Re: BIND DNS problem after upgrading from Wheezy to Squeeze

2017-12-30 Thread Bernhard Schmidt
Pascal Hambourg  wrote:
> On 29/12/2017 at 18:27, Andrew W wrote:
>> 
>> On 27/12/2017 13:18, Bernhard Schmidt wrote:
>>> Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
>>> packets. You might have an issue with UDP fragments being dropped at
>>> your firewall/NAT Gateway?
>>>
>> Thanks for this tip. Looking into it I discovered TCP seems to be
>> recommended for DNSSEC so I've enabled TCP port 53 and so far not had a
>> problem!
>
> AFAIK TCP is just a fall-back transport to work around UDP packet size 
> issues. Compared to UDP, TCP transport for DNS wastes system and network 
> resources.

Yes and no. For a single query, UDP is indeed more efficient. You can
have long-standing TCP connections though (multiple queries through the
same TCP channel, sometimes used between client and resolver, optionally
with TLS), UDP > 1400 bytes (fragments) is often blocked by firewalls or
misconfigured links, and due to the possibility of spoofing in UDP
(reflexive DDoS) some authoritative servers force clients to use TCP
(i.e. RRL or DNS COOKIE).

IOW, if you block TCP outbound for your resolver, you are asking for
trouble.

Bernhard



Re: BIND DNS problem after upgrading from Wheezy to Squeeze

2017-12-29 Thread Pascal Hambourg

On 29/12/2017 at 18:27, Andrew W wrote:
> On 27/12/2017 13:18, Bernhard Schmidt wrote:
>> Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
>> packets. You might have an issue with UDP fragments being dropped at
>> your firewall/NAT Gateway?
>
> Thanks for this tip. Looking into it I discovered TCP seems to be
> recommended for DNSSEC so I've enabled TCP port 53 and so far not had a
> problem!

AFAIK TCP is just a fall-back transport to work around UDP packet size
issues. Compared to UDP, TCP transport for DNS wastes system and network
resources.




Re: BIND DNS problem after upgrading from Wheezy to Squeeze

2017-12-29 Thread Andrew W



On 27/12/2017 13:18, Bernhard Schmidt wrote:
> Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
> packets. You might have an issue with UDP fragments being dropped at
> your firewall/NAT Gateway?

Thanks for this tip. Looking into it I discovered TCP seems to be
recommended for DNSSEC so I've enabled TCP port 53 and so far not had a
problem!




Re: BIND DNS problem after upgrading from Wheezy to Squeeze

2017-12-27 Thread Bernhard Schmidt
Andrew Wood  wrote:

Hi,

> I have a server which acts as a DNS server for our LAN. All our internal 
> servers have A records on it using a .local domain and it forwards all 
> other requests out to the root servers using the in built list provided 
> with BIND. All clients on the LAN have this machine set as their only 
> DNS server.
>
>
> It has worked fine for 6 years under Wheezy but I have just upgraded it
> to Stretch. I did an upgrade to Jessie first, rebooted, checked
> everything was OK, and then immediately upgraded to Stretch.
>
> Since then we keep getting intermittent DNS lookup failures for various
> domains on the internet, which will typically work if you click the
> refresh button in the browser a few times.
>
> BIND seems to just log to syslog/systemd; it doesn't appear to be
> configured to use its own log. If I run journalctl -xe | grep "named" I
> can get the log entries but none of them relate to the failed DNS
> lookup. If I do it immediately after a failure has occurred nothing is
> logged so I'm at a bit of a loss to work out what might be wrong.
>
>
> Does anyone have any ideas please?

Current BIND9 defaults to doing DNSSEC verification. DNSSEC needs large
packets. You might have an issue with UDP fragments being dropped at
your firewall/NAT Gateway?

https://www.dns-oarc.net/oarc/services/replysizetest

You can try to set 

edns-udp-size 1200;

in your options {} block if you see issues there.

Bernhard
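Added example, not code from this thread: a small Python sketch of the mechanism Bernhard describes here and in his 2017-12-30 reply. It builds a DNS query carrying an EDNS0 OPT record that advertises a UDP payload size (the wire-level counterpart of edns-udp-size 1200) and the DO bit that asks for DNSSEC records, then shows what a resolver does with a UDP reply that is truncated (TC bit, retry over TCP) or never arrives (dropped fragments). Function names are my own; the replies are constructed inline.

```python
import struct

DNS_TC = 0x0200   # header flag: reply truncated, retry over TCP
DNS_QR = 0x8000   # header flag: this packet is a response
OPT_TYPE = 41     # EDNS0 OPT pseudo-RR type (RFC 6891)
EDNS_DO = 0x8000  # DO bit in the OPT TTL field: "include DNSSEC records"

def build_edns_query(name, qtype=1, udp_size=1200, txid=0x1234, dnssec_ok=True):
    """Wire-format query with a trailing OPT RR advertising udp_size (like edns-udp-size)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (the OPT RR)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)              # class IN
    ttl = EDNS_DO if dnssec_ok else 0                            # ext-rcode=0, version=0, DO bit
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)  # root name, no RDATA
    return header + question + opt

def advertised_udp_size(query):
    """Read back the payload size from the trailing OPT RR of a query built above."""
    rtype, size, _ttl, rdlen = struct.unpack("!HHIH", query[-10:])
    if rtype != OPT_TYPE or rdlen != 0:
        raise ValueError("no trailing OPT RR")
    return size

def parse_header(data):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & DNS_QR), "tc": bool(flags & DNS_TC),
            "rcode": flags & 0x000F, "ancount": an}

def next_step(query, reply):
    """What a resolver does with the UDP reply to `query` (None = nothing arrived)."""
    if reply is None:
        # Typical symptom of dropped fragments: large DNSSEC answers never arrive
        # while small ones do. Lower the advertised size, then fall back to TCP.
        return "timeout: retry with smaller EDNS size, then TCP"
    hdr = parse_header(reply)
    if hdr["id"] != struct.unpack("!H", query[:2])[0] or not hdr["qr"]:
        return "ignore: not a reply to this query"
    if hdr["tc"]:
        return "retry over TCP"  # server could not fit the answer into udp_size bytes
    return "accept"

if __name__ == "__main__":
    q = build_edns_query("example.com", udp_size=1200)
    # Constructed replies: truncated (flags QR|TC|RD|RA = 0x8380) and complete (0x8180).
    truncated = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
    complete = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    print(advertised_udp_size(q), next_step(q, truncated), next_step(q, complete), next_step(q, None))
```

A resolver that can reach TCP port 53 recovers from both the truncated and the silent case; one with TCP blocked outbound is stuck with the intermittent failures described in the thread.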



Re: BIND DNS problem after upgrading from Wheezy to Squeeze

2017-12-26 Thread deloptes
Andrew W wrote:


> 
> 
> Does anyone have any ideas please?
> 

I had the same experience - I think (after trying this and that) the
solution was ntp (time was behind on the server), but I am not really 100% sure.
I was thinking first it had something to do with ipv6 or firewall, but after
updating the time, it disappeared.

Perhaps it may help in your case to see if you sync up your machine time.

regards



BIND DNS problem after upgrading from Wheezy to Squeeze

2017-12-26 Thread Andrew Wood
I have a server which acts as a DNS server for our LAN. All our internal 
servers have A records on it using a .local domain and it forwards all 
other requests out to the root servers using the in built list provided 
with BIND. All clients on the LAN have this machine set as their only 
DNS server.



It has worked fine for 6 years under Wheezy but I have just upgraded it
to Stretch. I did an upgrade to Jessie first, rebooted, checked
everything was OK, and then immediately upgraded to Stretch.


Since then we keep getting intermittent DNS lookup failures for various 
domains on the internet, which will typically work if you click the 
refresh button in the browser a few times.


BIND seems to just log to syslog/systemd; it doesn't appear to be
configured to use its own log. If I run journalctl -xe | grep "named" I
can get the log entries but none of them relate to the failed DNS
lookup. If I do it immediately after a failure has occurred nothing is
logged so I'm at a bit of a loss to work out what might be wrong.



Does anyone have any ideas please?


Thanks

Andrew

PS I should add that as far as I can tell it has never had a problem
with resolving our internal .local domain; it just seems to be real
internet domains it's having issues with.



