[dns-operations] A strange DNS problem (intermittent SERVFAILs)
Florian Weimer
fw at deneb.enyo.de
Sat May 30 16:48:53 UTC 2020
* Stephane Bortzmeyer:
> Several users on Twitter reported problems accessing Banque Populaire
> (a French bank) https://www.banquepopulaire.fr
> https://www.ibps.loirelyonnais.banquepopulaire.fr
> https://www.ibps.bpaca.banquepopulaire.fr
> https://www.ibps.mediterranee.banquepopulaire.fr/
>
> From the limited reports, all errors point to a DNS issue. (For one
> user, adding the IP address in /etc/hosts solved the problem.)
>
> But testing with existing resolvers and with the RIPE Atlas probes does
> not show a widespread outage.

I can reproduce this to some extent:

$ dig +norecurse +dnssec @nsisp1.i-bp.banquepopulaire.fr. www.banquepopulaire.fr. MX
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> +norecurse +dnssec @nsisp1.i-bp.banquepopulaire.fr. www.banquepopulaire.fr. MX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 59096
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.banquepopulaire.fr. IN MX
;; Query time: 41 msec
;; SERVER: 91.135.182.250#53(91.135.182.250)
;; WHEN: Sat May 30 18:36:35 CEST 2020
;; MSG SIZE rcvd: 51
$ dig +norecurse +dnssec @nsisp1.i-bp.banquepopulaire.fr. www.banquepopulaire.fr. TYPE1000
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> +norecurse +dnssec @nsisp1.i-bp.banquepopulaire.fr. www.banquepopulaire.fr. TYPE1000
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

A recursive resolver will turn these responses into SERVFAILs.
I suspect this can cause resolvers to cache bad server reachability
information, leading to name resolution errors for A and AAAA queries
as well.

Or it could just be a client that uses RFC 2782:

$ dig +norecurse +dnssec @nsisp1.i-bp.banquepopulaire.fr. _http._tcp.www.ibps.loirelyonnais.banquepopulaire.fr SRV
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> +norecurse +dnssec @nsisp1.i-bp.banquepopulaire.fr. _http._tcp.www.ibps.loirelyonnais.banquepopulaire.fr SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49919
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_http._tcp.www.ibps.loirelyonnais.banquepopulaire.fr. IN SRV
;; Query time: 39 msec
;; SERVER: 91.135.182.250#53(91.135.182.250)
;; WHEN: Sat May 30 18:47:02 CEST 2020
;; MSG SIZE rcvd: 81
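
Added example, not part of the original message: a small shell helper that repeats the per-type check above and reports, for each query type, what the authoritative server did and what a client behind a recursive resolver would see. The function names (classify_dig, resolver_effect, probe_types) are hypothetical, and the REFUSED/timeout-to-SERVFAIL mapping is the one stated in the message.

```shell
#!/bin/sh
# Two sample lines copied from the dig transcripts in the message, plus one
# constructed NOERROR header for comparison.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 59096'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1'  # constructed

# classify_dig: read one dig transcript on stdin and print its outcome:
# the header status (NOERROR, REFUSED, ...), TIMEOUT, or UNKNOWN.
classify_dig() {
    awk '
        /connection timed out/ { result = "TIMEOUT" }
        /->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s); result = s }
        }
        END { if (result == "") result = "UNKNOWN"; print result }
    '
}

# resolver_effect: what a client of a recursive resolver would see.
# Assumption taken from the message: REFUSED and timeouts become SERVFAIL;
# any other outcome is passed through unchanged.
resolver_effect() {
    case "$1" in
        REFUSED|TIMEOUT) echo "SERVFAIL" ;;
        *) echo "$1" ;;
    esac
}

# probe_types SERVER NAME TYPE...: query the server directly with the same
# dig options as in the message, one line of output per type.
# Needs dig and network access; not called by the offline demo below.
probe_types() {
    server=$1; name=$2; shift 2
    for qtype in "$@"; do
        outcome=$(dig +norecurse +dnssec "@$server" "$name" "$qtype" 2>&1 | classify_dig)
        printf '%-10s %-10s resolver: %s\n' "$qtype" "$outcome" "$(resolver_effect "$outcome")"
    done
}

# Offline demo over the sample lines.
demo() {
    for sample in "$SAMPLE_REFUSED" "$SAMPLE_TIMEOUT" "$SAMPLE_NOERROR"; do
        outcome=$(printf '%s\n' "$sample" | classify_dig)
        echo "$outcome -> $(resolver_effect "$outcome")"
    done
}
demo
```

Against a live server, call it as probe_types SERVER NAME A AAAA MX SRV TYPE1000; a server that answers address types but refuses or drops the others shows up as differing outcomes per line.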