The DNS server at 119.29.29.29 is broken. It does not implement EDNS (RFC 6891) correctly. Some of the errors may be due to a misconfigured firewall in front of the server. This is the section of RFC 6891 the server is not following and it is designed to allow clients to use options the server does not know about which allows new options to be deployed without causing problems. The same with ignoring unknown options in responses.

   Any OPTION-CODE values not understood by a responder or requestor
   MUST be ignored.  Specifications of such options might wish to
   include some kind of signaled acknowledgement.  For example, an
   option specification might say that if a responder sees and
   supports option XYZ, it MUST include option XYZ in its response.

The server is echoing back the unknown option "; COOKIE: 45aac8f8acbe209c (echoed)". If DNS COOKIE is not supported this should not be present in the response and if DNS COOKIE is implemented then a server cookie should also be present in the response.

It is not ignoring an unknown option 100 when it is added to the request. The request is being dropped.

It is not responding to requests that happen to have both a client and server cookie present. The expected response if DNS COOKIE is supported is BADCOOKIE, as this example has a server cookie that did not come from the server being queried, if DNS COOKIE is supported or no COOKIE option if it is not supported.

Complain to qq.com that they are running non-compliant DNS servers and are breaking DNS interoperability.

You can work around the issue by telling named to not send DNS COOKIES in its requests.

e.g.
    server 119.29.29.29 { send-cookie false; };

Mark

% dig www.qq.com @119.29.29.29 +norec

; <<>> DiG 9.19.6-dev <<>> www.qq.com @119.29.29.29 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53841
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 45aac8f8acbe209c (echoed)
;; QUESTION SECTION:
;www.qq.com. IN A

;; ANSWER SECTION:
www.qq.com. 60 IN CNAME ins-r23tsuuf.ias.tencent-cloud.net.
ins-r23tsuuf.ias.tencent-cloud.net. 88 IN A 121.14.77.221
ins-r23tsuuf.ias.tencent-cloud.net. 88 IN A 121.14.77.201

;; Query time: 209 msec
;; SERVER: 119.29.29.29#53(119.29.29.29) (UDP)
;; WHEN: Fri Dec 02 15:15:39 AEDT 2022
;; MSG SIZE rcvd: 131

% dig www.qq.com @119.29.29.29 +norec +qr +ednsopt=100

; <<>> DiG 9.19.6-dev <<>> www.qq.com @119.29.29.29 +norec +qr +ednsopt=100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32627
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0322cb71fefb91f7
; OPT=100:
;; QUESTION SECTION:
;www.qq.com. IN A

;; QUERY SIZE: 55

;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32627
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0322cb71fefb91f7
; OPT=100:
;; QUESTION SECTION:
;www.qq.com. IN A

;; QUERY SIZE: 55

;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32627
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0322cb71fefb91f7
; OPT=100:
;; QUESTION SECTION:
;www.qq.com. IN A

;; QUERY SIZE: 55

;; communications error to 119.29.29.29#53: timed out

;; no servers could be reached

% dig www.qq.com @119.29.29.29 +norec +qr +cookie=57dc9aec153f36470100000063897e4ed466568c4ab8742a

; <<>> DiG 9.19.6-dev <<>> www.qq.com @119.29.29.29 +norec +qr +cookie=57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54256
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; QUESTION SECTION:
;www.qq.com. IN A

;; QUERY SIZE: 67

;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54256
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; QUESTION SECTION:
;www.qq.com. IN A

;; QUERY SIZE: 67

;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54256
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; QUESTION SECTION:
;www.qq.com. IN A

;; QUERY SIZE: 67

;; communications error to 119.29.29.29#53: timed out

;; no servers could be reached

%

> On 2 Dec 2022, at 14:52, 张星 <zhangxing...@163.com> wrote:
>
> 'servfail' exception occurs after BIND runs for a period of time, restart bind: servfail does not appear
>
> But after running for some time, it still had the same 'servfail' problem
>
> #./sbin/named -V
> BIND 9.11.5 (Extended Support Version) <id:3b0b204>
> running on Linux x86_64 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017
> built by make with '--prefix=/home/bind/' '--enable-filter-aaaa' '--with-tuning=large' '--enable-largefile' '--enable-threads'
> compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28)
> compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
> linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
> compiled with zlib version: 1.2.7
> linked to zlib version: 1.2.7
> threads support is enabled
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
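
The checks in the message above can be applied to captured replies. The following is an added example, not part of the original message and not BIND code: it parses the OPT record of a raw DNS response and flags the two behaviours described (a client cookie echoed with no server cookie, and a probe that got no reply). The function names are hypothetical and `sample_response` builds a constructed reply for illustration.

```python
import struct

OPT, COOKIE = 41, 10  # RR type OPT (RFC 6891), EDNS option code COOKIE (RFC 7873)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:    # a compression pointer ends the name
            return off + 2
        off += 1 + n

def edns_options(msg):
    """Return [(code, data), ...] from the OPT RR, or None if there is no OPT."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT:
            opts, end = [], off + rdlen
            while off + 4 <= end:
                code, olen = struct.unpack_from("!HH", msg, off)
                opts.append((code, msg[off + 4:off + 4 + olen]))
                off += 4 + olen
            return opts
        off += rdlen
    return None

def audit(probe, response):
    """Classify one probe; response is None when every retry timed out."""
    if response is None:
        return f"{probe}: dropped, no response"
    cookie = dict(edns_options(response) or []).get(COOKIE)
    if cookie is not None and len(cookie) == 8:   # 8 bytes = client cookie only
        return f"{probe}: client cookie echoed without a server cookie"
    return f"{probe}: ok"

def sample_response(cookie):
    """Constructed reply: header, question www.qq.com A, OPT carrying COOKIE."""
    msg = struct.pack("!6H", 53841, 0x8180, 1, 0, 0, 1)
    msg += b"\x03www\x02qq\x03com\x00" + struct.pack("!HH", 1, 1)
    rdata = struct.pack("!HH", COOKIE, len(cookie)) + cookie
    return msg + b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(rdata)) + rdata
```

A reply with no COOKIE option, or with a COOKIE option longer than 8 bytes (client plus server cookie), is reported as ok.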