[dns-operations] A strange DNS problem (intermittent SERVFAILs)

Matthew Richardson matthew-l at itconsult.co.uk
Sat May 30 17:15:23 UTC 2020


Dear Stephane,

Whilst I have not got an answer, I have managed to get an example of a
failure using Cloudflare:-

>; <<>> DiG 9.11.19 <<>> @1.1.1.1 banquepopulaire.fr ns
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41975
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 1452
>;; QUESTION SECTION:
>;banquepopulaire.fr.            IN      NS
>
>;; Query time: 14 msec
>;; SERVER: 1.1.1.1#53(1.1.1.1)
>;; WHEN: Sat May 30 18:02:59 BST 2020
>;; MSG SIZE  rcvd: 47

and thereafter:-

>; <<>> DiG 9.11.19 <<>> @1.1.1.1 www.banquepopulaire.fr
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53725
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 1452
>;; QUESTION SECTION:
>;www.banquepopulaire.fr.                IN      A
>
>;; Query time: 4148 msec
>;; SERVER: 1.1.1.1#53(1.1.1.1)
>;; WHEN: Sat May 30 18:03:21 BST 2020
>;; MSG SIZE  rcvd: 51

I wonder whether the first one (SERVFAIL for NS) is a clue.  bcpe.fr is
delegated to the same servers which do not answer NS queries.  Thus, NS
RRSET is only available from the parent (.fr) and not the child.  Maybe
this upsets child-centric resolvers.

I am just guessing though...

The whole thing is très mauvaise pratique as reported, all the more so for
a bank!

Best wishes,
Matthew

 ------
>From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
>To: DNS Operations List <dns-operations at dns-oarc.net>
>Cc: 
>Date: Sat, 30 May 2020 18:09:24 +0200
>Subject: [dns-operations] A strange DNS problem (intermittent SERVFAILs)

>Several users on Twitter reported problems accessing Banque Populaire
>(a French bank) https://www.banquepopulaire.fr
>https://www.ibps.loirelyonnais.banquepopulaire.fr
>https://www.ibps.bpaca.banquepopulaire.fr
>https://www.ibps.mediterranee.banquepopulaire.fr/
>
>From the limited reports, all errors point to a DNS issue. (For one
>user, adding the IP address in /etc/hosts solved the problem.)
>
>But testing with existing resolvers and with the RIPE Atlas probes do
>not show a widespread outage.
>
>The existing DNS configuration is clearly very questionable, such as a
>zone delegated to just one name server, and a broken one, replying
>REFUSED for NS and SOA queries.
>
>The question is "how did this incorrect setup can produce *sometimes*
>a resolution failure?"
>
>Details in french, plus dig outputs (not in french) are at
><http://shaarli.guiguishow.info/?F7a6EA>.
>
>_______________________________________________
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
>https://lists.dns-oarc.net/mailman/listinfo/dns-operations



More information about the dns-operations mailing list