Re: BIND DNS problem after upgrading from Wheezy to Squeeze
Pascal Hambourg wrote:

> On 29/12/2017 at 18:27, Andrew W wrote:
>>
>> On 27/12/2017 13:18, Bernhard Schmidt wrote:
>>> Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
>>> packets. You might have an issue with UDP fragments being dropped at
>>> your firewall/NAT Gateway?
>>>
>> Thanks for this tip. Looking into it I discovered TCP seems to be
>> recommended for DNSSEC so I've enabled TCP port 53 and so far not had a
>> problem!
>
> AFAIK TCP is just a fall-back transport to work around UDP packet size
> issues. Compared to UDP, TCP transport for DNS wastes system and network
> resources.

Yes and no. For a single query, UDP is indeed more efficient. You can have long-standing TCP connections though (multiple queries through the same TCP channel, sometimes used between Client and Resolver, optionally with TLS), UDP > 1400 Bytes (Fragments) is often blocked by Firewalls or misconfigured links, and due to the possibility of spoofing in UDP (reflexive DDoS) some authoritative servers force clients to use TCP (i.e. RRL or DNS COOKIE). IOW, if you block TCP outbound for your resolver, you are asking for trouble.

Bernhard
Re: BIND DNS problem after upgrading from Wheezy to Squeeze
On 29/12/2017 at 18:27, Andrew W wrote:
> On 27/12/2017 13:18, Bernhard Schmidt wrote:
>> Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
>> packets. You might have an issue with UDP fragments being dropped at
>> your firewall/NAT Gateway?
>
> Thanks for this tip. Looking into it I discovered TCP seems to be
> recommended for DNSSEC so I've enabled TCP port 53 and so far not had a
> problem!

AFAIK TCP is just a fall-back transport to work around UDP packet size issues. Compared to UDP, TCP transport for DNS wastes system and network resources.
Re: BIND DNS problem after upgrading from Wheezy to Squeeze
On 27/12/2017 13:18, Bernhard Schmidt wrote:
> Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
> packets. You might have an issue with UDP fragments being dropped at
> your firewall/NAT Gateway?

Thanks for this tip. Looking into it I discovered TCP seems to be recommended for DNSSEC so I've enabled TCP port 53 and so far not had a problem!
Re: BIND DNS problem after upgrading from Wheezy to Squeeze
Andrew Wood wrote:

Hi,

> I have a server which acts as a DNS server for our LAN. All our internal
> servers have A records on it using a .local domain and it forwards all
> other requests out to the root servers using the in built list provided
> with BIND. All clients on the LAN have this machine set as their only
> DNS server.
>
> It has worked fine for 6 years under Wheezy but I have just upgraded it
> to Stretch. I did an upgrade to Jessie first, rebooted, checked
> everything was OK, and then immediately upgraded to Stretch.
>
> Since then we keep getting intermittent DNS lookup failures for various
> domains on the internet, which will typically work if you click the
> refresh button in the browser a few times.
>
> BIND seems to just log to syslog/systemd; it doesn't appear to be
> configured to use its own log. If I run journalctl -xe | grep "named" I
> can get the log entries but none of them relate to the failed DNS
> lookup. If I do it immediately after a failure has occurred nothing is
> logged so I'm at a bit of a loss to work out what might be wrong.
>
> Does anyone have any ideas please?

Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large packets. You might have an issue with UDP fragments being dropped at your firewall/NAT Gateway?

https://www.dns-oarc.net/oarc/services/replysizetest

You can try to set edns-udp-size 1200; in your options {} block if you see issues there.

Bernhard
Re: BIND DNS problem after upgrading from Wheezy to Squeeze
Andrew W wrote:
>
> Does anyone have any ideas please?
>

I had the same experience - I think (after trying this and that) the solution was ntp (time was behind on the server), but I am not really 100%. I was thinking first it has something to do with ipv6 or firewall, but after updating the time, it disappeared.

Perhaps it may help in your case to see if you sync up your machine time.

Regards
BIND DNS problem after upgrading from Wheezy to Squeeze
I have a server which acts as a DNS server for our LAN. All our internal servers have A records on it using a .local domain and it forwards all other requests out to the root servers using the in built list provided with BIND. All clients on the LAN have this machine set as their only DNS server.

It has worked fine for 6 years under Wheezy but I have just upgraded it to Stretch. I did an upgrade to Jessie first, rebooted, checked everything was OK, and then immediately upgraded to Stretch.

Since then we keep getting intermittent DNS lookup failures for various domains on the internet, which will typically work if you click the refresh button in the browser a few times.

BIND seems to just log to syslog/systemd; it doesn't appear to be configured to use its own log. If I run journalctl -xe | grep "named" I can get the log entries but none of them relate to the failed DNS lookup. If I do it immediately after a failure has occurred nothing is logged so I'm at a bit of a loss to work out what might be wrong.

Does anyone have any ideas please?

Thanks

Andrew

PS I should add that as far as I can tell it has never had a problem with resolving our internal .local domain; it just seems to be real internet domains it's having issues with.