You are running into query limits (max-recursion-queries). Named prefers IPv6 when both IPv4 and IPv6 servers are available (see v6-bias), but you don’t have a working IPv6 link to the rest of the world, and those query attempts each use one of the available queries.
Some ISPs seem to think that it is still "reasonable" to not provide IPv6 on links by default 20+ years into the deployment of IPv6, despite most/all your equipment supporting IPv6 and attempting to use it all the time. Additionally, most sites are IPv6 capable; this includes nameservers. Everything people do on the Internet is happening slower if you use one of these ISPs because all the equipment is designed to prefer IPv6 so people can determine when it is safe to turn off IPv4.

Setting v6-bias to 0 will help some, as will increasing max-recursion-queries to account for those failed DNS lookups over IPv6. 'named -4' will also work but you won’t have any IPv6 recursive DNS servers nor be able to reach internal IPv6 servers.

The best thing would be to get your ISP to turn on IPv6 so that everything you have works faster as it doesn’t have to try IPv6 then fall back to IPv6. They have sat on their hands for 20 years while everyone else has enabled IPv6 on their equipment.

Mark

> On 26 Nov 2024, at 10:24, The Gorf <thegorf+bind9us...@gmail.com> wrote:
>
> On a 9.20 server that is a resolver only, I have a mystery. This is running
> out of the official docker. I have a fleet of these and there is nothing
> special about them. But I have a trouble child that provides no explanation
> as to why it fails a query every now and then when none of the other
> instances do. First I discover that a domain is failing, and I check it
> manually:
>
> $ host americanautowire.com 192.168.8.12
> Using domain server:
> Name: 192.168.8.12
> Address: 192.168.8.12#53
> Aliases:
>
> Host americanautowire.com not found: 2(SERVFAIL)
>
> Yes, that is indeed failing.
> So this problem child has been running with the
> following log configuration:
>
> ########### named.conf:
> http local {
> endpoints { "/dns-query"; };
> };
>
> options {
> directory "/var/cache/bind";
>
> listen-on { any; };
> listen-on-v6 { any; };
> listen-on tls ephemeral { any; };
> listen-on-v6 tls ephemeral { any; };
> listen-on tls ephemeral http local { any; };
> listen-on-v6 tls ephemeral http local { any; };
> };
>
> logging {
> channel default_file {
> file "/var/log/bind/bind.log" size 10m;
> severity debug;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> category default{ default_file; };
> };
> ########### named.conf:
>
> and the log it produces for the query is simply this:
>
> 25-Nov-2024 23:01:56.703 resolver: debug 1: fetch: americanautowire.com/A
> 25-Nov-2024 23:01:56.703 resolver: debug 1: fetch: com/NS
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:500:2d::d#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:500:2::c#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2801:1b8:10::b#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:500:a8::e#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:500:2f::f#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:dc3::35#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:7fd::1#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:500:9f::42#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:503:ba3e::2:30#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:7fe::53#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:503:c27::2:30#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:500:12::d0d#53
> 25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:500:1::53#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:503:a83e::2:30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:502:8cc::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:502:1ca1::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:502:7094::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:503:d2d::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:503:eea3::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:503:231d::2:30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:500:856e::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:501:b1f9::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:503:39c1::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:503:d414::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:503:83eb::30#53
> 25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'americanautowire.com/A/IN': 2001:500:d937::30#53
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: ns1.g02.cfdns.net/A
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: ns1.g02.cfdns.net/AAAA
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: ns2.g02.cfdns.biz/A
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: ns2.g02.cfdns.biz/AAAA
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: ns3.g02.cfdns.info/A
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: ns3.g02.cfdns.info/AAAA
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: ns4.g02.cfdns.co.uk/A
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: ns4.g02.cfdns.co.uk/AAAA
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: net/NS
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: net/NS
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: biz/NS
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: biz/NS
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: info/NS
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: info/NS
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: uk/NS
> 25-Nov-2024 23:01:56.815 resolver: debug 1: fetch: uk/NS
> 25-Nov-2024 23:01:56.815 lame-servers: info: network unreachable resolving 'net/NS/IN': 2001:503:ba3e::2:30#53
> 25-Nov-2024 23:01:56.815 lame-servers: info: network unreachable resolving 'biz/NS/IN': 2001:503:ba3e::2:30#53
> 25-Nov-2024 23:01:56.815 lame-servers: info: network unreachable resolving 'info/NS/IN': 2001:503:ba3e::2:30#53
> 25-Nov-2024 23:01:56.815 query-errors: debug 1: client @0x7fb2d06ea000 172.21.0.10#51271 (americanautowire.com): query failed (failure) for americanautowire.com/IN/A at query.c:7814
>
> We can ignore all the IPv6 stuff. But what I don't see is anything that
> explains the failure. Even more oddly is that if I just make the query
> several times in a row, it eventually works just fine.
>
> Is there anything I can do to produce any more messaging in the logs other
> than debug? Or has anyone seen anything like this before?
>
> Thank you
> -G
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
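
The following Python sketch is an added example, not part of the thread and not ISC code. It tallies the "network unreachable" attempts in a log of the format quoted above by address family and shows how much of a max-recursion-queries budget they consume, taking the reply's statement that each attempt uses one of the available queries. The log lines are constructed with documentation names and addresses, and the budget of 30 is an arbitrary illustrative value, not a BIND default.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the log format quoted in the thread. Names and
# addresses are documentation values (example.com, 2001:db8::/32, 192.0.2.0/24).
SAMPLE_LOG = """\
25-Nov-2024 23:01:56.703 resolver: debug 1: fetch: example.com/A
25-Nov-2024 23:01:56.703 resolver: debug 1: fetch: com/NS
25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:db8::a#53
25-Nov-2024 23:01:56.703 lame-servers: info: network unreachable resolving 'com/NS/IN': 2001:db8::b#53
25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'example.com/A/IN': 2001:db8::c#53
25-Nov-2024 23:01:56.731 lame-servers: info: network unreachable resolving 'example.com/A/IN': 192.0.2.53#53
25-Nov-2024 23:01:56.815 query-errors: debug 1: client @0x0 192.0.2.10#51271 (example.com): query failed (failure) for example.com/IN/A at query.c:7814
"""

UNREACHABLE = re.compile(
    r"lame-servers: info: network unreachable resolving '([^']+)': (\S+)#\d+$")
FAILED = re.compile(r"query-errors: .*query failed \(\w+\) for (\S+) at ")


def summarize(log_text, budget):
    """Tally unreachable upstream attempts and compare them with `budget`.

    `budget` is the max-recursion-queries value in effect (assumption: the
    caller supplies it, and the log covers a single client query).
    """
    family, per_fetch, failed = Counter(), Counter(), []
    for line in log_text.splitlines():
        hit = UNREACHABLE.search(line.strip())
        if hit:
            version = ipaddress.ip_address(hit.group(2)).version
            family[f"ipv{version}"] += 1
            per_fetch[hit.group(1)] += 1
            continue
        hit = FAILED.search(line)
        if hit:
            failed.append(hit.group(1))
    return {
        "ipv6_unreachable": family["ipv6"],
        "ipv4_unreachable": family["ipv4"],
        "per_fetch": dict(per_fetch),
        "failed_queries": failed,
        # Per the reply above, each failed attempt uses one available query.
        "budget_left": max(budget - family["ipv6"] - family["ipv4"], 0),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, budget=30))
```

A high ipv6_unreachable count next to a failed query on a host with no IPv6 route points at the situation the reply describes, which v6-bias, max-recursion-queries or 'named -4' address.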