Содержание
- bind — DNS format error .
- Bind FORMERR errors in syslog
- 3 Answers 3
- bind9 часть сайтов не видит
- BIND DNS format error: Possible DDoS attack?
- micski
- SirDice
- micski
- SirDice
- covacat
- SirDice
- covacat
- What’s the difference between allow-query-cache and allow-recursion?
bind — DNS format error .
в логах постоянно на каждый запрос:
DNS format error from 194.85.61.20#53 resolving graphics8.nytimes.com/A for client 192.168.0.104#60010: invalid response May 22 16:33:17 srv named[1461]: error (FORMERR) resolving ‘graphics8.nytimes.com/A/IN’: 194.85.61.20#53
bind 9.8 suse12.1
В конфиге named’а в разделе logging<> добавить директиву «category resolver < null; >;» . Ошбки это не убирёт, но сообщения о них должны исчезнуть.
Хотя эти сообщения об ошибках не должны быть уж совсем на каждый запрос.
а в чем причина вобще этих сообщений? т.е. моему серверу не нравится формат ответа от форвардера,, разные версии bind ?
Нет, формат ответа не зависит от версии bind, формат описан в rfc. Обычно дело в кривых настройках серверов, когда на вышестоящем (по доменному имени) сервере указана NX-запись на сервер, который не считает себя ответственным (авторитетным) за эту зону.
В вашем случае с graphics8.nytimes.com, ИМХО, дело обстоит так. graphics8.nytimes.com через CNAME преобразуется в a1116.x.akamai.net. Сервер n0x.akamai.net, отвечающий за зону x.akamai.net на запрос a1116.x.akamai.net даёт ответ, но не авторитетный.
спасибо, вижу ты в форме), напомнишь может быть. как сделать cname вместо обратной записи. поясню, есть случаи когда на ptr запрос получаешь не имя а алиас, вот я и хочу вспомнить как это делается, (нам провайдер дает ип который не имеет ptr)
и ошибки кстати немного остались:
error (FORMERR) resolving ‘ns3.facebook.com/A/IN’: 194.85.61.20#53
error (FORMERR) resolving ‘ns3.facebook.com/AAAA/IN’: 194.85.61.20#53
error (FORMERR) resolving ‘static.ak.fbcdn.net/A/IN’: 194.85.61.20#53
«DNS format error from» — изчез «error (FORMERR) resolving» — остался, и непонятно блин /AAAA/ , если в конфе — listen-on-v6 < none; >;
sorry ,, это у меня с форвардерами проблемка, — вобщем логи щас чистые, спасибо
Запись для ip-адреса (диапазона ip-адресов) в любом разе должен делать провайдер. Просто он может писать PTR-запись, а может CNAME, ведущую на DNS-сервер клиента. Но, совсем без участия DNS-сервера провайдера в обратном преобразовании ip-адреса не обойтись 🙁
Источник
Bind FORMERR errors in syslog
I’ve recently switched out a failed router. and, a while later, I discovered a lot (at least an order or magnitude more than the number of queries) of errors reported in /var/log/syslog — of the form:
It might be relevant that I’ve got the following in bind.conf:
Is this likely an issue with the new router corrupting UDP datagrams, or something else? The new router is an (inexpensive) Netgear WNR854T — it has the latest firmware applied.
Can anyone suggest how best to diagnose this fault if it’s not obvious from the above?
— Additional details — This is a typical response from dig for an address I’m sure should resolve.
3 Answers 3
If you suspect a network element (such as your router) is truncating or corrupting UDP DNS traffic you can try the following:
- Perform the same query, again, with dig and see if you are also getting FORMERR as the response code. Dig (with the right options) will perform similarly to your recursing server but give you more visibility into the process.
- If you are getting FORMERRs with dig, try dig +tcp and see if the error persists (to rule out UDP issues)
- Use Wireshark or another sniffer to capture what is actually being received by your server when it recurses to satisfy a query.
Are all of the FORMERR errors in your log complaining about non-improving referrals? What does dig say is in the «additional» section of the queries that generate these error messages?
Finally, do you have stub zones or forward-first or forward-only zones set up that you haven’t mentioned?
Your DNS traffic may be transparently intercepted, and routed to a caching DNS server and you request answers that cannot be completely answered with brief answers and the caching DNS server gives truncated, rather than minimal answers («minimal-responses yes;»). For example, www.nvidia.com.edgekey.net is resolved via CNAMES and a long list of nameservers, and it complete answer does not fit in a 500
ish byte response. Here are the steps:
- Your BIND makes a non-recursive request to a root server, and expects only authoritative answers (in this case referrals to NS servers responsible for the zone).
- The caching DNS server which answers the intercepted request responds with a non-authoritative but incomplete answer, eg, the exact A record being sought, but with a truncated authority section which does not include the authoritative server for that record. Example (note there is no NS referal for akamaiedge.net):
- Your BIND sees the non-authoritative answer arriving from a supposedly authoritative server (the answer itself includes the NS referrals, so BIND knows the responding server is not authoritative for the A record), and discards the entire response with FORMERR:
The OP question includes an equivalent description of the problem (non-improving NS record == unrelated record in authority section):
- Your BIND then attempts the same non-recursive query to the next root server, and the cycle repeats until there are no more root servers to try, and BIND responds with SERVFAIL to the original recursive query.
Arguably the problem is one or several bugs in BIND itself:
- It checks the consistency of the AUTHORITY section in answers to non-recursive questions, eg, when forwarding a query to an upstream cache. It should not reject inconsistent answers, as they may be caused by valid truncation of long AUTHORITY sections
- When caching, it truncates answers naively. It should truncate more smartly and give AUTHORITY sections that are more useful when truncated, or give minimal answers (no AUTHORITY section) if the truncated AUTHORITY section would not be useful.
- It should default to «minimal-responses yes;» in caching mode.
- It should LOG/report if its authoritative queries are answered by non authoritative server (ie, RD flag unset in sent query, but set in received response), ie, detect and report intercepted DNS traffic.
I should note that queries that can be answered completely in a small packet do not trigger these bugs, and therefore, most DNS queries are resolved correctly.
Possible solutions:
- ask your ISP to add «minimal-responses yes;» to their cache configuration.
- get the ISP to not intercept your DNS, maybe by switching ISPs
- run a different BIND version without the bugs (I don’t know if such a version exists) or a different software.
- route BIND’s upstream queries through a VPN, and around the DNS intercept
Источник
bind9 часть сайтов не видит
неожидано с обеда вдруг получаю, что по части сайтов не может найти ипы, ничего не менял, у провайдера днс сервера отвечают, dig через них проходит, в логах ошибок не вижу, куда искать понять не могу ((
причем иногда ипы выдаются, потом опять пропадает, что это вообще может быть как проверить?
отключил сыпящиеся в логи ошибки
при этом вот отдельное что то получаю
пришлось в resolve.conf добавить еще один nameserver провайдера (раньше был только 127.0.0.1), через этот костыль ентернет работает, но почему бинд не хочет находить и кешировать запросы то.
статистика по рекурсиву адекватная нет?
tcpdump на 53ем порту много всяких IP proxy.domain > .63747: 32620 ServFail 0/0/0 (34)
если и есть криминал какой то то я его не вижу (
Пров с DNS не хулиганит? Коннекты на 53 порт не перехватывает?
у прова как обычно все замечательно, кроме меня проблем ни у кого нет (
нужны пруфы, как их найти!?
Это наверное надо каким-нибудь сниффером смотреть.
смотрел дампом на порту, много мусора, но после рестарта бинда вот такая вот куча запросов, но по факту ответа не приходит
Вот с логами не подскажу. Я этим не занимался.
Если грешишь на провайдера, пропиши в конфиге бинда в качестве форвардов гугловские днс и потестируй. Если будет та же беда — проблема в конфиге или зонах бинда, если нет, нужно копать дальше.
прописал форвардинг днс на 8.8.4.4 и 8.8.8.8 — проблемы нет
самое для меня удивительное, что адрес какой то может не резолвиться, а через какое то время появиться, например http://www.avito.ru не резолвится, а avito.ru норм, бывает что и наоборот и что оба «не отвечают», проверяю после рестарта и флуша
а может просто udp пакеты теряются? хотя пробовал делать диг на один из корневых — ответило нормально.
итак, что установлено достоверно точно, без форвардинга активно валятся ошибки по resolver и lame-servers, на текущее время без форвардинга работает уже больше сайтов чем было, но все еще не все
т.е. без форвардинга на днс провайдера ошибок по resolver и lame-servers почти нет
логи включил на все каналы уже что есть в бинде
Источник
BIND DNS format error: Possible DDoS attack?
micski
I was notified, that a BIND DNS server, which is authorative for a number of domains, is open to abuse for DDoS attacks, targeting other networks. When testing on MX Tool, there is no problems according to the report.
Looking into the logs, there actually is tons of messages about a format error on different unknown IP adresses. I have not been unable to find out, what that error message is about.
The DNS server is authoritative for a number of domains, so I assume, it should be open for queries, but otherwise restricted. Is it possible, that the configuration below can lead to abuse? Keep in mind, that the DNS server is authoritative for a number of domains, and, that it has other primary DNS servers (GratisDNS).
One of the domains:
SirDice
Administrator
micski
SirDice
Administrator
As far as I can tell they’re not successful, but those modified queries are causing errors to be logged. Because BIND does find there’s something wrong with those queries, and it’s warning you about it.
But the best way would be to capture that traffic and analyze it yourself. Then you can try to figure out what they’re actually trying to do.
Reactions: micski
covacat
SirDice
Administrator
covacat
Reactions: micski
What’s the difference between allow-query-cache and allow-recursion?
Reactions: micski
What that notification was talking about were probably DNS reflection/amplification attacks. Those could be carried out on *any* open resolver, as those attacks are using nothing but the desired behaviour of a nameserver: They send hundreds of thousands of (non-resolvable) request from a spoofed source address (=target) via botnets to as many nameservers as possible, so that target gets DDoSed by the millions of error replies frem the nameservers that think this host asked for some non-existent DNS record.
For nameservers that are authorative for a/some zone(s), you usually don’t want them to serve as ‘generic’ nameservers (i.e. recursive resolvers for clients), but *only* serve the zones they are responsible for. This way you can close down that nameserver very tightly and also identify and mitigate attacks relatively easily by blacklisting hosts/IPs that repeatedly send request for zones that the server isn’t responsible for. As a first line of defense you should also always configure rate-limits.
To serve the clients in your networks you usually use separate, internal (caching) resolvers, not the authorative nameservers for your zones.
If you *have* to run an open resolver, you should absolutely have finely tuned rate-limits [1] in place. IIRC from BIND 9.10 onwards rate-limit can be set globally and per view, so you could set higher thresholds for your own networks than for the rest of the world. Usually you don’t need to run an open resolver even if you run big networks and/or public prefixes — so double- and triple-check if you think you *really* need a fully open resolver, because in most cases you were wrong.
Источник
Recently I was configuring Bind 9 on Centos 6.2. The setup was pretty straight forward: caching name server with one authoritative local domain. But the problem was that it was resolving my local authoritative domain but getting SERVFAIL for all external queries! I tried using forwardars, forward only, forward first but nothing helped. «dig @127.0.0.1 yahoo.com» was giving a SERVFAIL and «dig @192.168.1.1 yahoo.com» was working fine.
This problem almost made me crazy and was about to give up on bind until I found the problem. I tried every thing: I was configuring bind on a KVM VM, I thought may be its the Bridge or the KVM’s internal network bug. I tried bind on a physical machine, but the problem was same! I tried it on Fedora 14, same problem! Next I tried it on different versions of bind, but the error was the exact same!
Here are the errors I was getting in the named.run logs:
DNS format error from 128.63.2.53#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 128.63.2.53#53
DNS format error from 202.12.27.33#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 202.12.27.33#53
DNS format error from 192.5.5.241#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 192.5.5.241#53
DNS format error from 192.36.148.17#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 192.36.148.17#53
DNS format error from 128.8.10.90#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 128.8.10.90#53
DNS format error from 193.0.14.129#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 193.0.14.129#53
DNS format error from 192.112.36.4#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 192.112.36.4#53
DNS format error from 199.7.83.42#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 199.7.83.42#53
DNS format error from 192.33.4.12#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 192.33.4.12#53
DNS format error from 192.203.230.10#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 192.203.230.10#53
DNS format error from 198.41.0.4#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 198.41.0.4#53
DNS format error from 192.228.79.201#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 192.228.79.201#53
DNS format error from 192.58.128.30#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving ‘yahoo.com/A/IN’: 192.58.128.30#53
So basically bind was getting a malformed response from all the root level servers it was trying in the hint file named.ca
The Solution:
After enabling the debug mode and monitoring traffic with tcpdump, I found the problem. The culprit was my DSL router (AzTech 605EW). And apparently most home dsl routers will behave abnormally with large udp packets. The large udp packets are because bind uses EDNS when querying other DNS servers.
Adding the following configuration in named.conf disabled edns and solved the problem!
server ::/0 { edns no; };
server 0.0.0.0/0 { edns no; };
Your DNS traffic may be transparently intercepted, and routed to a caching DNS server and you request answers that cannot be completely answered with brief answers and the caching DNS server gives truncated, rather than minimal answers («minimal-responses yes;»). For example, www.nvidia.com.edgekey.net is resolved via CNAMES and a long list of nameservers, and it complete answer does not fit in a 500~ish byte response. Here are the steps:
- Your BIND makes a non-recursive request to a root server, and expects only authoritative answers (in this case referrals to NS servers responsible for the zone).
- The caching DNS server which answers the intercepted request responds with a non-authoritative but incomplete answer, eg, the exact A record being sought, but with a truncated authority section which does not include the authoritative server for that record. Example (note there is no NS referal for akamaiedge.net):
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59893
;; flags: qr rd ra; QUESTION: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 2
;; QUESTION SECTION:
;www.nvidia.com.edgekey.net. IN A
;; ANSWER SECTION:
www.nvidia.com.edgekey.net. 21559 IN CNAME e14462.a.akamaiedge.net.
e14462.a.akamaiedge.net. 19 IN A 184.85.26.247
;; AUTHORITY SECTION:
edgekey.net. 13382 IN NS a18-65.akam.net.
edgekey.net. 13382 IN NS ns5-66.akam.net.
edgekey.net. 13382 IN NS a6-65.akam.net.
edgekey.net. 13382 IN NS ns7-65.akam.net.
edgekey.net. 13382 IN NS a5-65.akam.net.
edgekey.net. 13382 IN NS a13-65.akam.net.
edgekey.net. 13382 IN NS ns1-66.akam.net.
edgekey.net. 13382 IN NS ns4-66.akam.net.
edgekey.net. 13382 IN NS a28-65.akam.net.
edgekey.net. 13382 IN NS adns1.akam.net.
edgekey.net. 13382 IN NS a12-65.akam.net.
edgekey.net. 13382 IN NS usw6.akam.net.
edgekey.net. 13382 IN NS a16-65.akam.net.
;; ADDITIONAL SECTION:
a13-65.akam.net. 11507 IN A 2.22.230.65
adns1.akam.net. 13382 IN A 96.7.50.66
- Your BIND sees the non-authoritative answer arriving from a supposedly authoritative server (the answer itself includes the NS referrals, so BIND knows the responding server is not authoritative for the A record), and discards the entire response with FORMERR:
DNS format error from 192.58.128.30#53 resolving www.nvidia.com.edgekey.net/A for client 127.0.0.1#53636: unrelated A e14462.a.akamaiedge.net in edgekey.net authority section
The OP question includes an equivalent description of the problem (non-improving NS record == unrelated record in authority section):
Mar 18 19:53:20 kenneth named[4022]: DNS format error from 192.112.36.4#53 resolving ./NS: non-improving referral
- Your BIND then attempts the same non-recursive query to the next root server, and the cycle repeats until there are no more root servers to try, and BIND responds with SERVFAIL to the original recursive query.
Arguably the problem is one or several bugs in BIND itself:
- It checks the consistency of the AUTHORITY section in answers to non-recursive questions, eg, when forwarding a query to an upstream cache. It should not reject inconsistent answers, as they may be caused by valid truncation of long AUTHORITY sections
- When caching, it truncates answers naively. It should truncate more smartly and give AUTHORITY sections that are more useful when truncated, or give minimal answers (no AUTHORITY section) if the truncated AUTHORITY section would not be useful.
- It should default to «minimal-responses yes;» in caching mode.
- It should LOG/report if its authoritative queries are answered by non authoritative server (ie, RD flag unset in sent query, but set in received response), ie, detect and report intercepted DNS traffic.
I should note that queries that can be answered completely in a small packet do not trigger these bugs, and therefore, most DNS queries are resolved correctly.
Possible solutions:
- ask your ISP to add «minimal-responses yes;» to their cache configuration.
- get the ISP to not intercept your DNS, maybe by switching ISPs
- run a different BIND version without the bugs (I don’t know if such a version exists) or a different software.
- route BIND’s upstream queries through a VPN, and around the DNS intercept
Здравствуйте!
Недавно решил поднять кэширующий ДНС-сервер. Собственно говоря, по самой процедуре вопросов особых не возникло. На первый взгляд всё заработало. Но есть одна проблема: логи буквально за считаные минуты разрастаются до огромных размеров. И записи в них вот такого содержания:
Код: Выделить всё
error (unexpected RCODE SERVFAIL) resolving '211.70.191.186.IN-ADDR.ARPA/PTR/IN': 170.51.242.18#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 193.104.149.65#53
error (unexpected RCODE REFUSED) resolving '55.186.136.89.in-addr.arpa/PTR/IN': 194.102.255.3#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/MX/IN': 64.207.128.246#53
error (unexpected RCODE REFUSED) resolving 'www.realfit.ru/A/IN';: 83.170.91.205#53
error (unexpected RCODE SERVFAIL) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 66.198.145.99#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 91.210.6.228#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 94.75.223.25#53
error (unexpected RCODE SERVFAIL) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 193.50.53.3#53
error (unexpected RCODE REFUSED) resolving '125.64-127.111.23.163.in-addr.arpa/PTR/IN': 163.23.111.65#53
error (unexpected RCODE SERVFAIL) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 66.198.145.99#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 188.40.44.206#53
error (unexpected RCODE REFUSED) resolving '200.169.147.120.in-addr.arpa/PTR/IN': 144.135.133.76#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/TXT/IN': 64.207.128.246#53
error (unexpected RCODE SERVFAIL) resolving 'www.pink-pelikan.ru/A/IN';: 91.142.81.238#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 94.75.223.25#53
error (unexpected RCODE REFUSED) resolving '26.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE SERVFAIL) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 193.50.53.3#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 85.17.79.33#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 91.210.6.228#53
error (unexpected RCODE REFUSED) resolving '4.107.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '4.107.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/MX/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.193.77#53
error (unexpected RCODE SERVFAIL) resolving 'www.pink-pelikan.ru/A/IN';: 91.142.84.206#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 85.17.79.33#53
error (unexpected RCODE REFUSED) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 206.82.130.196#53
error (unexpected RCODE REFUSED) resolving '26.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 193.104.149.65#53
error (unexpected RCODE REFUSED) resolving '125.64-127.111.23.163.in-addr.arpa/PTR/IN': 163.23.111.65#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '4.107.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '4.107.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 193.104.149.65#53
error (unexpected RCODE REFUSED) resolving '55.186.136.89.in-addr.arpa/PTR/IN': 194.102.255.3#53
error (FORMERR) resolving 'a296759604eedd6537600849db0595f0f7e9f2537b67cbb4.gcdn.biz/AAAA/IN': 94.75.223.25#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 188.40.44.206#53
error (unexpected RCODE SERVFAIL) resolving '90.53.188.91.in-addr.arpa/PTR/IN': 81.198.180.1#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 91.210.6.228#53
error (unexpected RCODE REFUSED) resolving '76.96.53.92.in-addr.arpa/PTR/IN': 92.53.98.100#53
error (unexpected RCODE REFUSED) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 206.82.130.196#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (FORMERR) resolving 'a296759604eedd6537600849db0595f0f7e9f2537b67cbb4.gcdn.biz/AAAA/IN': 85.17.79.33#53
error (unexpected RCODE REFUSED) resolving '76.96.53.92.in-addr.arpa/PTR/IN': 92.53.116.200#53
error (unexpected RCODE REFUSED) resolving 'www.7dvd.ru/A/IN';: 89.108.104.3#53
error (unexpected RCODE SERVFAIL) resolving 'www.7dvd.ru/A/IN';: 89.108.64.2#53
error (unexpected RCODE REFUSED) resolving '247.237.38.89.IN-ADDR.ARPA/PTR/IN': 82.79.33.10#53
error (unexpected RCODE SERVFAIL) resolving '90.53.188.91.in-addr.arpa/PTR/IN': 81.198.180.1#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/A/IN': 70.32.65.137#53
error (unexpected RCODE SERVFAIL) resolving 'www.pink-pelikan.ru/A/IN';: 91.142.84.206#53
error (FORMERR) resolving 'a296759604eedd6537600849db0595f0f7e9f2537b67cbb4.gcdn.biz/AAAA/IN': 188.40.44.206#53
error (unexpected RCODE REFUSED) resolving '13.145.245.121.IN-ADDR.ARPA/PTR/IN': 202.54.15.30#53
error (unexpected RCODE REFUSED) resolving '140.102.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '94.141.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '94.141.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '140.102.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/TXT/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/MX/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 193.104.149.65#53
error (unexpected RCODE SERVFAIL) resolving 'www.pink-pelikan.ru/A/IN';: 91.142.81.238#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.193.77#53
error (unexpected RCODE REFUSED) resolving '21.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving '19.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/TXT/IN': 158.43.193.77#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 91.210.6.228#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/MX/IN': 158.43.193.77#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving '19.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving '26.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/MX/IN': 64.207.128.246#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/MX/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving '39.141.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '39.141.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '140.102.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '140.102.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.193.77#53
error (unexpected RCODE REFUSED) resolving '26.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 193.104.149.65#53
error (unexpected RCODE SERVFAIL) resolving '32server.bpiconnect.com/A/IN': 217.160.81.164#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN';: 91.210.6.228#53
error (unexpected RCODE REFUSED) resolving 'topya.ru/A/IN': 77.120.107.131#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/A/IN': 64.207.128.246#53
error (unexpected RCODE REFUSED) resolving '21.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving '19.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE SERVFAIL) resolving '32server.bpiconnect.com/A/IN': 217.160.80.164#53
error (unexpected RCODE REFUSED) resolving 'topya.ru/A/IN': 77.120.107.132#53
error (unexpected RCODE REFUSED) resolving '56.143.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '167.102.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '32.100.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '167.102.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '56.143.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '32.100.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '167.102.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '56.143.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '167.102.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '56.143.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/MX/IN': 70.32.65.137#53
error (unexpected RCODE REFUSED) resolving '21.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE REFUSED) resolving '19.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE REFUSED) resolving '125.64-127.111.23.163.in-addr.arpa/PTR/IN': 163.23.111.65#53
error (unexpected RCODE SERVFAIL) resolving '211.70.191.186.IN-ADDR.ARPA/PTR/IN': 170.51.242.18#53
И это лишь маленький кусочек лога. Мне пришлось остановить named, дабы он весь винт не забил своими логами…
Вот конфиг:
Код: Выделить всё
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1;
192.168.199.2; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost;
192.168.0.0/16; };
// forwarders { 212.49.118.2;
// 212.49.103.2; };
forwarders { 212.49.103.2;
212.49.118.2; };
recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "_msdcs.egarant.local" {
type slave;
file "_msdcs.egarant.local";
masters { 192.168.199.202;
192.168.199.199; };
};
zone "egarant.local" {
type slave;
file "egarant.local";
masters { 192.168.199.202;
192.168.199.199; };
};
zone "_msdcs.egarant1.local" {
type slave;
file "_msdcs.egarant1.local";
masters { 192.168.1.200;
192.168.1.201; };
};
zone "egarant1.local" {
type slave;
file "egarant1.local";
masters { 192.168.1.200;
192.168.1.201; };
};
include "/etc/named.rfc1912.zones";
Ещё я в файл /etc/sysconfig/named добавил вот такую строчку:
OPTIONS=»-4″
Это чтоб он только ай-пишники v4 кэшировал, а v6 пропускал мимо.
Один мой товарищ написал по этому поводу следующее:
Интересная ситуация…
если смотреть ошибку вида:
error (unexpected RCODE REFUSED) resolving ‘55.186.136.89.in-addr.arpa/PTR/IN’: 194.102.255.3#53
она говорит о том, что твой сервак не может получить ответ на запрос от сервера 194.102.255.3. Если пробовать спросить у этого сервера руками — он действительно ничего не отвечает. То есть, строго говоря, ничего криминального в этом нет…
У меня в логах тоже есть такие ошибки, но их число не превышает 1-2-х десятков за сутки.
Мне кажется тут проблему не в named надо искать, а в том, почему он щемится непонятно куда и спрашивает непонятно что… Причем, обрати внимание, что очень много запросов на обратные зоны…
Может у тебя какой сифилис живет, который и лезет везде подряд, просто named его показал лицом?
Постарайся отловить кто шлет все эти запросы…
Вот в связи с этим и вопрос: Как и с помощью чего можно попытаться отследить этот самый «сифилис»? Дело в том, что пока сервер, где установлен Named, никем не используется в качечестве DNS-сервера. Т.е. рабочие станции к нему пока не обращаются с днс-запросами. Неужели что-то непосредственно с самого сервера куда-то ломится?
Помогите понять причину, пожалуйста.
?
Log in
If this type of authorization does not work for you, convert your account using the link
-
-
dil wrote in ru_root February 15 2013, 13:53
dil
ru_root Вчера примерно с 12:32 по 14:25 UTC кэширующий BIND в локальной сети (имеющий только серый адрес и ходящий наружу через NAT) начал массово ругаться в лог вот такими словами:Feb 14 12:32:57 named[1294]: error (network unreachable) resolving 'ns6-129.akadns.net/AAAA/IN': 2001:500:2f::f#53
Feb 14 12:32:57 named[1294]: error (network unreachable) resolving 'ns6-129.akadns.net/AAAA/IN': 2001:7fd::1#53
Feb 14 12:32:57 named[1294]: error (network unreachable) resolving 'ns3.skype.net/AAAA/IN': 2001:7fe::53#53
Feb 14 12:32:57 named[1294]: success resolving 'a1123.g.akamai.net/A' (in 'g.akamai.net'?) after disabling EDNS
Feb 14 12:32:57 named[1294]: DNS format error from 96.7.251.131#53 resolving n0g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n0g.akamai.net/AAAA/IN': 96.7.251.131#53
Feb 14 12:32:57 named[1294]: DNS format error from 96.7.50.192#53 resolving n1g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n1g.akamai.net/AAAA/IN': 96.7.50.192#53
Feb 14 12:32:57 named[1294]: DNS format error from 96.7.50.192#53 resolving n2g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n2g.akamai.net/AAAA/IN': 96.7.50.192#53
Feb 14 12:32:57 named[1294]: DNS format error from 96.7.50.192#53 resolving n3g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n3g.akamai.net/AAAA/IN': 96.7.50.192#53
Feb 14 12:32:57 named[1294]: DNS format error from 193.108.88.1#53 resolving n5g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n5g.akamai.net/AAAA/IN': 193.108.88.1#53
Feb 14 12:32:57 named[1294]: DNS format error from 193.108.88.1#53 resolving n1g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n1g.akamai.net/AAAA/IN': 193.108.88.1#53
Feb 14 12:32:57 named[1294]: DNS format error from 96.17.144.197#53 resolving n6g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: DNS format error from 96.7.251.131#53 resolving n3g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n6g.akamai.net/AAAA/IN': 96.17.144.197#53
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n3g.akamai.net/AAAA/IN': 96.7.251.131#53
Feb 14 12:32:57 named[1294]: DNS format error from 193.108.88.1#53 resolving n2g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: DNS format error from 193.108.88.1#53 resolving n0g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n2g.akamai.net/AAAA/IN': 193.108.88.1#53
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n0g.akamai.net/AAAA/IN': 193.108.88.1#53
Feb 14 12:32:57 named[1294]: DNS format error from 96.7.251.131#53 resolving n5g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: DNS format error from 23.62.62.193#53 resolving n1g.akamai.net/AAAA: reply has no answer
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n5g.akamai.net/AAAA/IN': 96.7.251.131#53
Feb 14 12:32:57 named[1294]: error (FORMERR) resolving 'n1g.akamai.net/AAAA/IN': 23.62.62.193#53
Feb 14 12:32:57 named[1294]: DNS format error from 184.26.161.192#53 resolving n3g.akamai.net/AAAA: reply has no answer
Говорят, при этом он ещё генерировал дикое количество трафика наружу, практически забив весь DSL-канал.
Кончилось так же внезапно, как и началось. Что это за DNS format error внезапно?
Gabriele Paggi
unread,
Jun 22, 2012, 1:22:12 PM6/22/12
to bind-…@lists.isc.org
Spain, Dr. Jeffry A.
unread,
Jun 22, 2012, 3:25:09 PM6/22/12
to Gabriele Paggi, bind-…@lists.isc.org
FWIW I’m not able to reproduce this using a BIND 9.9.1-P1 recursive resolver. On this system «dig @localhost vlasext.partners.extranet.microsoft.com a» returns the answer 70.42.230.20 and identifies dns11.one.microsoft.com (94.245.124.49) as one of four authoritative servers. «dig @94.245.124.49 vlasext.partners.extranet.microsoft.com a» also returns the answer 70.42.230.20, but no authority or additional records (except EDNS UDP 4000), and with no AA flag set. On the contrary querying one of my own authoritative servers, also running BIND 9.9.1-P1, for a record for which it is authoritative («dig @ns2.countryday.net countryday.net a») does return the answer along with authority and additional records for the name servers and does have the AA flag set. Finally querying one of my internal Microsoft DNS servers (Windows Server 2008 R2 SP1) for a record for which it is authoritative gives me a correct answer, no authority or additional records (except EDNS UDP 4000), but does have the AA flag set.
> Is it related to the «AA bit strictness»[1] ? 94.245.124.49 is dns11.one.microsoft.com and does indeed reply without setting the AA bit.
> As far as know the ‘strictness’ was removed in P2, correct me if I’m wrong.
I don’t know enough about the history of BIND functionality to answer this. I’m sure others will comment.
>From what I observed I would conclude that dns11.one.microsoft.com is a Windows DNS server since it behaves like mine except for the AA flag not being set in theirs. The missing AA flag and lack of authority and additional records in their response seems like improper behavior to me, but I don’t know whether or not the DNS protocol actually requires this. Apparently BIND 9.9.1-P1 is able to handle this situation.
Hope this is at least somewhat helpful. Jeff.
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Carsten Strotmann (private)
unread,
Jun 23, 2012, 12:17:03 PM6/23/12
to bind-…@lists.isc.org
——BEGIN PGP SIGNED MESSAGE——
Hash: SHA1
Hello Gabriele,
On 6/22/12 11:22 AM, Gabriele Paggi wrote:
> I’m a BIND novice and I’m trying to understand what causes my
> BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried
> for the A record of vlasext.partners.extranet.microsoft.com:
>
At Men & Mice I’ve investigated this issue a few weeks ago for one of
our customers. At that point of time, we’ve seen NS records with
private addresses:
dig ns partners.extranet.microsoft.com.
; <<>> DiG 9.9.1 <<>> ns partners.extranet.microsoft.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53053
;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 19
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS
;; ANSWER SECTION:
partners.extranet.microsoft.com. 2311 IN NS
db3-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
tk5-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
by1-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
co2-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
co2-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
sinxtdnsz01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
kaw-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
ph1-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
tk5-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
tk5-ptnr-dc-05.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
rno-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
tk5-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
sin-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
sin-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
by1-ptnr-dc-04.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
kaw-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
db3-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
ph1-ptnr-dc-02.partners.extranet.microsoft.com.
;; ADDITIONAL SECTION:
db3-ptnr-dc-01.partners.extranet.microsoft.com. 1406 IN A 10.251.138.15
tk5-ptnr-dc-02.partners.extranet.microsoft.com. 26 IN A 10.251.51.102
by1-ptnr-dc-03.partners.extranet.microsoft.com. 3505 IN A 10.251.94.15
co2-ptnr-dc-02.partners.extranet.microsoft.com. 2941 IN A 10.251.152.89
co2-ptnr-dc-01.partners.extranet.microsoft.com. 2679 IN A 10.251.152.173
sinxtdnsz01.partners.extranet.microsoft.com. 171 IN A 10.251.168.142
kaw-ptnr-dc-02.partners.extranet.microsoft.com. 1101 IN A 10.251.162.20
ph1-ptnr-dc-01.partners.extranet.microsoft.com. 1417 IN A 10.251.26.11
tk5-ptnr-dc-01.partners.extranet.microsoft.com. 2872 IN A 10.251.51.13
tk5-ptnr-dc-05.partners.extranet.microsoft.com. 137 IN A 10.251.52.143
rno-ptnr-dc-01.partners.extranet.microsoft.com. 1375 IN A 10.251.64.113
tk5-ptnr-dc-03.partners.extranet.microsoft.com. 1564 IN A 10.251.52.124
sin-ptnr-dc-03.partners.extranet.microsoft.com. 882 IN A 10.251.168.67
sin-ptnr-dc-02.partners.extranet.microsoft.com. 505 IN A 10.251.169.47
by1-ptnr-dc-04.partners.extranet.microsoft.com. 2270 IN A 10.251.94.16
kaw-ptnr-dc-03.partners.extranet.microsoft.com. 3461 IN A 10.251.162.193
db3-ptnr-dc-02.partners.extranet.microsoft.com. 1690 IN A 10.251.138.59
ph1-ptnr-dc-02.partners.extranet.microsoft.com. 3018 IN A 10.251.26.12
;; Query time: 1314 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 30 18:57:27 2012
;; MSG SIZE rcvd: 867
The issue seem to differ from the point in the network you are sending
the query, and if the resolving DNS server has only IPv4 or is
dual-stack (IPv4 + IPv6). It seems that the resolution is sometimes
broken, but we have not found the root cause of the issue.
This forward zone proved to be an (ugly, but working) workaround:
zone «partners.extranet.microsoft.com» IN {
type forward;
forwarders { 131.107.125.65;
94.245.124.49;
207.46.55.10;
65.55.31.17; };
};
We’ve also informed Microsoft about the issue.
Best regards
Carsten Strotmann
——BEGIN PGP SIGNATURE——
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools — http://gpgtools.org
Comment: Using GnuPG with Mozilla — http://enigmail.mozdev.org/
iEYEARECAAYFAk/le38ACgkQsUJ3c+pomYEwDACgit4MdoFl4rfSCcapx1NMr9cB
1bUAn1QNRM2Gw//EsLYnH1jw1g25IvFl
=hB+P
——END PGP SIGNATURE——
Carsten Strotmann (private)
unread,
Jun 23, 2012, 12:54:35 PM6/23/12
to bind-…@lists.isc.org
——BEGIN PGP SIGNED MESSAGE——
Hash: SHA1
Hello Gabriele,
On 6/22/12 11:22 AM, Gabriele Paggi wrote:
> I’m a BIND novice and I’m trying to understand what causes my
> BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried
> for the A record of vlasext.partners.extranet.microsoft.com:
about the FORMERR. This might be caused by a Firewall or other
middlebox that truncates the large answer containing the NS record set
for this domain.
I see the same if I try to fetch the delegation NS records from the
parent domain (microsoft.com) for partners.extranet.microsoft.com:
# dig @ns1.msft.net. partners.extranet.microsoft.com ns
; <<>> DiG 9.9.1-P1 <<>> ns @ns1.msft.net. partners.extranet.microsoft.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 30679
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; Query time: 167 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Sat Jun 23 10:47:33 2012
;; MSG SIZE rcvd: 60
If some other members of this mailing list also see the same FORMERR
(I’m seeing it over IPv4+IPv6), that is is very likely a firewall or
middlebox on the Microsoft side.
iEYEARECAAYFAk/lhEsACgkQsUJ3c+pomYE8RwCgldVhiIiwuavJGy0VEQAbek5M
d7sAoKg1ny9dN6UMhuXyF1a6diylGyzz
=+PcU
——END PGP SIGNATURE——
Gabriele Paggi
unread,
Jun 24, 2012, 7:58:25 AM6/24/12
to bind-…@lists.isc.org
Gabriele Paggi
unread,
Jun 24, 2012, 8:10:21 AM6/24/12
to bind-…@lists.isc.org
Hello Carsten,
> At Men& Mice I’ve investigated this issue a few weeks ago for one of
> our customers. At that point of time, we’ve seen NS records with
> private addresses:
That’s interesting but it still doesn’t explain why BIND reports a
format error in the reply it receives.
The reply is nonsense but it’s legit and BIND should just return it. Am
I wrong?
Beside that, I’ve been constantly getting a FORMERR reply for a week now.
> The issue seem to differ from the point in the network you are sending
> the query, and if the resolving DNS server has only IPv4 or is
> dual-stack (IPv4 + IPv6). It seems that the resolution is sometimes
> broken, but we have not found the root cause of the issue.
I’m running with only IPv4. May I ask you which version of BIND are you
running?
Jeffry is not able to reproduce the issue using BIND 9.9.1-P1 and I
might consider an upgrade.
> We’ve also informed Microsoft about the issue.
I know what the answer is but I’ll ask anyway: did you ever get a reply
/ acknowledgement from them?
Thanks!
Gabriele
Gabriele Paggi
unread,
Jun 24, 2012, 8:14:58 AM6/24/12
to bind-…@lists.isc.org
Hello Jeffry,
> FWIW I’m not able to reproduce this using a BIND 9.9.1-P1 recursive resolver. On this system «dig @localhost vlasext.partners.extranet.microsoft.com a» returns the answer 70.42.230.20 and identifies dns11.one.microsoft.com (94.245.124.49) as one of four authoritative servers. «dig @94.245.124.49 vlasext.partners.extranet.microsoft.com a» also returns the answer 70.42.230.20, but no authority or additional records (except EDNS UDP 4000), and with no AA flag set. On the contrary querying one of my own authoritative servers, also running BIND 9.9.1-P1, for a record for which it is authoritative («dig @ns2.countryday.net countryday.net a») does return the answer along with authority and additional records for the name servers and does have the AA flag set. Finally querying one of my internal Microsoft DNS servers (Windows Server 2008 R2 SP1) for a record for which it is authoritative gives me a correct answer, no authority or additional records (except EDNS UDP 4000), but does have the AA flag set.
Thanks. At least I know an upgrade would fix the issue although I still
don’t know what and where the problem is (Microsoft DNS reply? BIND?).
> From what I observed I would conclude that dns11.one.microsoft.com is a Windows DNS server since it behaves like mine except for the AA flag not being set in theirs. The missing AA flag and lack of authority and additional records in their response seems like improper behavior to me, but I don’t know whether or not the DNS protocol actually requires this. Apparently BIND 9.9.1-P1 is able to handle this situation.
I kind of assumed Microsoft would have been running a Windows DNS for
their domains 
Gabriele
Carsten Strotmann (private)
unread,
Jun 24, 2012, 11:45:34 AM6/24/12
to Gabriele Paggi, bind-…@lists.isc.org
——BEGIN PGP SIGNED MESSAGE——
Hash: SHA1
Hello Gabriele,
On 6/24/12 5:57 AM, Gabriele Paggi wrote:
> Hello Carsten,
>
> Thanks for your reply!
>> about the FORMERR. This might be caused by a Firewall or other
>> middlebox that truncates the large answer containing the NS
>> record set for this domain.
>>
>> I see the same if I try to fetch the delegation NS records from
>> the parent domain (microsoft.com) for
>> partners.extranet.microsoft.com:
> That doesn’t explain why I get a correct reply to my query if I use
> a Windows DNS or one of the Google DNS (what software do they run?)
> or my home ISP DNS (UPC, Netherlands).
what we see is that we get different responses for the NS record set
for «partners.extranet.microsoft.com»:
1) a list of 4 NS records (dns10/11/12/13.one.microsoft.com) with
public route-able IPv4 addresses, answer size is around 200 byte
2) a list of 18 NS records
(xxxx-ptnr-dc-02.partners.extranet.microsoft.com.) with private RFC
1918 addresses and an answer size of above 800 byte. These are
internal domain controllers.
The answer size of 800 bytes can create the FORMERR issue.
I’m using BIND 9.9.1(-P1) and Unbound 1.4.17 here. Today I’m getting
answer type 1) from my home and also from a machine in the datacenter,
yesterday I’m seen answer type 2) and the FORMERR.
The FORMERR I’m seeing is also quite odd, as it has the «AD» flag set,
which should normally not appear in an error type of response, but
might be caused by a mangled DNS packet:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 30679
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
I have no explanation of this issue at the moment.
To my knowledge Google is using a homegrown DNS resolver, not BIND.
iEYEARECAAYFAk/mxZ4ACgkQsUJ3c+pomYHc6QCfeONcluurcPOX4dMqMWDm4pnf
SlgAnAxlJ1UQRSdE+WgN28RYVBmo/N03
=DT/n
——END PGP SIGNATURE——
Carsten Strotmann (private)
unread,
Jun 24, 2012, 12:07:00 PM6/24/12
to bind-…@lists.isc.org
——BEGIN PGP SIGNED MESSAGE——
Hash: SHA1
Hello Jeffry,
On 6/22/12 1:25 PM, Spain, Dr. Jeffry A. wrote:
> From what I observed I would conclude that dns11.one.microsoft.com
> is a Windows DNS server since it behaves like mine except for the
> AA flag not being set in theirs.
It might even be a new Windows 2012 DNS server, and it might be an
issue with this new version. This is just speculation, but if it is an
issue with Windows 2012 DNS, it might be good to be able to isolate
that issue soon (so that it can be fixed before Windows 2012 is released).
> The missing AA flag and lack of authority and additional records in
> their response seems like improper behavior to me, but I don’t know
> whether or not the DNS protocol actually requires this. Apparently
> BIND 9.9.1-P1 is able to handle this situation.
my BIND 9.9.1-P1 showed FORMERR yesterday, but shows the same good
answers that you report today.
What is see today when I send a direct query to
dns10.one.microsoft.com. (or dns11/12/13) is that both AA
(Authoritative Answer) and AD (Authenticated Data) flags are set, but
the zone does not seem to be DNSSEC signed (no RRSIGs, no DNSKEY):
bash-3.2# dig partners.extranet.microsoft.com. IN NS
@dns11.one.microsoft.com. +dnssec
; <<>> DiG 9.9.1-P1 <<>> partners.extranet.microsoft.com. IN NS
@dns11.one.microsoft.com. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40230
;; flags: qr aa ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
partners.extranet.microsoft.com. 10 IN NS dns11.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns10.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns13.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns12.one.microsoft.com.
dns11.one.microsoft.com. 10 IN A 94.245.124.49
dns10.one.microsoft.com. 10 IN A 131.107.125.65
dns13.one.microsoft.com. 10 IN A 65.55.31.17
dns12.one.microsoft.com. 10 IN A 207.46.55.10
;; Query time: 37 msec
;; SERVER: 94.245.124.49#53(94.245.124.49)
;; WHEN: Sun Jun 24 10:00:54 2012
;; MSG SIZE rcvd: 228
Having AD-Flag set on an non-DNSSEC zone might be a protocol
violation, and that might be the cause of FORMERR.
iEYEARECAAYFAk/myqQACgkQsUJ3c+pomYGzyQCdF6q+TeWUmA4TWYgiOn6pA0ha
HHgAn2Amo54kuiNEIJ4hU1kXOwjnY7Pb
=7x6l
——END PGP SIGNATURE——
Carsten Strotmann (private)
unread,
Jun 24, 2012, 12:56:10 PM6/24/12
to bind-…@lists.isc.org
——BEGIN PGP SIGNED MESSAGE——
Hash: SHA1
Hello,
On 6/24/12 10:07 AM, Carsten Strotmann (private) wrote:
> It might even be a new Windows 2012 DNS server, and it might be an
> issue with this new version. This is just speculation, but if it is
> an issue with Windows 2012 DNS, it might be good to be able to
> isolate that issue soon (so that it can be fixed before Windows
> 2012 is released).
I did some tests with the release candidate version of Windows 2012,
and I could not reproduce the error. Windows 2012 internal version
number is 6.2 (6.2.8400) and it does not implement the «version.bind»
request (returns a NOTIMPL error).
However the dns11.one.microsoft.com DNS server returns
bash-3.2# dig @94.245.124.49 txt ch version.bind
;; Warning: query response not set
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.9.1-P1 <<>> @94.245.124.49 txt ch version.bind
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11512
;; flags: aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 1476526080 IN TXT «Microsoft DNS
6.1.7601 (1DB14556)»
;; Query time: 36 msec
;; SERVER: 94.245.124.49#53(94.245.124.49)
;; WHEN: Sun Jun 24 10:26:11 2012
;; MSG SIZE rcvd: 76
which is
Version Product Milestone Service branch
6.1.7600.16xxx Windows Server 2008 R2 RTM GDR
I’m now setting up a Windows 2008R2 DNS Server with the latest patches
in the test lab to see if I can recreate the issue.
iEYEARECAAYFAk/m1ioACgkQsUJ3c+pomYEXWQCfYge8Sjqa4YIhztZLZt5Z9PRp
WuYAnjxfbhVJPRm9y31CKPiO/7wCp/fv
=oS8C
——END PGP SIGNATURE——
Tony Finch
unread,
Jun 25, 2012, 3:54:29 PM6/25/12
to Gabriele Paggi, bind-…@lists.isc.org
It looks to me like this is an EDNS bug. I am querying the authoritative
server directly, with no firewalls in the way. The FORMERR is coming from
the authoritative server not from BIND. I get the same result over IPv4
and IPv6.
They also have a bug in their NXDOMAIN logic: extranet.microsoft.com
does not exist therefore partners.extranet.microsoft.com cannot exist.
; <<>> DiG 9.9.1-P1 <<>> +noedns @ns1.msft.net. partners.extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9931
;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;; ADDITIONAL SECTION:
;; Query time: 159 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:38:51 2012
;; MSG SIZE rcvd: 197
; <<>> DiG 9.9.1-P1 <<>> +edns=0 @ns1.msft.net. partners.extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20875
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 142 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:38:57 2012
;; MSG SIZE rcvd: 60
; <<>> DiG 9.9.1-P1 <<>> +noedns @ns1.msft.net extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 141
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;extranet.microsoft.com. IN NS
;; AUTHORITY SECTION:
microsoft.com. 3600 IN SOA ns1.msft.net.
msnhst.microsoft.com. 2012062205 300 600 2419200 3600
;; Query time: 142 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:44:44 2012
;; MSG SIZE rcvd: 95
Tony.
—
f.anthony.n.finch <d…@dotat.at> http://dotat.at/
Sole, Lundy, Fastnet: Southeast at first in Lundy and Fastnet, otherwise
southwest, 4 or 5. Slight or moderate, occasionally rough in west Sole.
Occasional rain or drizzle, fog patches. Moderate, occasionally very poor.
Tony Finch
unread,
Jun 25, 2012, 3:57:43 PM6/25/12
to Carsten Strotmann (private), bind-…@lists.isc.org
Carsten Strotmann (private) <c…@strotmann.de> wrote:
>
> The FORMERR I’m seeing is also quite odd, as it has the «AD» flag set,
> which should normally not appear in an error type of response, but
> might be caused by a mangled DNS packet:
I think it is echoing the AD bit in the query.
; <<>> DiG 9.9.1-P1 <<>> +noad +qr @ns1.msft.net. partners.extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3331
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 3331
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS
;; Query time: 142 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:57:06 2012
;; MSG SIZE rcvd: 60
; <<>> DiG 9.9.1-P1 <<>> +qr @ns1.msft.net. partners.extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21060
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 21060
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS
;; Query time: 142 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:56:22 2012
;; MSG SIZE rcvd: 60
Dogger: Northwest 5 or 6 becoming variable 3 or 4. Moderate, becoming slight
in west. Showers. Moderate or good.
Sam Wilson
unread,
Jun 25, 2012, 7:21:07 PM6/25/12
to comp-protoc…@isc.org
Gabriele Paggi
unread,
Jun 26, 2012, 4:55:44 PM6/26/12
to comp-protoc…@isc.org
Hello Sam,
> There’s some kind of delegation bug as well. If I query
> dns1[0-3].one.microsoft.com for SOA and NS for
> partners.extranet.microsoft.com you get sensible answers though the
> origin host is different for each server queried and those origins are
> privately addressed.
Which kind of misconfiguration could lead to SOA records for hosts on
the internet to be privately addressed?
Misconfigured split horizon server?
[…]
What do you mean with «authority for zero-answer responses»?
What is the normal authority response I should get when querying for
non-existent records?
I’m trying a few third level domains (e.g. fabric.readthedocs.org) and
I most of the time get as authority section the SOA for the second
level domain (readthedocs.org).
Thanks!
> It’s all rather horrible.
I concur!
Gabriele
Sam Wilson
unread,
Jun 26, 2012, 5:47:52 PM6/26/12
to comp-protoc…@isc.org
In article <mailman.1143.1340715…@lists.isc.org>,
Gabriele Paggi <gabrie…@gmail.com> wrote:
> Hello Sam,
>
> > There’s some kind of delegation bug as well. If I query
> > dns1[0-3].one.microsoft.com for SOA and NS for
> > partners.extranet.microsoft.com you get sensible answers though the
> > origin host is different for each server queried and those origins are
> > privately addressed.
>
> Which kind of misconfiguration could lead to SOA records for hosts on
> the internet to be privately addressed?
> Misconfigured split horizon server?
It’s not difficult for private addresses to escape. It need not actually
be a problem. It’s not necessarily a problem here but it does make it
difficult to work out what’s going on.
For a NXDOMAIN response, or NOERROR with an empty answer section, the
server should provide the SOA record in the authority section. That SOA
is the apex of the zone which doesn’t contain the answer record you
asked for, if you see what I mean. The server is proving that it has
authority to tell you that the information doesn’t exist.
The fact that looking for nonexistent data for
vlasext.partners.extranet.microsoft.com returns the
partners.extranet.microsoft.com SOA record shows that the vlasext
subdomain has not been delegated. The servers should therefore be able
to offer an authoritative answer for data that does exist for
vlasext.etc… but they don’t.
> I’m trying a few third level domains (e.g. fabric.readthedocs.org) and
> I most of the time get as authority section the SOA for the second
> level domain (readthedocs.org).
>
> Thanks!
dig <domain> +trace will also (normally) show you how the tree is
delegated, though it doesn’t print out the SOA records. Try
www.automation.ucs.ed.ac.uk.
> > It’s all rather horrible.
>
> I concur!
Barry Margolin
unread,
Jun 26, 2012, 6:09:44 PM6/26/12
to comp-protoc…@isc.org
In article <mailman.1144.1340718…@lists.isc.org>,
Sam Wilson <Sam.W…@ed.ac.uk> wrote:
> For a NXDOMAIN response, or NOERROR with an empty answer section, the
> server should provide the SOA record in the authority section. That SOA
> is the apex of the zone which doesn’t contain the answer record you
> asked for, if you see what I mean. The server is proving that it has
> authority to tell you that the information doesn’t exist.
More important, the SOA record contains the TTL that should be used for
the negative cache entry.
This type of inconsistency often suggests a DNS-based load balancer is
involved.
—
Barry Margolin
Arlington, MA
Sam Wilson
unread,
Jun 27, 2012, 1:23:03 PM6/27/12
to comp-protoc…@isc.org
In article <mailman.1145.1340719…@lists.isc.org>,
Barry Margolin <bar…@alum.mit.edu> wrote:
> In article <mailman.1144.1340718…@lists.isc.org>,
> Sam Wilson <Sam.W…@ed.ac.uk> wrote:
>
> > For a NXDOMAIN response, or NOERROR with an empty answer section, the
> > server should provide the SOA record in the authority section. That SOA
> > is the apex of the zone which doesn’t contain the answer record you
> > asked for, if you see what I mean. The server is proving that it has
> > authority to tell you that the information doesn’t exist.
>
> More important, the SOA record contains the TTL that should be used for
> the negative cache entry.
More important for the operation of the DNS, but I’d think less
important from the point of view of manual debugging, like we’re doing
here.
> > The fact that looking for nonexistent data for
> > vlasext.partners.extranet.microsoft.com returns the
> > partners.extranet.microsoft.com SOA record shows that the vlasext
> > subdomain has not been delegated. The servers should therefore be able
> > to offer an authoritative answer for data that does exist for
> > vlasext.etc… but they don’t.
>
> This type of inconsistency often suggests a DNS-based load balancer is
> involved.
I wondered that but it’s not consistent with earlier results in the
thread which suggested Windows DNS server for at least one of them. An
old version of fpdns (someone might like to try a newer one) concurs:
$ for i in 0 1 2 3 ; do fpdns dns1$i.one.microsoft.com ; done
fingerprint (dns10.one.microsoft.com, 131.107.125.65): Microsoft
Windows 2003
fingerprint (dns11.one.microsoft.com, 94.245.124.49): Microsoft
Windows 2003
fingerprint (dns12.one.microsoft.com, 207.46.55.10): Microsoft
Windows 2003
fingerprint (dns13.one.microsoft.com, 65.55.31.17): Microsoft
Windows 2003
$ fpdns -v
fpdns.pl version 0.9.1