The servers for this zone are broken, they do not respond to queries with DNS COOKIE options present. You can add server options to named.conf to work around this while Barclays fix their servers / firewalls. Modern recursive servers are no longer working around broken servers that do not respond to queries. See DNS flag day. It looks like Barclays ignored the messages.
e.g.

server 157.83.102.245 { send-cookie false; };

% dig federate-secure.glbaa.barclays.com @ns21.barclays.com +nocookie

; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47102
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;federate-secure.glbaa.barclays.com. IN A

;; ANSWER SECTION:
federate-secure.glbaa.barclays.com. 30 IN A 157.83.96.50

;; Query time: 491 msec
;; SERVER: 157.83.102.245#53()
;; WHEN: Sun Jun 16 21:03:48 AEST 2019
;; MSG SIZE rcvd: 79

% dig federate-secure.glbaa.barclays.com @ns21.barclays.com

; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com
;; global options: +cmd
;; connection timed out; no servers could be reached
%

> On 16 Jun 2019, at 6:43 pm, Sebastian Arcus <s.ar...@open-t.co.uk> wrote:
>
> I have discovered Friday that the following domain used by Barclays bank in
> UK doesn't resolve properly - but only on some of my servers running Bind:
>
> federate-secure.glbaa.barclays.com
>
> It works on a server with v9.12.3, but it fails on a server with v9.11.0 and
> another one with v9.14.2. However, I don't think that the Bind version has
> anything to do with it. All servers are recursive servers.
>
> It also resolves fine if I point to Google dns servers.
>
> I've run tests on the domain above using the MX Toolbox dns checker
> (mxtoolbox.com), and it fails with the following errors:
>
> 3 ns22.barclays.net 157.83.102.246 TIMED-OUT 518 ms , rcode=NO_DATA
> 3 ns21.barclays.com 157.83.102.245 TIMED-OUT 509 ms , rcode=NO_DATA
> 3 ns23.barclays.com 157.83.126.245 TIMED-OUT 504 ms , rcode=NO_DATA
> 3 ns24.barclays.net 157.83.126.246 TIMED-OUT 517 ms , rcode=NO_DATA
>
> I've had to temporarily disable and bypass the local Bind instance on this
> server and point to Google dns, as users couldn't use online banking from
> Barclays because of the issue above.
>
> Does anybody have any idea why would it work on some servers and with Google
> dns, but not on other servers with Bind? Also, would someone mind trying to
> resolve the above domain at their end and see if they get the same errors
> please.
>
> Any suggestions appreciated. Thank you.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
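
An added example, not part of the original thread and not BIND or dig code: a small Python probe that builds the same A query with and without an EDNS COOKIE option (option code 10, RFC 7873) and reports whether a server answers each, which is the comparison the two dig runs above make. The function names and verdict strings are this example's own.

```python
import os
import socket
import struct
import sys

COOKIE_OPT = 10   # EDNS option code for COOKIE (RFC 7873)
OPT_TYPE = 41     # OPT pseudo-RR type (RFC 6891)

def build_query(name, cookie=None, qid=0x1234, udp_size=4096):
    """A/IN query with an EDNS0 OPT record; adds a COOKIE option when cookie is given."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    rdata = b""
    if cookie is not None:                               # client cookie is 8 bytes
        rdata = struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie
    # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLEN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata
    return header + question + opt

def probe(server, name, cookie, timeout=3.0):
    """Send one UDP query; True if a reply carrying our query ID arrives in time."""
    query = build_query(name, cookie)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return data[:2] == query[:2]

def diagnose(answers_plain, answers_cookie):
    """Turn the two probe results into a verdict."""
    if answers_plain and answers_cookie:
        return "ok"
    if answers_plain:
        return "drops queries carrying COOKIE"
    if answers_cookie:
        return "inconsistent, retry"
    return "no reply to either query"

if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]   # e.g. a nameserver IP and a name in its zone
    plain = probe(server, name, None)
    with_cookie = probe(server, name, os.urandom(8))
    print(server, diagnose(plain, with_cookie))
```

A server that yields "drops queries carrying COOKIE" is a candidate for the `send-cookie false;` server clause shown above.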