The DNS server at 119.29.29.29 is broken. It does not implement EDNS (RFC 6891)
correctly. Some of the errors may be due to a misconfigured firewall in front
of
the server. This is the section of RFC 6891 the server is not following and it
is designed to allow clients to use options the server does not know about which
allows new options to be deployed without causing problems. The same with
ignoring
unknown options in responses.
Any OPTION-CODE values not understood by a responder or requestor
MUST be ignored. Specifications of such options might wish to
include some kind of signaled acknowledgement. For example, an
option specification might say that if a responder sees and supports
option XYZ, it MUST include option XYZ in its response.
The server is echoing back the unknown option "; COOKIE: 45aac8f8acbe209c
(echoed)”.
If DNS COOKIE is not supported this should not be present in the response and if
DNS COOKIE is implemented then a server cookie should also be present in the
response.
It is not ignoring an unknown option 100 when they are added to the request.
The
request is being dropped.
It is not responding to requests that happen to have both a client and server
cookie present. The expected response if DNS COOKIE is supported is BADCOOKIE,
as this example has a server cookie that did not come from the server being
queried, if DNS COOKIE is supported or no COOKIE option if it is not supported.
Complain to qq.com that they are running non-compliant DNS servers and are
breaking
DNS interoperability. You can workaround the issue by telling named to not
send DNS
COOKIES in its requests.
e.g.
server 119.29.29.29 { send-cookie false; };
Mark
% dig www.qq.com @119.29.29.29 +norec
; <<>> DiG 9.19.6-dev <<>> www.qq.com @119.29.29.29 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53841
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 45aac8f8acbe209c (echoed)
;; QUESTION SECTION:
;www.qq.com. IN A
;; ANSWER SECTION:
www.qq.com. 60 IN CNAME
ins-r23tsuuf.ias.tencent-cloud.net.
ins-r23tsuuf.ias.tencent-cloud.net. 88 IN A 121.14.77.221
ins-r23tsuuf.ias.tencent-cloud.net. 88 IN A 121.14.77.201
;; Query time: 209 msec
;; SERVER: 119.29.29.29#53(119.29.29.29) (UDP)
;; WHEN: Fri Dec 02 15:15:39 AEDT 2022
;; MSG SIZE rcvd: 131
% dig www.qq.com @119.29.29.29 +norec +qr +ednsopt=100
; <<>> DiG 9.19.6-dev <<>> www.qq.com @119.29.29.29 +norec +qr +ednsopt=100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32627
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0322cb71fefb91f7
; OPT=100:
;; QUESTION SECTION:
;www.qq.com. IN A
;; QUERY SIZE: 55
;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32627
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0322cb71fefb91f7
; OPT=100:
;; QUESTION SECTION:
;www.qq.com. IN A
;; QUERY SIZE: 55
;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32627
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0322cb71fefb91f7
; OPT=100:
;; QUESTION SECTION:
;www.qq.com. IN A
;; QUERY SIZE: 55
;; communications error to 119.29.29.29#53: timed out
;; no servers could be reached
% dig www.qq.com @119.29.29.29 +norec +qr
+cookie=57dc9aec153f36470100000063897e4ed466568c4ab8742a
; <<>> DiG 9.19.6-dev <<>> www.qq.com @119.29.29.29 +norec +qr
+cookie=57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54256
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; QUESTION SECTION:
;www.qq.com. IN A
;; QUERY SIZE: 67
;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54256
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; QUESTION SECTION:
;www.qq.com. IN A
;; QUERY SIZE: 67
;; communications error to 119.29.29.29#53: timed out
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54256
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 57dc9aec153f36470100000063897e4ed466568c4ab8742a
;; QUESTION SECTION:
;www.qq.com. IN A
;; QUERY SIZE: 67
;; communications error to 119.29.29.29#53: timed out
;; no servers could be reached
%
> On 2 Dec 2022, at 14:52, 张星 <zhangxing...@163.com> wrote:
>
> 'servfail' exception occurs after BIND runs for a period of time, restart
> bind :servfail does not appear
>
> but,After running for some time, it still had the same 'servfail' problem
>
>
>
> #./sbin/named -V
> BIND 9.11.5 (Extended Support Version) <id:3b0b204>
> running on Linux x86_64 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05
> UTC 2017
> built by make with '--prefix=/home/bind/' '--enable-filter-aaaa'
> '--with-tuning=large' '--enable-largefile' '--enable-threads'
> compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28)
> compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
> linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
> compiled with zlib version: 1.2.7
> linked to zlib version: 1.2.7
> threads support is enabled
>
>
>
>
>
>
>
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
