On 16/06/19 14:31, Mark Andrews wrote:
No.  Treating no response as anything other than packet loss leads to lookups 
failing when it is packet loss.

That makes sense - thank you



Mark

-- Mark Andrews
On 16 Jun 2019, at 23:10, Sebastian Arcus <s.ar...@open-t.co.uk> wrote:


On 16/06/19 12:37, Mark Andrews wrote:
The servers for this zone are broken, they do not respond to queries with DNS
COOKIE options present.  You can add server options to named.conf to work around
this while Barclays fix their servers / firewalls.  Modern recursive servers are
no longer working around broken servers that do not respond to queries.  See
DNS flag day.  It looks like Barclays ignored the messages.
e.g.    server 157.83.102.245 { send-cookie false; };
Thank you for that - that is very helpful. Is there a named.conf option to 
leave the cookie support turned on, but for Bind to retry a query without 
cookies if it fails with cookies attached?



% dig federate-secure.glbaa.barclays.com @ns21.barclays.com +nocookie
; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47102
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;federate-secure.glbaa.barclays.com. IN    A
;; ANSWER SECTION:
federate-secure.glbaa.barclays.com. 30 IN A    157.83.96.50
;; Query time: 491 msec
;; SERVER: 157.83.102.245#53()
;; WHEN: Sun Jun 16 21:03:48 AEST 2019
;; MSG SIZE  rcvd: 79
% dig federate-secure.glbaa.barclays.com @ns21.barclays.com
; <<>> DiG 9.15.0 <<>> federate-secure.glbaa.barclays.com @ns21.barclays.com
;; global options: +cmd
;; connection timed out; no servers could be reached
%
On 16 Jun 2019, at 6:43 pm, Sebastian Arcus <s.ar...@open-t.co.uk> wrote:

I discovered on Friday that the following domain used by Barclays bank in the UK 
doesn't resolve properly - but only on some of my servers running Bind:

federate-secure.glbaa.barclays.com

It works on a server with v9.12.3, but it fails on a server with v9.11.0 and 
another one with v9.14.2. However, I don't think that the Bind version has 
anything to do with it. All servers are recursive servers.

It also resolves fine if I point to Google DNS servers.

I've run tests on the domain above using the MX Toolbox DNS checker 
(mxtoolbox.com), and it fails with the following errors:

3  ns22.barclays.net  157.83.102.246  TIMED-OUT  518 ms  , rcode=NO_DATA
3  ns21.barclays.com  157.83.102.245  TIMED-OUT  509 ms  , rcode=NO_DATA
3  ns23.barclays.com  157.83.126.245  TIMED-OUT  504 ms  , rcode=NO_DATA
3  ns24.barclays.net  157.83.126.246  TIMED-OUT  517 ms  , rcode=NO_DATA

I've had to temporarily disable and bypass the local Bind instance on this 
server and point to Google DNS, as users couldn't use online banking from 
Barclays because of the issue above.

Does anybody have any idea why it would work on some servers and with Google 
DNS, but not on other servers with Bind? Also, would someone mind trying to 
resolve the above domain at their end to see if they get the same errors, 
please?

Any suggestions appreciated. Thank you.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
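
The dig comparison from the thread (answer with +nocookie, timeout with cookies on) as an added example, not code from any poster or from BIND: a stdlib-only probe that sends the same query with and without an EDNS COOKIE option and repeats both so one lost packet does not decide the result. The function names and verdict strings are made up for illustration; option code 10 and OPT type 41 come from RFC 7873 and RFC 6891.

```python
import os, socket, struct, sys

COOKIE = 10  # EDNS option code for DNS COOKIE (RFC 7873)
OPT = 41     # EDNS0 OPT pseudo-RR type (RFC 6891)

def build_query(name, qid, cookie=None, udp_size=4096):
    """A/IN query with an EDNS0 OPT record, plus a COOKIE option when given."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    rdata = b"" if cookie is None else struct.pack("!HH", COOKIE, len(cookie)) + cookie
    # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL 0 (EDNS version 0), RDLENGTH
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 1, 1) + opt

def ask(server, packet, timeout=3.0):
    """Send one UDP query; return the reply's RCODE, or None if no usable reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 53))
            reply = s.recv(4096)
        except OSError:  # includes timeouts
            return None
    if len(reply) < 12 or reply[:2] != packet[:2]:
        return None  # truncated, or not a reply to this query ID
    return reply[3] & 0x0F

def classify(plain, cookied):
    """Each argument is a list of ask() results for one query variant."""
    plain_ok = any(r is not None for r in plain)
    cookie_ok = any(r is not None for r in cookied)
    if plain_ok and cookie_ok:
        return "ok"
    if plain_ok:
        return "drops-cookie-queries"
    return "inconclusive" if cookie_ok else "unreachable"

def probe(server, name, tries=3):
    """Repeat both variants so a single lost packet does not decide the verdict."""
    plain, cookied = [], []
    for _ in range(tries):
        qid = int.from_bytes(os.urandom(2), "big")
        plain.append(ask(server, build_query(name, qid)))
        cookied.append(ask(server, build_query(name, qid ^ 1, os.urandom(8))))
    return classify(plain, cookied)

if __name__ == "__main__" and len(sys.argv) == 3:
    print(probe(sys.argv[1], sys.argv[2]))  # arguments: server address, query name
```

A "drops-cookie-queries" verdict identifies a server that is a candidate for the per-server `send-cookie false;` workaround quoted in the thread.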