Thanks, Mark,

Last June I asked our firewall person to make sure our firewall was not blocking DNS packets over 512 bytes. He told me our firewall was not blocking them. I guess that might be some default setting of the firewall and he does not really know. I did two digs here, one with +dnssec and one without. I got the following:

1) with +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; connection timed out; no servers could be reached

2) without +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;vwall4a.nyc.gov.               IN      A

;; AUTHORITY SECTION:
nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.

;; ADDITIONAL SECTION:
vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
vwall4a.nyc.gov.        86400   IN      A       167.153.130.13

;; Query time: 31 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:12:48 2011
;; MSG SIZE  rcvd: 192

Does this show we do have a firewall problem here?

Shaoquan Lin

Mark Andrews wrote:
In message <0539E64AD2B54AD2804C2394F923800B@se179>, "Shaoquan Lin" writes:
Mark,

Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3?  My problem is that I
cannot get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from b.gov-servers.net with BIND 9.6.1-P3, but there is no problem with older BINDs like 9.3. I don't know if the problem is with the authoritative nameservers for gov or the nameservers for nyc.gov or with the BIND I am using. I noticed the following:

Just fix your firewalls to allow EDNS responses through.  While
this is a bug in the authoritative servers / interpretation of
RFC 1034, it's only an issue because your firewall configuration
is a decade out of date.

1). a.gov-servers.net or b.gov-servers.net does provide A records in the additional records of their responses for other subdomains under gov like treas.gov, just not nyc.gov. So the problem seems to be with the nameservers for nyc.gov. The problem is relatively new and there might have been some recent changes on nyc.gov.

The gov servers will return glue if you let answers bigger than 512 bytes
through your firewall.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;vwall4a.nyc.gov.               IN      A

;; AUTHORITY SECTION:
nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 
RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 
20110227210022 20110222210022 47602 gov. 
ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8 
JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn 
Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA 
1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u 
In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9 
CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==

;; ADDITIONAL SECTION:
vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
vwall4a.nyc.gov.        86400   IN      A       167.153.130.13

;; Query time: 187 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:54:06 2011
;; MSG SIZE  rcvd: 574
2) Older versions of BIND (like 9.3) seem able to resolve vwall4a.nyc.gov, as shown in the packets I captured in my previous e-mail.

What options in named.conf can I use to set "tc"?

Thank you.

Shaoquan Lin

--
Shaoquan Lin, Computer Systems Manager
School of Engineering, City College of New York
Phone: (212) 650 6762   Fax:   (212) 650 5768   
E-mail: l...@ccny.cuny.edu

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
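The test the thread turns on (the same question sent once without and once with EDNS0, then watching whether the larger response arrives, as the two dig runs above do) can be scripted so a firewall administrator can check the path rather than rely on a default setting. The block below is an added example written for this page, not code from the thread, from ISC or from BIND; it uses only the Python standard library. The function names (build_query, parse_response, diagnose, send_query, constructed_referral) are this example's own, and the sample response is constructed to resemble the nyc.gov referral in the dig output, not captured from the wire.

```python
# Added example, not from the bind-users thread: build a query with and
# without an EDNS0 OPT record, parse a response's header and OPT record,
# and classify what the pair of probes says about the path.
import socket
import struct

TYPE_A, TYPE_NS, TYPE_OPT = 1, 2, 41
FLAG_QR, FLAG_TC = 0x8000, 0x0200


def _wire_name(name):
    """Encode a dotted name as DNS labels; the empty string is the root name."""
    if not name:
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, edns_udp_size=None, txid=0x1234):
    """Non-recursive query (like dig +norec); with edns_udp_size set, append an
    EDNS0 OPT record advertising that UDP payload size (dig's "udp: N")."""
    arcount = 0 if edns_udp_size is None else 1
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, arcount)
    msg += _wire_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_udp_size is not None:
        # OPT RR: root name, type 41, CLASS field carries the UDP size, TTL
        # field carries extended rcode/version/flags (zero here), empty RDATA.
        msg += _wire_name("") + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract what the dig output shows: id, TC bit, section counts, the
    advertised EDNS UDP size (None without an OPT record) and wire size."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # qtype + qclass
    edns_udp_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_udp_size = rclass
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "ancount": an, "nscount": ns, "arcount": ar,
            "edns_udp_size": edns_udp_size, "size": len(msg)}


def diagnose(plain_resp, edns_resp):
    """Compare the two probes; edns_resp is None when the EDNS probe timed out."""
    plain = parse_response(plain_resp)
    if edns_resp is None:
        return ("plain answer arrives but the EDNS answer never does: suspect a "
                "firewall dropping EDNS responses or responses over 512 bytes")
    edns = parse_response(edns_resp)
    if edns["edns_udp_size"] is None:
        return "server answered without an OPT record: EDNS not supported or stripped"
    if edns["tc"]:
        return "EDNS answer truncated: the resolver must retry over TCP port 53"
    return "EDNS ok: server accepts up to %d bytes, plain %d bytes, EDNS %d bytes" % (
        edns["edns_udp_size"], plain["size"], edns["size"])


def send_query(server, query, timeout=3.0):
    """Send one UDP query; return the raw response, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


def constructed_referral(edns_udp_size=None, tc=False):
    """Constructed sample (not captured from the wire): a referral shaped like the
    nyc.gov one in the thread, reduced to one NS record plus its glue."""
    flags = FLAG_QR | (FLAG_TC if tc else 0)
    arcount = 1 if edns_udp_size is None else 2
    msg = struct.pack("!HHHHHH", 2024, flags, 1, 0, 1, arcount)
    msg += _wire_name("vwall4a.nyc.gov") + struct.pack("!HH", TYPE_A, 1)
    ns_rdata = _wire_name("vwall4a.nyc.gov")
    msg += _wire_name("nyc.gov") + struct.pack("!HHIH", TYPE_NS, 1, 86400, len(ns_rdata)) + ns_rdata
    glue = socket.inet_aton("167.153.130.13")  # glue address as shown in the thread's dig output
    msg += _wire_name("vwall4a.nyc.gov") + struct.pack("!HHIH", TYPE_A, 1, 86400, 4) + glue
    if edns_udp_size is not None:
        msg += _wire_name("") + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.  For a live check use
    # send_query(server, build_query(name)) and
    # send_query(server, build_query(name, edns_udp_size=4096)) instead.
    print(diagnose(constructed_referral(), None))
    print(diagnose(constructed_referral(), constructed_referral(edns_udp_size=1472)))
```

Read against the thread: a plain probe that answers (192 bytes above) while the EDNS probe times out is the "timed out; no servers could be reached" case, and the first diagnose string names the firewall as the thing to check. When the EDNS response does arrive, the OPT record's CLASS field is the server's advertised UDP size (the "udp: 1472" in Mark's output), and a set TC bit means the answer must be re-fetched over TCP, so 53/tcp has to be open as well.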
