IN, addr IP2</div><div> CORRECT-DNS-SERVER#3: type A, class IN, addr IP3</div><div> <Root>: type OPT</div><div><br></div><div>No. Time Source Destination Protocol Length Info</div><div> 841 06:11:21.157804 LOCAL-DNS-SERVER CLIENT DNS 114 Standard query response 0x0479 Server failure</div><div><br></div><div>Frame 841: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)</div><div>Ethernet II, Src: Vmware_a0:18:f3 (00:50:56:a0:18:f3), Dst: Cisco_b9:31:c0 (1c:e6:c7:b9:31:c0)</div><div>Internet Protocol Version 4, Src: LOCAL-DNS-SERVER (LOCAL-DNS-SERVER), Dst: CLIENT (CLIENT)</div><div>User Datagram Protocol, Src Port: domain (53), Dst Port: hydap (15000)</div><div>Domain Name System (response)</div><div> [Request In: 3379]</div><div> [Time: -271.132014000 seconds]</div><div> Transaction ID: 0x0479</div><div> Flags: 0x8182 Standard query response, Server failure</div><div> 1... .... .... .... = Response: Message is a response</div><div> .000 0... .... .... = Opcode: Standard query (0)</div><div> .... .0.. .... .... = Authoritative: Server is not an authority for domain</div><div> .... ..0. .... .... = Truncated: Message is not truncated</div><div> .... ...1 .... .... = Recursion desired: Do query recursively</div><div> .... .... 1... .... = Recursion available: Server can do recursive queries</div><div> .... .... .0.. .... = Z: reserved (0)</div><div> .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server</div><div> .... .... ...0 .... = Non-authenticated data: Unacceptable</div><div> .... .... .... 0010 = Reply code: Server failure (2)</div><div> Questions: 1</div><div> Answer RRs: 0</div><div> Authority RRs: 0</div><div> Additional RRs: 0</div><div> Queries</div><div> DOMAIN-NAME-REQUEST: type NAPTR, class IN</div><div><br></div><div></code></div><div><br></div><div>Any and all help would be appreciated</div><div><br></div><div>Thank you,</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><font color="#660000">Levi Pederson</font></b><div><font color="#660000">Mankato Networks LLC</font></div><div><font color="#660000">cell | 612.481.0769</font></div><div><font color="#660000">work | 612.787.7392</font></div><div><a href="mailto:levipederson@mankatonetworks.net" target="_blank">levipederson@mankatonetworks.net</a></div><div><img src="http://www.mankatonetworks.com/images/mn_logo_email.png" width="200" height="21"><br></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Tue, Jan 6, 2015 at 2:31 PM, Adrian Beaudin <span dir="ltr"><<a href="mailto:Adrian.Beaudin@nominum.com" target="_blank">Adrian.Beaudin@nominum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">Hi Levi,
<div><br>
</div>
<div>Are you able to use dig to make sure that the server is responding properly?</div>
<div><br>
</div>
<div>fwiw, I have seen mobile/voice equipment in the past that had oddly written dns resolvers - some caused weird issues even with valid responses.</div>
<div><br>
</div>
<div>-a<br>
<div><br>
<div style="font-family:Tahoma;font-size:13px">
<div style="font-family:Tahoma;font-size:13px">
<div style="font-family:Tahoma;font-size:13px">
<div style="font-family:Tahoma;font-size:13px">
<div style="font-family:Tahoma;font-size:13px"><span style="color:rgb(45,70,87);font-family:Arial,sans-serif"><font><font><font>
<p class="MsoNormal" style="font-weight:bold;color:rgb(45,70,87);margin:0in 0in 0.0001pt;font-size:11pt">
<font color="#424242"><b><font size="3"><span style="font-size:12px">Adrian Beaudin</span></font></b><font size="3"><span style="font-size:12px"></span></font></font></p>
<p class="MsoNormal" style="font-weight:bold;color:rgb(45,70,87);margin:0in 0in 0.0001pt;font-size:11pt">
<span style="font-weight:normal"><font color="#424242" size="3"><span style="font-size:12px">Principal Architect, Special Projects<br>
</span></font></span></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt"><a href="http://www.nominum.com" target="_blank"><font color="#ff0000">Nominum, Inc.</font></a></p>
<font size="3" style="font-weight:bold;font-size:medium;color:rgb(45,70,88)"><span style="font-size:12px"></span></font><b style="font-weight:bold;font-size:medium;color:rgb(45,70,88)"></b>
<p class="MsoNormal" style="font-weight:bold;color:rgb(45,70,87);margin:0in 0in 0.0001pt;font-size:11pt">
<span style="color:rgb(66,66,66);font-size:12px;font-weight:normal">o: <a href="tel:%2B1.650.587.1513" value="+16505871513" target="_blank">+1.650.587.1513</a></span></p>
<p class="MsoNormal" style="font-weight:bold;color:rgb(45,70,87);margin:0in 0in 0.0001pt;font-size:11pt">
<span style="font-weight:normal"><font size="3"><span style="font-size:12px"><span style="font-size:medium"></span></span></font></span></p>
<font size="3" style="font-weight:bold;font-size:medium;color:rgb(45,70,87)"><b><font color="#424242" size="3"><b>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt"><span style="font-weight:normal"><font size="3"><span style="font-size:12px"><a href="mailto:adrian.beaudin@nominum.com" target="_blank">adrian.beaudin@nominum.com</a></span></font></span></p>
<div><span style="font-weight:normal"><font size="3"><span style="font-size:12px"><br>
</span></font></span></div>
</b></font></b></font></font></font></font></span><font><span style="font-size:10pt"><br>
</span></font></div>
</div>
</div>
</div>
</div>
</div>
<div style="font-family:Times New Roman;color:#000000;font-size:16px">
<hr>
<div style="direction:ltr"><font face="Tahoma" color="#000000"><b>From:</b> <a href="mailto:bind-users-bounces@lists.isc.org" target="_blank">bind-users-bounces@lists.isc.org</a> [<a href="mailto:bind-users-bounces@lists.isc.org" target="_blank">bind-users-bounces@lists.isc.org</a>] on behalf of Levi Pederson [<a href="mailto:levipederson@mankatonetworks.net" target="_blank">levipederson@mankatonetworks.net</a>]<br>
<b>Sent:</b> Tuesday, January 06, 2015 3:25 PM<br>
<b>To:</b> Evan Hunt<br>
<b>Cc:</b> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<b>Subject:</b> Re: Odd response from upstream DNS servers<br>
</font><br>
</div>
<div></div>
<div>
<div dir="ltr">Alrighty,
<div><br>
</div>
<div>There could be a lot of sensitive information in the wire shark and I'm looking at how to parse that now. Currently here is the RESPONSE.log and default.log information</div>
<div><br>
</div>
<div>RESPONSE.log</div>
<div><code></div>
<div>
<div>16-Dec-2014 23:11:21.417 fetch 0x7f9d85d591d0 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): created</div>
<div>16-Dec-2014 23:11:21.417 fctx 0x7f9d7f856010(Domain-request/NAPTR'): start</div>
<div>16-Dec-2014 23:11:21.417 fctx 0x7f9d7f856010(Domain-request/NAPTR'): try</div>
<div>16-Dec-2014 23:11:21.418 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelqueries</div>
<div>16-Dec-2014 23:11:21.418 fctx 0x7f9d7f856010(Domain-request/NAPTR'): getaddresses</div>
<div>16-Dec-2014 23:11:21.418 fctx 0x7f9d7f856010(Domain-request/NAPTR'): query</div>
<div>16-Dec-2014 23:11:21.418 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): send</div>
<div>16-Dec-2014 23:11:21.418 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): sent</div>
<div>16-Dec-2014 23:11:21.418 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): udpconnected</div>
<div>16-Dec-2014 23:11:21.419 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): senddone</div>
<div>16-Dec-2014 23:11:21.489 resquery 0x7f9d7f85d010 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): response</div>
<div>;Domain-request. IN NAPTR</div>
<div><br>
</div>
<div>UPSTREAM RESPONSES</div>
<div><br>
</div>
<div>UPSTREAM-RESPONSE 86400 IN A Correct-IP#1</div>
<div>UPSTREAM-RESPONSE 86400 IN A Correct-IP#2</div>
<div>UPSTREAM-RESPONSE 86285 IN A Correct-IP#3</div>
<div>16-Dec-2014 23:11:21.490 fctx 0x7f9d7f856010(Domain-request/NAPTR'): noanswer_response</div>
<div>16-Dec-2014 23:11:21.490 log_ns_ttl: fctx 0x7f9d7f856010: noanswer_response: Domain-request (in 'domain-name'?): 1 86285</div>
<div>16-Dec-2014 23:11:21.490 fctx 0x7f9d7f856010: trimming ttl of domain-name/NS for Domain-request/NAPTR: 86400 -> 86285</div>
<div><span style="background-color:rgb(255,255,0)">16-Dec-2014 23:11:21.490 DNS format error from upstreamServer#53 resolving Domain-request/NAPTR for client CLIENT-IP#15000: non-improving referral</span></div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelquery</div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): add_bad</div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): try</div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelqueries</div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): getaddresses</div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): no addresses</div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): done</div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): stopeverything</div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelqueries</div>
<div>16-Dec-2014 23:11:21.491 fctx 0x7f9d7f856010(Domain-request/NAPTR'): sendevents</div>
<div>16-Dec-2014 23:11:21.492 fetch 0x7f9d85d591d0 (fctx 0x7f9d7f856010(Domain-request/NAPTR)): destroyfetch</div>
<div>16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): shutdown</div>
<div>16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): doshutdown</div>
<div>16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): stopeverything</div>
<div>16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): cancelqueries</div>
<div>16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): unlink</div>
<div>16-Dec-2014 23:11:21.492 fctx 0x7f9d7f856010(Domain-request/NAPTR'): destroy</div>
<div><br>
</div>
<div></code></div>
<div><br>
</div>
<div>Default.LOG</div>
<div><br>
</div>
<div><span style="font-size:13px">17-Dec-2014 00:07:38.205 query-errors: debug 2: fetch completed at resolver.c:3073 for domain-name/A in 0.071177: failure/success [domain:domain-name,</span><span style="font-size:13px">referral:0,restart:2,qrysent:</span><span style="font-size:13px">1,timeout:0,lame:0,neterr:0,</span><span style="font-size:13px;background-color:rgb(255,255,0)">badresp</span><span style="font-size:13px"><span style="background-color:rgb(255,255,0)">:1</span>,adberr:0,findfail:0,</span><span style="font-size:13px">valfail:0]</span><br>
</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div>While I know the Time stamps are different the same thing happens with each request. Now onto the wireshark parse.</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><b><font color="#660000">Levi Pederson</font></b>
<div><font color="#660000">Mankato Networks LLC</font></div>
<div><font color="#660000">cell | <a href="tel:612.481.0769" value="+16124810769" target="_blank">612.481.0769</a></font></div>
<div><font color="#660000">work | <a href="tel:612.787.7392" value="+16127877392" target="_blank">612.787.7392</a></font></div>
<div><a href="mailto:levipederson@mankatonetworks.net" target="_blank">levipederson@mankatonetworks.net</a></div>
<div><img src="http://www.mankatonetworks.com/images/mn_logo_email.png" height="21" width="200"><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Tue, Jan 6, 2015 at 1:48 PM, Evan Hunt <span dir="ltr">
<<a href="mailto:each@isc.org" target="_blank">each@isc.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, Jan 06, 2015 at 01:03:10PM -0600, Levi Pederson wrote:<br>
> However I can see the request come back to my server only to be rejected as<br>
> FORMERR and DNS format error badresp:1<br>
<br>
It looks like the upstream server send a badly formatted response. We'd be<br>
better equipped to diagnose the problem if you told us what query you were<br>
trying to resolve, and what version of BIND you're running.<span class="HOEnZb"><font color="#888888"><br>
<span><font color="#888888"><br>
--<br>
Evan Hunt -- <a href="mailto:each@isc.org" target="_blank">each@isc.org</a><br>
Internet Systems Consortium, Inc.<br>
</font></span></font></span></blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div><br></div>