Bug#1007105: bind9: reports failure before even querying

herrmann Fri, 11 Mar 2022 01:45:17 -0800

Package: bind9
Version: bind9/stable,now 1:9.16.22-1~deb11u1 amd64
Severity: important


-- System Information:
Debian Release: 11.2
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'stable-updates'), (500,
'oldstable') Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-10-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)


Report: In certain, but unpredictable cases, Bind reports a query
failure, before Bind even tries to query the requested domain.

But if the same request is sent immediately again, Bind resolves as
expected and gives the correct answer to the client.

I'm not sure, if this is really a bug. Chances are big, that it is a 
configuration failure on my site. But if the latter, till now I've found 
nothing helpful in the documentation.

 A dump of the network traffic shows following behaviour (lines 7 to 12
in the attached pcap dump):
The client (172.16.2.222) asks Bind to resolve essentra.com.
Bind tries to retrieve from 162.159.2.9 (cloudflare) the addresses not
for essentra.com, but for anna.ns.cloudflare.com resp.
vern.ns.cloudflare.com. That is okay so far, as this two are authoritative 
nameservers for essentra.com.

Immediately after that (0,1 ms), Bind sends a failure notice to the requesting 
client.

After another 1 ms, the answers from 162.159.2.9 come in. Too late for
the client.


 The client repeats the request (lines 51 to 54 in the pcap) for
essentra.com. Bind relays this query to anna.ns.cloudflare.com
(173.245.58.102). After ~1 ms the answer from anna.ns.cloudflare.com
comes in; Bind relays the answer to the requesting client. Everything's
fine!


 The big problem of course is, that most clients (e.g. mta's like
Postfix, Browsers, ...) do not repeat their request immediately. Postfix 
typically makes the next retry ~20 min later, and then (at least more often
than not) the same cycle begins again - until finally  Postfix reports a
non delivery to the mail sender.


 This happens unpredictable and, as far as I have seen, for relative few
domains only. Whenever I have seen this behavior, the auth. nameservers
for the requested domains were either from cloudflare.com or from
microsoftonline.com

anfrage_essentra.pcap
Description: application/vnd.tcpdump.pcap

09-Mar-2022 16:40:59.744 queries: info: client @0x7f2355518268 
172.16.2.222#33886 (essentra.com): query: essentra.com IN A + (10.0.0.252)
09-Mar-2022 16:40:59.744 resolver: debug 1: fetch: essentra.com/A
09-Mar-2022 16:40:59.744 lame-servers: info: network unreachable resolving 
'essentra.com/A/IN': 2a06:98c1:50::ac40:2066#53
09-Mar-2022 16:40:59.828 lame-servers: info: network unreachable resolving 
'essentra.com/A/IN': 2606:4700:58::adf5:3bf3#53
09-Mar-2022 16:40:59.828 lame-servers: info: network unreachable resolving 
'essentra.com/A/IN': 2606:4700:50::adf5:3a66#53
09-Mar-2022 16:40:59.828 lame-servers: info: network unreachable resolving 
'essentra.com/A/IN': 2803:f800:50::6ca2:c1f3#53
09-Mar-2022 16:40:59.828 lame-servers: info: network unreachable resolving 
'essentra.com/A/IN': 2803:f800:50::6ca2:c066#53
09-Mar-2022 16:40:59.828 lame-servers: info: network unreachable resolving 
'essentra.com/A/IN': 2a06:98c1:50::ac40:21f3#53
09-Mar-2022 16:40:59.828 resolver: debug 1: fetch: anna.ns.cloudflare.com/A
09-Mar-2022 16:40:59.828 resolver: debug 1: fetch: vern.ns.cloudflare.com/A
09-Mar-2022 16:40:59.828 query-errors: info: client @0x7f2355518268 
172.16.2.222#33886 (essentra.com): query failed (failure) for essentra.com/IN/A 
at query.c:7365
[...]
09-Mar-2022 16:41:02.616 queries: info: client @0x7f234c220218 
172.16.2.222#41819 (essentra.com): query: essentra.com IN A + (10.0.0.252)
09-Mar-2022 16:41:02.616 resolver: debug 1: fetch: essentra.com/A
09-Mar-2022 16:41:02.628 queries: info: client @0x7f235553a7e8 
172.16.2.222#41427 (essentra.com): query: essentra.com IN AAAA + (10.0.0.252)
09-Mar-2022 16:41:02.628 resolver: debug 1: fetch: essentra.com/AAAA
09-Mar-2022 16:41:07.568 queries: info: client @0x7f234c220218 10.0.0.11#48603 
(25.0.16.172.in-addr.arpa): query: 25.0.16.172.in-addr.arpa IN PTR + 
(10.0.0.252)
09-Mar-2022 16:41:07.568 queries: info: client @0x7f234c220218 10.0.0.11#37720 
(exchange-2019.glatz.intern): query: exchange-2019.glatz.intern IN A + 
(10.0.0.252)
09-Mar-2022 16:41:07.840 queries: info: client @0x7f235553a7e8 10.0.0.11#39632 
(essentra.com): query: essentra.com IN MX + (10.0.0.252)
09-Mar-2022 16:41:07.840 resolver: debug 1: fetch: essentra.com/MX

Bug#1007105: bind9: reports failure before even querying

Reply via email to