Hi Sami. Firstly, a couple of definitions: NXDOMAIN is a response from an authoritative server (or a resolver because it cached it). It is a positive confirmation that "this name does not exist". It means that the QNAME in the query cannot be found, for any record type. SERVFAIL is a response from a recursive server meaning "I tried my best to get a response to your query but I just failed".
So if your monitoring tool, whatever it is, is receiving SERVFAIL responses from your DNS server then you need to fix whatever is causing those in the server. Causes of SERVFAIL could be that your server cannot contact the authoritative server(s) that should know the answer. Or it might be because your server is trying to do DNSSEC validation and that is failing. The best way to know *why* you are getting SERVFAIL would be to take a packet capture that includes the client queries to the server and any queries the server makes to try and get answers, plus all the responses. Please do that and share the results, using real domains, not examples.

Hope that helps,
Greg

On Mon, 19 Jun 2023 at 09:39, <[email protected]> wrote:

> Hello Thank you for your feedback,
> yes it works like that! for that does not work for a domain name that
> already has the return code "SERVFAIL" and we want to change this code by
> "NXDOMAIN" like this domain name "antlauncher.com"
> regards Rahal
>
> -----Original Message-----
> From: bind-users <[email protected]> On behalf of [email protected]
> Sent: Saturday, 17 June 2023 06:23
> To: [email protected]
> Subject: bind-users Digest, Vol 4262, Issue 1
>
> Today's Topics:
>
> 1. replace "SERVFAIL" to "NXDOMAIN" with rpz ([email protected])
> 2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
> 3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
> 4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 16 Jun 2023 20:39:43 +0000
> From: [email protected]
> To: "[email protected]" <[email protected]>
> Subject: replace "SERVFAIL" to "NXDOMAIN" with rpz
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello
> For monitoring reasons I try to change the return code of a domain name
> from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration of
> BIND9.16.42 as follows:
> example.com IN CNAME.
> *.example.com IN CNAME .
> But it still doesn't work, I still have the message " SERVFAIL", is it
> feasible or not please ?
> Kind regards
>
> ------------------------------
>
> Message: 2
> Date: Fri, 16 Jun 2023 20:29:16 -0700
> From: Crist Clark <[email protected]>
> To: [email protected]
> Cc: "[email protected]" <[email protected]>
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
> Message-ID:
> <CAAcrURK2=+uqQ+_AvVbiAV2jpagOhd=
> [email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
> action. Something is wrong with your configuration.
>
> On Fri, Jun 16, 2023 at 1:39 PM <[email protected]> wrote:
>
> > Hello
> >
> > For monitoring reasons I try to change the return code of a domain
> > name from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration
> > of
> > BIND9.16.42 as follows:
> >
> > example.com IN CNAME.
> >
> > *.example.com IN CNAME .
> >
> > But it still doesn't work, I still have the message " SERVFAIL", is
> > it feasible or not please ?
> >
> > Kind regards
> >
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> > from this list
> >
> > ISC funds the development of this software with paid support
> > subscriptions. Contact us at https://www.isc.org/contact/ for more
> > information.
> >
> > bind-users mailing list
> > [email protected]
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> ------------------------------
>
> Message: 3
> Date: Fri, 16 Jun 2023 21:40:11 -0700 (PDT)
> From: Fred Morris <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Admittedly, since I'm writing software to do "off label" stuff with DNS I
> make mistakes. But I have seen things along this line (interactions between
> RPZ and regular resolution in the context of "broken" domains): in some
> cases it has seemed impossible to ameliorate / mitigate SERVFAIL utilizing
> RPZ.
>
> I'll try to pay more attention and see if I can isolate a test case if the
> problem recurs. (I was kind of hoping someone would have a solution!)
>
> --
>
> Fred Morris
>
> On Fri, 16 Jun 2023, Crist Clark wrote:
>
> > That should return a NXDOMAIN. Returning SERVFAIL is never a normal
> > RPZ action. Something is wrong with your configuration.
> >
> > On Fri, Jun 16, 2023 at 1:39 PM <[email protected]> wrote:
> >>
> >> For monitoring reasons I try to change the return code of a domain
> >> name from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration
> >> of
> >> BIND9.16.42 as follows:
> >>
> >> example.com IN CNAME.
> >>
> >> *.example.com IN CNAME .
> >>
> >> But it still doesn't work, I still have the message " SERVFAIL", is
> >> it feasible or not please ?
> >>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 17 Jun 2023 07:22:50 +0200
> From: Ondřej Surý <[email protected]>
> To: Fred Morris <[email protected]>
> Cc: [email protected]
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230617/a5b1eca8/attachment.htm>
>
> ------------------------------
>
> End of bind-users Digest, Vol 4262, Issue 1
> *******************************************
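Added example, not part of the original thread: a first triage of the two SERVFAIL causes named in the reply above, done by comparing the response to a plain query with the response to the same query re-sent with the DNS Checking Disabled (CD) bit set. The CD comparison is a common heuristic that goes beyond what the thread states and does not replace the packet capture; the function names, the name `broken.example` and the sample responses are constructed for illustration.

```python
import struct

RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QR, AA, RD, RA, AD, CD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020, 0x0010

def build_query(qname, qtype=1, cd=False, qid=0x1234):
    """Wire-format query with RD set; cd=True also sets Checking Disabled,
    asking a validating resolver to skip DNSSEC validation for this query."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header of a query or response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    code = flags & 0x000F
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "ancount": ancount,
            "rcode": RCODE.get(code, f"RCODE{code}")}

def triage(resp_plain, resp_cd):
    """Compare the response to a plain query with the response to the same
    query re-sent with CD=1, and name the likely failure class."""
    plain, relaxed = parse_header(resp_plain), parse_header(resp_cd)
    if plain["rcode"] == "NXDOMAIN":
        return "nxdomain: the name does not exist"
    if plain["rcode"] != "SERVFAIL":
        return "ok: resolver returned " + plain["rcode"]
    if relaxed["rcode"] != "SERVFAIL":
        return "dnssec: fails only when validating"
    return "upstream: fails even with validation disabled"

def sample_response(rcode, cd=False):
    """Constructed header-only response (not taken from a real capture)."""
    flags = QR | RD | RA | (CD if cd else 0) | rcode
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    print(triage(sample_response(2), sample_response(0, cd=True)))
    print(triage(sample_response(2), sample_response(2, cd=True)))
    print(triage(sample_response(3), sample_response(3, cd=True)))
```

An "upstream" result is the case where the capture of the server's own outbound queries shows which authoritative servers did not answer.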

