[dns-operations] Odd Results/Activity

Jon Eckerle Jon.Eckerle at cio.idaho.gov
Mon Sep 29 22:18:02 UTC 2014


   Sorry if this seems longish, but I'd rather give you all I can think of that might help than leave you wondering what I'm talking about.

   We are having a problem getting DNS recursive resolutions for securestate.com domain names, specifically mystate.securestate.com.

   I should mention here that, at present, this is the only domain we are having issues with.

   When we issue a DNS query from any of our four BIND 9.9.4-P2 recursive servers, which are inside of our network, for the mystate.securestate.com domain, we consistently get a SERVFAIL response.

   When we issue a DNS query specifically for the SOA Name servers' A records, we get a SERVFAIL response.

   In trying to figure out what might be going on, I found through outside resolvers the names (four) and IP Addresses (four each for 16 total) of the SOA servers for the securestate.com domain.

   When we issue a DNS query specifically against an IP Address of one of the SOA servers for securestate.com, for its own name, we get a NOERROR response with no data.

   When we use other DNS resolvers, outside of our network, they seem to be resolving just fine.

   I've included the various flavors of dig queries and the meat of our named.conf file.

   Since our customers, or one of them, see a SERVFAIL, it, of course, just has to be our DNS servers' fault, so any ideas or hints will be greatly appreciated.

   When I try a basic dig, I get:

dig mystate.securestate.com

; <<>> DiG 9.9.4-P2 <<>> mystate.securestate.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39627
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;securestate.com.               IN      A

;; Query time: 2993 msec
;; SERVER: 164.165.147.231#53(164.165.147.231)
;; WHEN: Mon Sep 29 15:59:14 MDT 2014
;; MSG SIZE  rcvd: 44

   If I try a dig +trace, I get:

dig +trace mystate.securestate.com

; <<>> DiG 9.9.4-P2 <<>> +trace mystate.securestate.com
;; global options: +cmd
.                       83701   IN      NS      e.root-servers.net.
.                       83701   IN      NS      f.root-servers.net.
.                       83701   IN      NS      i.root-servers.net.
.                       83701   IN      NS      m.root-servers.net.
.                       83701   IN      NS      d.root-servers.net.
.                       83701   IN      NS      h.root-servers.net.
.                       83701   IN      NS      b.root-servers.net.
.                       83701   IN      NS      j.root-servers.net.
.                       83701   IN      NS      k.root-servers.net.
.                       83701   IN      NS      c.root-servers.net.
.                       83701   IN      NS      l.root-servers.net.
.                       83701   IN      NS      a.root-servers.net.
.                       83701   IN      NS      g.root-servers.net.
.                       84848   IN      RRSIG   NS 8 0 518400 20141006170000 20140929160000 8230 . hJNK+x67Ai+uAd34igab0odq4vISCMZEwDbopatCxN2/AzKDdkYsCYoE hfQv8/yYaMR15v0WSYXQomGF66bA6dXe2lzCKEALmkkgy0TTp4xkbTC7 QarlfKJhVwg4TlowxQ5o94ZwYi+6uWXoOM0r6CfdhEFCm8WgZrLd65F1 oTo=
;; Received 913 bytes from 164.165.147.231#53(164.165.147.231) in 589 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20141006170000 20140929160000 8230 . OuUj3aWJQOMDLAO5i33XuhfZNJvjqjbIa6L7Q8rzlXNag153/G0Z6MI3 /1QubWOH9iJVjZLEJhoB7LI5kPEHLo2Hde5iYPCuDGbFbYI7pXSqwTfT VPgquQGpkgRDeFFM0JHt/qud5fUz5PNsv4QA57vJAJU/n9U72to5dtMm tjM=
;; Received 747 bytes from 199.7.83.42#53(l.root-servers.net) in 1176 ms

securestate.com.        172800  IN      NS      ns5.gi.net.
securestate.com.        172800  IN      NS      ns6.gi.net.
securestate.com.        172800  IN      NS      ns7.gi.net.
securestate.com.        172800  IN      NS      ns8.gi.net.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20141004044954 20140927033954 6122 com. zVV+Rlagl8V4U36B36XISeL4D652mt25miImUk4gmRotumeuX4EENG99 AEcNhKuP6SSzRa2Zx3uTgHMGlugSISDd4gwQEPb8tckKjQhzuEFucek2 IklgGEs4zKXW5BzVLNo+RZ/ARuuXm/G4PEHWxTm1sAf4HrWTbtMZ3o53 rj4=
PFP6JL7O9OUUBU0U0OHIOD8RQEQAULG3.com. 86400 IN NSEC3 1 1 0 - PFPAGH2299I07EHT4G9EC1S03HUET784 NS DS RRSIG
PFP6JL7O9OUUBU0U0OHIOD8RQEQAULG3.com. 86400 IN RRSIG NSEC3 8 2 86400 20141006043024 20140929032024 6122 com. X62NE0ptCBOBwvbGLO517nIqLthVeQrpEZRcHebfRbfyrx4Bwrx7NoPx 2zRVDgtSAN6hTVWHyX+qgFKqGl7w59fL7nhFL718i8sMkaKpPxgyN+60 eLwC0lzMXoPv9od7Odl3/z91d9VwLpFhCTDK7PurOIcfLI0qv9vr03vE 2yQ=
dig: couldn't get address for 'ns5.gi.net': no more

   If I try a query specifically against the IP Address advertised as SOA for this domain (ns5.gi.net - 50.23.136.173), I get a resolution:

dig @50.23.136.173 mystate.securestate.com

; <<>> DiG 9.9.4-P2 <<>> @50.23.136.173 mystate.securestate.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19186
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mystate.securestate.com.       IN      A

;; ANSWER SECTION:
mystate.securestate.com. 14400  IN      A       98.103.44.125

;; Query time: 27 msec
;; SERVER: 50.23.136.173#53(50.23.136.173)
;; WHEN: Mon Sep 29 16:05:31 MDT 2014
;; MSG SIZE  rcvd: 57

   However, if I try a dig against any IP Address for the host record of the server associated with that specific IP Address (50.23.136.173 - ns5.gi.net) I get:

dig @50.23.136.173 ns5.gi.net

; <<>> DiG 9.9.4-P2 <<>> @50.23.136.173 ns5.gi.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25692
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns5.gi.net.                    IN      A

;; Query time: 20 msec
;; SERVER: 50.23.136.173#53(50.23.136.173)
;; WHEN: Mon Sep 29 16:09:28 MDT 2014
;; MSG SIZE  rcvd: 28 

   Here is my named.conf file:

acl "state-network" {
    164.165.0.0/16; 192.102.16.0/24; 192.207.45.0/24;
};

acl "labor-network" {
    204.144.104.0/24;
};

acl "access-idaho" {
    206.81.140.0/25; 63.226.87.146/29;
};

acl "internal-nat" {
    10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

options {
        directory       "/conf";
        pid-file        "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file       "/var/run/named.db";
        version         "[secured]";
        hostname        "[secured]";
        dnssec-enable yes;
        dnssec-validation auto;
        recursion yes;
        allow-update { none; };
        allow-notify { 164.165.207.44; };
        allow-query { state-network; labor-network; internal-nat; };
        allow-query-cache { state-network; labor-network; internal-nat; };
        transfer-format many-answers;
        max-transfer-time-in 60;
        max-cache-ttl 86400;
        max-ncache-ttl 600;
        max-cache-size 50M;
};

zone "." {
        type   hint;
        file   "db.rootcache";
};

zone    "localhost" {
        type    master;
        file   "db.localhost";
        notify  no;
};

zone    "0.0.127.in-addr.arpa" {
        type   master;
        file   "db.127.0.0";
        notify no;
};


Jon Eckerle - Hostmaster
Idaho Office of the Chief Information Officer
650 West State Street
Boise, Idaho 83720

Certified DNS Associate
Certified DNSSEC Expert
hostmaster at idaho.gov
jon.eckerle at cio.idaho.gov
(208) 332-1803
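The diagnostic sequence in the post (ask our resolver for the name, pull the zone's NS set from the delegation, try to resolve each nameserver's own address, then query the nameserver directly for the zone and for itself) can be scripted so the same check runs against any delegation. The block below is an added example, not part of the original message and not code from BIND or ISC. The responses in FIXTURE are constructed from the dig output quoted above so the script runs offline; the Lookup callable is a hypothetical stand-in for a real DNS client, and the one-label strip used to guess the nameservers' own zone is a heuristic, not a real zone-cut search. It generalizes the post's case by flagging out-of-bailiwick nameservers: the .com zone cannot carry glue for names under gi.net, so a recursive server that cannot resolve gi.net will SERVFAIL the whole securestate.com delegation even while the authoritative server answers correctly when queried directly.

```python
"""Delegation health check mirroring the troubleshooting steps in the post.

Added example, not part of the original message. Every response in FIXTURE
is constructed from the dig output quoted in the post, and the Lookup
callable is a hypothetical stand-in for a real DNS client.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Answer:
    rcode: str                                      # "NOERROR", "SERVFAIL", "NXDOMAIN", ...
    rdata: List[str] = field(default_factory=list)  # answer-section rdata as strings


# (qname, qtype, server) -> Answer; server=None means "ask our own recursive server"
Lookup = Callable[[str, str, Optional[str]], Answer]

# Constructed fixture: each entry reproduces one observation from the post.
FIXTURE: Dict[Tuple[str, str, Optional[str]], Answer] = {
    # delegation for securestate.com as seen in the dig +trace
    ("securestate.com.", "NS", None): Answer("NOERROR", [
        "ns5.gi.net.", "ns6.gi.net.", "ns7.gi.net.", "ns8.gi.net."]),
    # our recursive servers SERVFAIL on the nameservers' own A records
    ("ns5.gi.net.", "A", None): Answer("SERVFAIL"),
    ("ns6.gi.net.", "A", None): Answer("SERVFAIL"),
    ("ns7.gi.net.", "A", None): Answer("SERVFAIL"),
    ("ns8.gi.net.", "A", None): Answer("SERVFAIL"),
    # asked directly, ns5 answers the zone but returns NOERROR/no data for itself
    ("mystate.securestate.com.", "A", "50.23.136.173"): Answer("NOERROR", ["98.103.44.125"]),
    ("ns5.gi.net.", "A", "50.23.136.173"): Answer("NOERROR"),
}

# Address learned out of band ("through outside resolvers" in the post).
KNOWN_ADDRESSES = {"ns5.gi.net.": "50.23.136.173"}


def fixture_lookup(qname: str, qtype: str, server: Optional[str]) -> Answer:
    """Offline stand-in for a DNS client; unknown questions get SERVFAIL."""
    return FIXTURE.get((qname, qtype, server), Answer("SERVFAIL"))


def in_bailiwick(ns_name: str, zone: str) -> bool:
    """True when the NS name sits under the zone, so the parent can publish glue for it."""
    return ns_name == zone or ns_name.endswith("." + zone)


def check_delegation(zone: str, probe_name: str, lookup: Lookup,
                     known_addresses: Dict[str, str]) -> List[dict]:
    """Walk the NS set of `zone` and record, per nameserver, what could be observed."""
    ns_answer = lookup(zone, "NS", None)
    if ns_answer.rcode != "NOERROR" or not ns_answer.rdata:
        return [{"ns": None, "in_bailiwick": None, "serves_zone": None,
                 "problems": [f"no NS set for {zone}: {ns_answer.rcode}"]}]
    report = []
    for ns in ns_answer.rdata:
        entry = {"ns": ns, "in_bailiwick": in_bailiwick(ns, zone),
                 "serves_zone": None, "problems": []}
        a = lookup(ns, "A", None)
        if a.rcode == "NOERROR" and a.rdata:
            addr = a.rdata[0]
        else:
            entry["problems"].append(
                f"our resolver cannot resolve {ns}: {a.rcode}"
                + (" (empty answer)" if a.rcode == "NOERROR" else ""))
            addr = known_addresses.get(ns)  # fall back to an out-of-band address
        if addr is not None:
            own = lookup(ns, "A", addr)     # does the server know its own name?
            if own.rcode == "NOERROR" and not own.rdata:
                entry["problems"].append(
                    f"{addr} answers NOERROR with no data for its own name {ns}")
            probe = lookup(probe_name, "A", addr)  # does it still serve the zone?
            entry["serves_zone"] = probe.rcode == "NOERROR" and bool(probe.rdata)
        report.append(entry)
    return report


def diagnose(zone: str, report: List[dict]) -> str:
    """Turn the per-nameserver report into a one-line reading of where to look next."""
    unresolved = [e for e in report if e["ns"] and
                  any(p.startswith("our resolver cannot resolve") for p in e["problems"])]
    if not unresolved:
        return f"all {len(report)} nameservers of {zone} resolve; look elsewhere"
    serving = [e["ns"] for e in report if e["serves_zone"]]
    msg = f"{len(unresolved)}/{len(report)} nameservers of {zone} are unresolvable"
    if serving:
        msg += f"; {', '.join(serving)} still answer(s) for the zone when asked directly"
    if all(not e["in_bailiwick"] for e in unresolved):
        # Out-of-bailiwick NS names carry no glue in the parent, so the resolver must
        # resolve their own zone first. Stripping one label is only a rough guess at
        # which zone that is.
        foreign = sorted({e["ns"].split(".", 1)[1] for e in unresolved})
        msg += "; all are out of bailiwick, so check resolution of " + ", ".join(foreign)
    return msg


if __name__ == "__main__":
    rep = check_delegation("securestate.com.", "mystate.securestate.com.",
                           fixture_lookup, KNOWN_ADDRESSES)
    for e in rep:
        print(e)
    print(diagnose("securestate.com.", rep))
```

To run the same check live, replace fixture_lookup with a function that sends the query to a real client (server=None to the local recursive server, otherwise to the given address) and returns the rcode plus the answer-section rdata; the report logic does not change.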