BIND 9 recursive queries returning SERVFAIL for 'legit' domain


BIND 9 recursive queries returning SERVFAIL for 'legit' domain

Ian Springett

Hi

I have an issue with BIND 9.14.11 and recursive queries to one particular domain. DIG result is SERVFAIL and ‘bad cookie’ is logged in /var/log/messages & /var/log/named.run

 

The domain has two DNS servers behind a load balancer which is causing the bad cookie result. Would this in itself be enough to cause the SERVFAIL and if so is there a way to have exceptions for known ‘good’ domains?

Rgds

Ian

 

Ian Springett

Hosted Services Engineer


Giacom World Networks Ltd

Tel: 0845 305 5577

Fax: 01482 330194

Email: [hidden email]

Website: www.giacom.com

 

IMPORTANT:

Legally privileged/confidential information may be contained in this message. If you are not the addressee(s) legally indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message, and notify us immediately. If you or your employer does not consent to Internet e-mail messages of this kind, please advise us immediately. Opinions, conclusions and other information expressed in this message are not given or endorsed by my firm or employer unless otherwise indicated by an authorised representative independent of this message.

Please note that neither my employer nor I accept any responsibility for viruses and it is your responsibility to scan attachments (if any). This email and any files transmitted are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify me by returning the email.

 

Giacom World Networks Limited, Company No 03813447 Registered in England & Wales, Registered Office:  Bridge Haven One, Saxon Way, Priory Park, Hessle, East Yorkshire  HU13 9PG.

 


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9 recursive queries returning SERVFAIL for 'legit' domain

Ondřej Surý
Hi Ian,

the first thing you should do is to contact the zone owner to fix their nameservers/load-balancer. The zone/domain might be “legit”, but its nameservers are violating the DNS protocol. Maybe you won’t have to maintain a list of exceptions.

If that doesn’t work, this is the configuration option you are looking for: https://bind9.readthedocs.io/en/latest/reference.html?highlight=Cookie#server-statement-grammar

Ondrej
--
Ondřej Surý — ISC

On 17 Jun 2020, at 17:22, Ian Springett <[hidden email]> wrote:



Hi

I have an issue with BIND 9.14.11 and recursive queries to one particular domain. DIG result is SERVFAIL and ‘bad cookie’ is logged in /var/log/messages & /var/log/named.run

 

The domain has two DNS servers behind a load balancer which is causing the bad cookie result. Would this in itself be enough to cause the SERVFAIL and if so is there a way to have exceptions for known ‘good’ domains?

Rgds

Ian

 



Re: BIND 9 recursive queries returning SERVFAIL for 'legit' domain

Mark Andrews
In reply to this post by Ian Springett


> On 17 Jun 2020, at 18:45, Ian Springett <[hidden email]> wrote:
>
> Hi
> I have an issue with BIND 9.14.11 and recursive queries to one particular domain. DIG result is SERVFAIL and ‘bad cookie’ is logged in /var/log/messages & /var/log/named.run
>  
> The domain has two DNS servers behind a load balancer which is causing the bad cookie result. Would this in itself be enough to cause the SERVFAIL and if so is there a way to have exceptions for known ‘good’ domains?
> Rgds
> Ian

Load balancers shouldn’t cause “bad cookie” (client cookie component not echoed back in the cookie response) as opposed to the BADCOOKIE rcode, which can be caused by misconfigured shared secrets.  Named will handle the BADCOOKIE rcode switching to TCP if necessary.  “bad cookie” indicates a botched DNS COOKIE implementation in the server, a broken full answer cache mechanism that hasn’t considered that EDNS options modify responses, or someone is attempting to spoof a reply and is including a DNS COOKIE (named assumes this is the case and waits for the legitimate).

Ondrej’s suggestions are the way to go here.


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]

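The distinction Mark draws above, worked through as an added example (not code from the thread or from BIND): a resolver-side check that separates a “bad cookie” response (client cookie not echoed, so the packet is dropped as a possible spoof) from a BADCOOKIE rcode (server cookie rejected, so the resolver stores the new server cookie and retries). The authoritative side uses a toy HMAC server cookie in place of the SipHash construction real servers use, and the resolver address and secrets are constructed values.

```python
import hashlib, hmac, os, struct
OPT_COOKIE = 10        # EDNS option code for DNS COOKIE (RFC 7873)
RCODE_BADCOOKIE = 23   # extended RCODE: server could not verify the server cookie it received

def encode_cookie_option(client_cookie, server_cookie=b""):
    data = client_cookie + server_cookie   # 8-byte client part, optional 8-32 byte server part
    return struct.pack("!HH", OPT_COOKIE, len(data)) + data

def decode_cookie_option(opt_rdata):
    """Walk the OPT option list; return (client_cookie, server_cookie) or None if absent."""
    pos = 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        data = opt_rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if code == OPT_COOKIE and 8 <= len(data) <= 40:
            return data[:8], data[8:]
    return None

def authoritative_reply(secret, client_ip, opt_rdata):
    """Server: echo the client cookie; BADCOOKIE if the server cookie is wrong (toy HMAC cookie, not SipHash)."""
    parsed = decode_cookie_option(opt_rdata)
    if parsed is None:
        return 0, b""                      # no cookie option at all: plain answer
    client_cookie, server_cookie = parsed
    expected = hmac.new(secret, client_cookie + client_ip.encode(), hashlib.sha256).digest()[:8]
    ok = server_cookie == b"" or hmac.compare_digest(server_cookie, expected)
    return (0 if ok else RCODE_BADCOOKIE), encode_cookie_option(client_cookie, expected)

def classify_response(sent_client_cookie, rcode, opt_rdata):
    """Resolver: 'bad cookie' is dropped as a possible spoof; BADCOOKIE means retry."""
    parsed = decode_cookie_option(opt_rdata)
    if parsed is None:
        return "no-cookie"                 # server does not speak cookies; treat as plain EDNS
    client_cookie, server_cookie = parsed
    if not hmac.compare_digest(client_cookie, sent_client_cookie):
        return "bad cookie"                # client part not echoed: broken server, stale cache or spoof
    if rcode == RCODE_BADCOOKIE:
        return "badcookie-retry"           # store server_cookie and resend (over TCP if needed)
    return "accept"

def demo():
    ip, cc = "192.0.2.53", os.urandom(8)   # constructed resolver address and client cookie
    secret_a, secret_b = os.urandom(16), os.urandom(16)   # two authoritatives behind one VIP
    rcode, opt = authoritative_reply(secret_a, ip, encode_cookie_option(cc))          # lands on A
    first = classify_response(cc, rcode, opt)
    rcode, opt = authoritative_reply(secret_b, ip, encode_cookie_option(cc, decode_cookie_option(opt)[1]))
    second = classify_response(cc, rcode, opt)                 # B cannot verify A's cookie
    third = classify_response(cc, 0, encode_cookie_option(os.urandom(8)))   # wrong client part
    return first, second, third            # ("accept", "badcookie-retry", "bad cookie")
```

Only the third case is what named logs as “bad cookie”; the load-balanced pair with different secrets produces the second case, which named recovers from by itself.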